p5 · 11mo ago

SSO-only mode

Is it possible to disable local user creation/signup (username + password) but still allow creating users through SSO? Or how are we supposed to handle adding new users using SSO? We wish to enforce all access using Google SSO and cannot figure out a good way to do this. Right now, if we want new SSO users to log in but have disabled public signup, we're stuck on the login screen with error logs saying public signup is disabled. If we remove that environment variable, anybody can create a new user using the "Sign up" button. My view (although it would be different based on different use cases) is that users who log in through SSO can be trusted, because these are usually restricted to internal users only in the IDP.
9 Replies
Marc · 11mo ago
Hi, not possible as of now. What you could do is enforce SSO for your domain (there’s an env for that), or create an issue/PR to disable email/password auth.
p5 · 11mo ago
Thanks for the guidance. Will try enforcing SSO for my domain, and maybe later on implementing the SSO-only feature flag.
Marc · 11mo ago
Thanks for the PR
Marc · 11mo ago
GitHub
feat: Allow only SSO account creation · Issue #509 · langfuse/langf...
Describe the feature you'd like to request I would like to allow accounts to be created only through SSO in order to be sure only trusted users have access to langfuse Describe the solution you...
p5 · 11mo ago
That looks like exactly what we need. I attempted something in this PR, but I may need guidance to validate everything is working as expected, and if I have done the right thing to begin with. https://github.com/langfuse/langfuse/pull/510
GitHub
feature: SSO Enforced mode by p5 · Pull Request #510 · langfuse/lan...
Creates a flag that disables the use of internal credentials in the case of somebody (e.g. my company) wanting to enforce SSO authentication with an IDP. This is my first attempt at contributing to...
p5 · 11mo ago
Will try and rework it to use the AUTH_ALLOWED_SSO_DOMAINS_ONLY suggestion
Marc · 11mo ago
Will have a closer look later. Thanks!
p5 · 11mo ago
Thanks for merging! And sorry for all the changes that were needed
Marc · 11mo ago
No worries. Happy to have this merged now, released it and added it to the self-hosting docs.