Okta/SSO

[vladfr1]

Great tool, the team is having a lot of fun with it!! We got everything working with Azure AD.

Any thoughts on a more generic SSO implementation that could support any auth platform? i.e. Okta (our particular use case)?

[danny-avila]

Implementing Auth0 would be pretty involved but not impossible. The original intent with not using Auth0 was to not exclude users in regions where Auth0 is not supported.

[danny-avila]

Revisiting this, FWIW, Okta is working as an OpenID option, i can write a guide soon

[MariusWilsch]

Pleas do!

[vladfr1]

That would be awesome. I am happy to to be a tester.

[danny-avila]

A very quick guide while it's still fresh:

I started with a fresh trial account, and added one user besides myself.

You can setup the app with Okta CLI but you can also do this through Okta's dashboard. I used the CLI.

For the CLI, you need an API key. You can create one via Security > API > Tokens

While we're here, we also need to make sure our Authorization Server has an Access Policy. Unless you are well familiar with this, this is what I did with the default server:

1. Goto Authorization Servers tab, click "default" hyperlink
   

2. Goto Access Policies and create a lenient policy, or however you see fit.
   

Back to the CLI

Start terminal from project directory. Assuming you already have an account, run okta login. Then, run okta apps create.

• Select the default app name (LibreChat), or change it as you see fit.
• Type of Application: Choose Web and press Enter.
• For Framework of Application: Select Other.
• Then, the Redirect URI should be http://localhost:3080/oauth/openid/callback
• use http://localhost:3080/login for the Logout Redirect URI.

It should save an .okta.env file once complete:

Okta application configuration has been written to: /home/danny/LibreChat/.okta.env

export OKTA_OAUTH2_ISSUER="https://trial-ID.okta.com/oauth2/default"
export OKTA_OAUTH2_CLIENT_ID="someID"
export OKTA_OAUTH2_CLIENT_SECRET="someSECRET"

Now, in our LibreChat .env file, we use these values like this:

# OKTA TEST
OPENID_CLIENT_ID=someID
OPENID_CLIENT_SECRET=someSECRET
OPENID_ISSUER=https://trial-ID.okta.com/oauth2/default
OPENID_SESSION_SECRET=secret # you can change this to whatever you'd like, should be some "secret" value
OPENID_SCOPE="openid profile email"
OPENID_CALLBACK_URL=/oauth/openid/callback

In our LibreChat .env file, Double check these values correspond to your deployment URL:

DOMAIN_CLIENT=http://localhost:3080
DOMAIN_SERVER=http://localhost:3080

By default the Okta CLI creates an app that assigns to all users. You may need to review all the bells & whistles Okta offers for this and adjust to your needs.

That's it! You should be able to login with Okta now.

[chengxiangzhu]

OPENID_AUTH_ENABLED=true
OPENID_CLIENT_ID=
OPENID_CLIENT_SECRET=
OPENID_ISSUER=
OPENID_SESSION_SECRET=

After configuring these, click the "Continue with OpenID" button and jump to the URL: https://example.com/oauth/openid. The error message is:
Error: Unknown authentication strategy "openid"
at attempt (/app/node_modules/passport/lib/middleware/authenticate.js:193:39)

[danny-avila]

Updating Instructions (docker):
https://www.librechat.ai/docs/local/docker#update-librechat

[chengxiangzhu]

After the update, the error message still appears.
Run the command "git log"

[chengxiangzhu]

Run the command“git pull”
Already up to date.

[abhishekag03]

@chengxiangzhu I'm facing the same error - "Error: Unknown authentication strategy "openid"'. I have confirmed that I'm on the latest release v0.7.9.
Were you able to fix this? If yes, how?

[vladfr1]

Hi DannyDo you ever do any setup consulting?Vlad Friedman410-960-8520On Sep 25, 2024, at 9:38 AM, ***@***.*** ***@***.*** { font-family: "Cambria Math"; } @font-face { font-family: Calibri; } @font-face { font-family: Aptos; } p.MsoNormal, li.MsoNormal, div.MsoNormal { margin: 0in; font-size: 12pt; font-family: Aptos, sans-serif; } a:link, span.MsoHyperlink { color: blue; text-decoration: underline; } span.EmailStyle20 { font-family: Aptos, sans-serif; color: windowtext; } .MsoChpDefault { font-size: 11pt; } @page WordSection1 { size: 8.5in 11in; margin: 1in; } div.WordSection1 { page: WordSection1; }That would be awesome.  I am happy to to be a tester.  From: Danny Avila ***@***.***> Sent: Wednesday, September 25, 2024 9:26 AMTo: danny-avila/LibreChat ***@***.***>Cc: vladfr1 ***@***.***>; Author ***@***.***>Subject: Re: [danny-avila/LibreChat] Okta/SSO (Discussion #1750) Revisiting this, FWIW, Okta is working as an OpenID option, i can write a guide soon—Reply to this email directly, view it on GitHub, or unsubscribe.You are receiving this because you authored the thread.Message ID: ***@***.***>

[aitp-john]

@vladfr1 do you still need help with set up?