5a558eb09e
TypeScript SDK Compatibility V1.x E2E Tests / Select Node version matrix (push) Has been cancelled
TypeScript SDK Compatibility V1.x E2E Tests / TypeScript SDK Compatibility V1.x E2E Tests Node ${{matrix.node_version}} (push) Has been cancelled
TypeScript SDK E2E Tests / TypeScript SDK E2E Tests Node ${{matrix.node_version}} (push) Has been cancelled
Opik Optimizer - E2E Tests / build-opik (push) Has been cancelled
TypeScript SDK Compatibility V1.x E2E Tests / build-opik (push) Has been cancelled
Python SDK E2E Tests / Select Python version matrix (push) Has been cancelled
Python SDK E2E Tests / Python SDK E2E Tests ${{matrix.python_version}} (push) Has been cancelled
Python SDK E2E Tests / build-opik (push) Has been cancelled
Python SDK Compatibility V1.x E2E Tests / Select Python version matrix (push) Has been cancelled
Python SDK Compatibility V1.x E2E Tests / Python SDK Compatibility V1.x E2E Tests ${{matrix.python_version}} (push) Has been cancelled
Python SDK Compatibility V1.x E2E Tests / build-opik (push) Has been cancelled
TypeScript SDK E2E Tests / Select Node version matrix (push) Has been cancelled
TypeScript SDK E2E Tests / build-opik (push) Has been cancelled
Opik Optimizer - E2E Tests / Opik Optimizer E2E Tests Python ${{matrix.python_version}} (push) Has been cancelled
Opik Optimizer - E2E Tests / Opik Optimizer Integration Smoke Tests (push) Has been cancelled
🐙 Code Quality / detect (push) Has been cancelled
🐙 Code Quality / lint (${{ matrix.leg.name }}) (push) Has been cancelled
🐙 Code Quality / summary (push) Has been cancelled
TypeScript SDK Library Integration Tests / Check Secrets (push) Has been cancelled
TypeScript SDK Library Integration Tests / opik-vercel (Vercel AI SDK / eve) (push) Has been cancelled
SDK Library Integration Tests Runner / Check Secrets (push) Has been cancelled
SDK Library Integration Tests Runner / Missed OpenAI API Key Warning (push) Has been cancelled
SDK Library Integration Tests Runner / Build (push) Has been cancelled
SDK Library Integration Tests Runner / openai_tests (push) Has been cancelled
SDK Library Integration Tests Runner / langchain_tests (push) Has been cancelled
SDK Library Integration Tests Runner / langchain_legacy_tests (push) Has been cancelled
SDK Library Integration Tests Runner / llama_index_tests (push) Has been cancelled
SDK Library Integration Tests Runner / anthropic_tests (push) Has been cancelled
SDK Library Integration Tests Runner / mistral_tests (push) Has been cancelled
SDK Library Integration Tests Runner / groq_tests (push) Has been cancelled
SDK Library Integration Tests Runner / aisuite_tests (push) Has been cancelled
SDK Library Integration Tests Runner / haystack_tests (push) Has been cancelled
SDK Library Integration Tests Runner / dspy_tests (push) Has been cancelled
SDK Library Integration Tests Runner / crewai_v0_tests (push) Has been cancelled
SDK Library Integration Tests Runner / crewai_v1_tests (push) Has been cancelled
SDK Library Integration Tests Runner / genai_tests (push) Has been cancelled
SDK Library Integration Tests Runner / adk_tests (push) Has been cancelled
SDK Library Integration Tests Runner / adk_legacy_1_3_0_tests (push) Has been cancelled
SDK Library Integration Tests Runner / evaluation_metrics_tests (push) Has been cancelled
SDK Library Integration Tests Runner / bedrock_tests (push) Has been cancelled
SDK Library Integration Tests Runner / litellm_tests (push) Has been cancelled
SDK Library Integration Tests Runner / harbor_tests (push) Has been cancelled
SDK Library Integration Tests Runner / Slack Notification (push) Has been cancelled
Lint Opik Helm Chart / render-equality (push) Has been cancelled
Opik Optimizer - Unit Tests / Opik Optimizer Unit Tests Python ${{matrix.python_version}} (push) Has been cancelled
Python BE E2E Tests / Python BE E2E (push) Has been cancelled
Python Backend Tests / run-python-backend-tests (push) Has been cancelled
Python SDK Unit Tests / Python SDK Unit Tests ${{matrix.python_version}} (push) Has been cancelled
Release Drafter / update_release_draft (push) Has been cancelled
SDK E2E Libraries Integration Tests / Check Secrets (push) Has been cancelled
SDK E2E Libraries Integration Tests / Missed OpenAI API Key Warning (push) Has been cancelled
SDK E2E Libraries Integration Tests / build-opik (push) Has been cancelled
SDK E2E Libraries Integration Tests / E2E Lib Integration Python ${{matrix.python_version}} (push) Has been cancelled
TypeScript SDK Integration Build & Publish / build-and-publish (opik-gemini) (push) Has been cancelled
TypeScript SDK Integration Build & Publish / build-and-publish (opik-langchain) (push) Has been cancelled
TypeScript SDK Integration Build & Publish / build-and-publish (opik-openai) (push) Has been cancelled
TypeScript SDK Integration Build & Publish / build-and-publish (opik-otel) (push) Has been cancelled
TypeScript SDK Integration Build & Publish / build-and-publish (opik-vercel) (push) Has been cancelled
TypeScript SDK Build & Publish / build-and-publish (push) Has been cancelled
TypeScript SDK Unit Tests / Test on Node ${{ matrix.node-version }} (push) Has been cancelled
Backend Tests / discover-tests (push) Has been cancelled
Backend Tests / ${{ matrix.name }} (push) Has been cancelled
Build and Publish SDK / build-and-publish (push) Has been cancelled
Build Opik Docker Images / set-version (push) Has been cancelled
Build Opik Docker Images / build-backend (push) Has been cancelled
Build Opik Docker Images / build-sandbox-executor-python (push) Has been cancelled
Build Opik Docker Images / build-python-backend (push) Has been cancelled
Build Opik Docker Images / build-frontend (push) Has been cancelled
Build Opik Docker Images / create-git-tag (push) Has been cancelled
ClickHouse Migration Cluster Check / validate-clickhouse-migrations (push) Has been cancelled
Docs - Publish / run (push) Has been cancelled
E2E Tests - Post Merge (v2) / 🧪 E2E v2 Tests (${{ github.event.inputs.tier || 't1' }}) (push) Has been cancelled
E2E Tests - Post Merge (v2) / 📢 Slack Notification (push) Has been cancelled
Frontend Unit Tests / Test on Node 20 (push) Has been cancelled
Guardrails E2E Tests / Select Python version matrix (push) Has been cancelled
Guardrails E2E Tests / Guardrails E2E Tests ${{matrix.python_version}} (push) Has been cancelled
Guardrails E2E Tests / 📢 Slack Notification (push) Has been cancelled
Guardrails Backend Unit Tests / Guardrails Backend Unit Tests (push) Has been cancelled
Guardrails Backend Unit Tests / 📢 Slack Notification (push) Has been cancelled
Lint Opik Helm Chart / lint-helm-chart (Helm v3.21.0) (push) Has been cancelled
Lint Opik Helm Chart / lint-helm-chart (Helm v4.2.0) (push) Has been cancelled
Lint Opik Helm Chart / unittest-helm-chart (push) Has been cancelled
352 lines
12 KiB
Plaintext
352 lines
12 KiB
Plaintext
---
|
|
headline: OIDC SSO Configuration | Opik Documentation
|
|
og:description: Learn how to configure OpenID Connect (OIDC) single sign-on for your Opik organization.
|
|
og:site_name: Opik Documentation
|
|
og:title: 'Configure OIDC SSO in Opik: Step-by-Step Guide'
|
|
subtitle: Setting up OpenID Connect authentication with your identity provider
|
|
title: OIDC SSO
|
|
canonical-url: https://www.comet.com/docs/opik/administration/authentication/oidc
|
|
---
|
|
|
|
OpenID Connect (OIDC) is a modern authentication protocol built on OAuth 2.0. This guide walks you through configuring OIDC SSO for your Opik organization.
|
|
|
|
<Note>
|
|
OIDC SSO is available on Enterprise plans. This feature is not available in open-source deployments. [Reach out](https://www.comet.com/site/about-us/contact-us/) if you want to enable this feature for your Opik deployment.
|
|
</Note>
|
|
|
|
## Prerequisites
|
|
|
|
Before you begin, ensure you have:
|
|
|
|
- **Organization admin access** to Opik
|
|
- **Admin access** to your identity provider that supports OIDC
|
|
- **Enterprise plan** enabled for your organization
|
|
- **Email domain** you want to use for SSO (e.g., `company.com`)
|
|
|
|
## OIDC vs. SAML
|
|
|
|
OIDC offers several advantages over SAML:
|
|
|
|
| Feature | OIDC | SAML |
|
|
| --- | --- | --- |
|
|
| Protocol | REST/JSON-based | XML-based |
|
|
| Token format | JWT | XML assertions |
|
|
| Setup complexity | Simpler | More complex |
|
|
| Mobile/API friendly | Yes | Limited |
|
|
| Workspace sync | Via default workspace | Via attribute mapping |
|
|
|
|
Choose OIDC when:
|
|
|
|
- Your IdP supports OIDC (most modern IdPs do)
|
|
- You prefer simpler configuration
|
|
- You don't need attribute-based workspace sync
|
|
|
|
Choose [SAML](/v1/administration/authentication/saml) when:
|
|
|
|
- You need automatic workspace assignment based on user attributes
|
|
- Your organization requires SAML specifically
|
|
|
|
## Configuration overview
|
|
|
|
Setting up OIDC SSO involves:
|
|
|
|
1. **Register Opik** in your identity provider as an OIDC application.
|
|
2. **Configure Opik** with your IdP's OIDC endpoints and credentials.
|
|
|
|
## Step 1: Register Opik in your IdP
|
|
|
|
Create a new OIDC/OAuth application in your identity provider:
|
|
|
|
### Application settings
|
|
|
|
| Setting | Value |
|
|
| --- | --- |
|
|
| **Application type** | Web application |
|
|
| **Grant type** | Authorization Code |
|
|
| **Redirect/Callback URL** | `https://www.comet.com/opik/oauth/callback/<organization-id>` |
|
|
|
|
<Tip>
|
|
The exact callback URL will be displayed in your Opik SSO configuration page. Copy it directly from there.
|
|
</Tip>
|
|
|
|
### Required scopes
|
|
|
|
Ensure your OIDC application requests these scopes:
|
|
|
|
- `openid` - Required for OIDC
|
|
- `profile` - User profile information
|
|
- `email` - User's email address
|
|
|
|
## Step 2: Gather IdP information
|
|
|
|
After registering the application, collect the following from your IdP:
|
|
|
|
| Information | Description | Where to find |
|
|
| --- | --- | --- |
|
|
| **Client ID** | Unique identifier for your application | IdP application settings |
|
|
| **Client Secret** | Secret key for authentication | IdP application settings |
|
|
| **Authorization URL** | Endpoint for authorization requests | IdP documentation or well-known endpoint |
|
|
| **Token URL** | Endpoint to exchange codes for tokens | IdP documentation or well-known endpoint |
|
|
| **User Info URL** | Endpoint to fetch user profile | IdP documentation or well-known endpoint |
|
|
|
|
<Tip>
|
|
**Well-known endpoint**: Most OIDC providers expose a discovery document at `/.well-known/openid-configuration` containing all endpoint URLs.
|
|
</Tip>
|
|
|
|
## Step 3: Configure Opik
|
|
|
|
1. Navigate to **Admin Dashboard** > **SSO Configuration**.
|
|
2. Select **OIDC** as the SSO protocol.
|
|
3. Enter the following settings:
|
|
|
|
### Required OIDC settings
|
|
|
|
| Field | Description | Example |
|
|
| --- | --- | --- |
|
|
| **Domain** | Email domain for SSO users | `company.com` |
|
|
| **Client ID** | Application identifier from your IdP | `abc123xyz` |
|
|
| **Client Secret** | Secret key from your IdP | `secret_...` |
|
|
| **Authorization URL** | IdP's authorization endpoint | `https://idp.company.com/oauth/authorize` |
|
|
| **Token URL** | IdP's token endpoint | `https://idp.company.com/oauth/token` |
|
|
| **Callback URL** | Opik's callback URL | `https://www.comet.com/opik/oauth/callback/...` |
|
|
| **User Info URL** | IdP's user info endpoint | `https://idp.company.com/oauth/userinfo` |
|
|
|
|
### Optional OIDC settings
|
|
|
|
| Field | Description | Default |
|
|
| --- | --- | --- |
|
|
| **Default Workspace** | Workspace for new SSO users | Organization default |
|
|
| **Application Resource ID** | Custom resource identifier | Not set |
|
|
|
|
## Field reference
|
|
|
|
### Client ID
|
|
|
|
The unique identifier assigned to Opik when you registered it with your IdP:
|
|
|
|
- Created when you register the application
|
|
- Used in authorization requests to identify Opik
|
|
- Should be treated as public (not secret)
|
|
|
|
### Client Secret
|
|
|
|
The secret key used to authenticate Opik with your IdP:
|
|
|
|
- Created when you register the application
|
|
- Used when exchanging authorization codes for tokens
|
|
- **Must be kept secret** - never expose in client-side code
|
|
|
|
<Warning>
|
|
**Security**: The client secret is sensitive. If compromised, regenerate it in your IdP and update the configuration in Opik.
|
|
</Warning>
|
|
|
|
### Authorization URL (Auth Base URL)
|
|
|
|
The endpoint where users are redirected to authenticate:
|
|
|
|
```
|
|
https://idp.company.com/oauth/authorize
|
|
```
|
|
|
|
This URL receives authorization requests with:
|
|
|
|
- `client_id` - Your application's client ID
|
|
- `redirect_uri` - The callback URL
|
|
- `scope` - Requested permissions
|
|
- `response_type` - Always `code` for authorization code flow
|
|
- `state` - Security parameter to prevent CSRF
|
|
|
|
### Token URL (Access Token URL)
|
|
|
|
The endpoint where Opik exchanges authorization codes for access tokens:
|
|
|
|
```
|
|
https://idp.company.com/oauth/token
|
|
```
|
|
|
|
Opik sends a POST request with:
|
|
|
|
- `grant_type` - Always `authorization_code`
|
|
- `code` - The authorization code received
|
|
- `redirect_uri` - The callback URL
|
|
- `client_id` and `client_secret` - For authentication
|
|
|
|
### Callback URL
|
|
|
|
The URL where your IdP redirects users after authentication:
|
|
|
|
```
|
|
https://www.comet.com/opik/oauth/callback/<organization-id>
|
|
```
|
|
|
|
- Must be registered in your IdP's allowed redirect URIs
|
|
- Must match exactly (including trailing slashes)
|
|
- Opik generates this URL based on your organization ID
|
|
|
|
### Protected Resource URL (User Info URL)
|
|
|
|
The endpoint where Opik fetches user profile information:
|
|
|
|
```
|
|
https://idp.company.com/oauth/userinfo
|
|
```
|
|
|
|
Opik uses the access token to request:
|
|
|
|
- `sub` - User's unique identifier
|
|
- `email` - User's email address
|
|
- `name` - User's display name
|
|
|
|
### Default Workspace
|
|
|
|
When users authenticate via OIDC for the first time:
|
|
|
|
- They are added to the **default workspace** specified in SSO settings.
|
|
- If not specified, they are added to the organization's default workspace.
|
|
- Workspace assignment can be managed manually after initial login.
|
|
|
|
<Note>
|
|
Unlike SAML with workspace sync, OIDC does not support automatic workspace assignment based on user attributes. Users are added to the default workspace on first login.
|
|
</Note>
|
|
|
|
## IdP-specific configuration guides
|
|
|
|
<Tabs>
|
|
<Tab value="okta" title="Okta">
|
|
|
|
### Configuring Okta
|
|
|
|
1. In Okta Admin Console, go to **Applications** > **Create App Integration**.
|
|
2. Select **OIDC - OpenID Connect** and **Web Application**.
|
|
3. Configure settings:
|
|
- **Sign-in redirect URI**: Your callback URL from Opik
|
|
- **Sign-out redirect URI**: `https://www.comet.com/opik`
|
|
- **Controlled access**: Assign users/groups as needed
|
|
4. Note the **Client ID** and **Client Secret**.
|
|
5. Find endpoints in Okta's **OpenID Connect Metadata** or use:
|
|
- Authorization: `https://<your-domain>.okta.com/oauth2/v1/authorize`
|
|
- Token: `https://<your-domain>.okta.com/oauth2/v1/token`
|
|
- User Info: `https://<your-domain>.okta.com/oauth2/v1/userinfo`
|
|
|
|
</Tab>
|
|
<Tab value="azure-ad" title="Azure AD (Entra ID)">
|
|
|
|
### Configuring Azure AD
|
|
|
|
1. In Azure Portal, go to **Azure Active Directory** > **App registrations**.
|
|
2. Click **New registration**:
|
|
- **Name**: Opik
|
|
- **Supported account types**: Choose based on your needs
|
|
- **Redirect URI**: Web, your callback URL from Opik
|
|
3. After creation, note the **Application (client) ID**.
|
|
4. Go to **Certificates & secrets** > **New client secret** and note the value.
|
|
5. Use these endpoints (replace `<tenant-id>`):
|
|
- Authorization: `https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/authorize`
|
|
- Token: `https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token`
|
|
- User Info: `https://graph.microsoft.com/oidc/userinfo`
|
|
|
|
</Tab>
|
|
<Tab value="google" title="Google Workspace">
|
|
|
|
### Configuring Google Workspace
|
|
|
|
1. Go to [Google Cloud Console](https://console.cloud.google.com/).
|
|
2. Create or select a project.
|
|
3. Go to **APIs & Services** > **Credentials**.
|
|
4. Click **Create Credentials** > **OAuth client ID**.
|
|
5. Configure:
|
|
- **Application type**: Web application
|
|
- **Authorized redirect URIs**: Your callback URL from Opik
|
|
6. Note the **Client ID** and **Client Secret**.
|
|
7. Use these endpoints:
|
|
- Authorization: `https://accounts.google.com/o/oauth2/v2/auth`
|
|
- Token: `https://oauth2.googleapis.com/token`
|
|
- User Info: `https://openidconnect.googleapis.com/v1/userinfo`
|
|
|
|
</Tab>
|
|
<Tab value="auth0" title="Auth0">
|
|
|
|
### Configuring Auth0
|
|
|
|
1. In Auth0 Dashboard, go to **Applications** > **Create Application**.
|
|
2. Select **Regular Web Applications**.
|
|
3. Configure settings:
|
|
- **Allowed Callback URLs**: Your callback URL from Opik
|
|
- **Allowed Logout URLs**: `https://www.comet.com/opik`
|
|
4. Note the **Domain**, **Client ID**, and **Client Secret**.
|
|
5. Use these endpoints (replace `<your-domain>`):
|
|
- Authorization: `https://<your-domain>.auth0.com/authorize`
|
|
- Token: `https://<your-domain>.auth0.com/oauth/token`
|
|
- User Info: `https://<your-domain>.auth0.com/userinfo`
|
|
|
|
</Tab>
|
|
</Tabs>
|
|
|
|
## Testing the configuration
|
|
|
|
After configuring both Opik and your IdP:
|
|
|
|
1. **Open an incognito/private browser window** (to avoid cached sessions).
|
|
2. Navigate to Opik's login page.
|
|
3. Enter an email address with your configured domain.
|
|
4. You should be redirected to your IdP for authentication.
|
|
5. After authenticating, you should be redirected back to Opik and logged in.
|
|
|
|
## Troubleshooting
|
|
|
|
### Common issues
|
|
|
|
| Issue | Possible cause | Solution |
|
|
| --- | --- | --- |
|
|
| "Invalid redirect URI" | Callback URL mismatch | Verify callback URL matches exactly in both Opik and IdP |
|
|
| "Invalid client" | Wrong client ID | Verify client ID is copied correctly |
|
|
| "Invalid client credentials" | Wrong client secret | Verify client secret, regenerate if needed |
|
|
| "Scope not allowed" | IdP scope restrictions | Ensure `openid`, `profile`, `email` scopes are allowed |
|
|
| User not created | Missing email claim | Verify IdP returns email in user info response |
|
|
|
|
### Troubleshooting checklist
|
|
|
|
1. **Verify client credentials**: Double-check client ID and secret.
|
|
2. **Check callback URL**: Must match exactly (including protocol, trailing slashes).
|
|
3. **Validate endpoint URLs**: Ensure all URLs are correct and accessible.
|
|
4. **Review IdP logs**: Check your identity provider's logs for errors.
|
|
5. **Test well-known endpoint**: Verify `/.well-known/openid-configuration` returns valid JSON.
|
|
6. **Check scopes**: Ensure required scopes are configured and allowed.
|
|
|
|
### Debugging with browser tools
|
|
|
|
Use browser developer tools to inspect the authentication flow:
|
|
|
|
1. Open **Network** tab before starting login.
|
|
2. Look for requests to your IdP's authorization endpoint.
|
|
3. Check for error parameters in the callback URL.
|
|
4. Review any error responses from the token endpoint.
|
|
|
|
## Security considerations
|
|
|
|
### Client secret protection
|
|
|
|
- Store the client secret securely in Opik's configuration.
|
|
- Never expose the client secret in logs or client-side code.
|
|
- Rotate the secret periodically per your security policies.
|
|
|
|
### Callback URL validation
|
|
|
|
- Only configure the exact callback URL provided by Opik.
|
|
- Do not add additional redirect URIs unless necessary.
|
|
- Review registered redirect URIs periodically.
|
|
|
|
### Token handling
|
|
|
|
Opik handles tokens securely:
|
|
|
|
- Access tokens are used server-side only.
|
|
- Tokens are not exposed to the browser.
|
|
- Sessions are managed securely after authentication.
|
|
|
|
## Next steps
|
|
|
|
- [Configure SAML](/v1/administration/authentication/saml) if you need workspace sync features.
|
|
- [Set up JWT authentication](/v1/administration/authentication/jwt) for programmatic access.
|
|
- [Manage users](/v1/administration/admin-dashboard/users) and workspace assignments.
|