Skip to main content
W&B Fully Connected
>
Articles

Integrating Weights & Biases with Single Sign-On (SSO) using Okta and OIDC

Learn how to integrate W&B with Okta and OIDC in this step-by-step tutorial
Justin Tenuto
Created on September 26|Last edited on September 26
Ensuring secure and efficient access to tools is paramount for teams and organizations building real-world ML. Weights & Biases offers robust solutions tailored to meet your operational and security requirements.
In this piece, we'll look at how you can use Single Sign-On (SSO) with Okta and OIDC and walk you through it, step-by-step.
First, you'll want to "Create App Integration" and select both "OIDC OpenID Connect" and "Single-Page Application."

Next, you'll need to enter some data so the integration works properly. You'll fill out:
  1. App integration name: "W&B"
  2. Grant type: Check both "Authorization Code" and "Implicit (hybrid)"
  3. Sign-in redirect URIs: https://<WABDB FQDN>/oidc/callback
  4. Sign-out redirect URIs: https://<WABDB FQDN>/logout
  5. Assignments: Configure according to your needs.
Then save. That'll look something like this:


After that configuration, copy the Client ID and the Issuer URL. That will usually be something like https://<COMPANY>.okta.com.
Once those are entered, access the system admin page https://<WABDB FQDN>/system-admin and switch SSO on. You'll need to fill in the fields "OIDC Client ID" and "OIDC Issuer."

Then click "Update Settings" at the bottom of the page.
In some cases, the "Authentication Method" configuration must be different from "Implicit Flow," for example, with PKCE. In these cases, we recommend updating the deployment via environment variables. If you used our Terraform Module to deploy W&B, you must set up the following input variables:
oidc_client_id = "0oaerfswkrxGBpWUQ5d7"
oidc_issuer = "https://dev-53803758-admin.okta.com/"
oidc_auth_method = "pkce"
Then, after running the "terraform plan," you should see the following output:
                      ~ env {
                            name  = "OIDC_CLIENT_ID"
                          + value = "0oaerfswkrxGBpWUQ5d7"
                        }
                      ~ env {
                            name  = "OIDC_AUTH_METHOD"
                          ~ value = "implicit" -> "pkce"
                        }
                      ~ env {
                            name  = "OIDC_ISSUER"
                          + value = "https://dev-53803758-admin.okta.com/"
                        }
At this point, you can run the "terraform apply" to reconfigure W&B and head to the login page, where after clicking on Login, you will be redirected to the Okta SSO page.
Often after finish the configuration and attempt to execute the login, a message request from invalid origin: null
This means the authentication flow was initiated with one endpoint but due a potential redirection in the IdP the origin from the response comes from a different endpoint, which is set to null
To get this problem fixed, the environment variable GORILLA_CORS_ORIGINS must be set in the deployment according to the example below.
other_wandb_env = {
	GORILLA_CORS_ORIGINS = "https://<WABDB FQDN>, null"
}
With that set, re-run the terraform to apply the new changes.

Tags: Articles, W&B Features

Created with ❤️ on Weights & Biases.

https://wandb.ai/wandb_fc/product-announcements-fc/reports/Integrating-Weights-Biases-with-Single-Sign-On-SSO-using-Okta-and-OIDC--Vmlldzo5NTEwOTcw
Made with Weights & Biases. Sign up or log in to create reports like this one.
Iterate on AI agents and models faster. Try Weights & Biases today.
Sign upTry W&B now