How to add members with signups disabled?
Hi, we are self hosting Langfuse and have disabled signups since we don’t want any random person to be able to access the server. However, when I add a member in the UI, how are they supposed to login/create their account? Adding a project member doesn’t send an email and just stays as pending invite, and the user is unable to signup.
10 Replies
Same issue as I raised earlier: https://github.com/orgs/langfuse/discussions/1391
GitHub
Enhancements for Langfuse User Sign-Up Control · langfuse · Discuss...
The Challenge We've observed a significant hurdle in preventing unauthorized sign-ups on self-hosted Langfuse instances. Scenario 1 Imagine a scenario where you want only invited users to sign ...
@mburst Agree that this is not completely solved right now, but most teams shift the logic of which users should be able to access the application to teir auth provider. Which auth provider do you use?
We use Okta
Do you manage groups which should be able to sign in/up for langfuse in okta?
If yes, you could disable email/pw auth via
AUTH_DISABLE_USERNAME_PASSWORD, thus only users who are granted access to langfuse in okta can actually access itOk thanks for that. SSO is on the list of things to do but it’s a different team that manages that, which is an issue. Sounds like we’ll need to see about expediting that process.
This makes sense. Otherwise you’ll replicate this logic in two places, once in Okta and once again in Langfuse.
When we setup SSO, do we reenable signups? Or keep that off?
Yeah I came across this too, had to turn the env variable back on temporarily so they could join via Google OAuth, then turn it off again
I added the member in admin console, but they still need to sign in
reenable sign ups, your authentication provider will then gate who gets access, no need to do this on the langfuse side
Thanks!