# Configure SSO with OIDC
W&B’s support for OpenID Connect (OIDC) compatible identity providers allows for management of user identities and group memberships through external identity providers like Okta, Keycloak, Auth0, Google, and Entra.
## OpenID Connect (OIDC)
W&B supports the following OIDC authentication flows for integrating with external Identity Providers (IdPs).
- Implicit Flow with Form Post
- Authorization Code Flow with Proof Key for Code Exchange (PKCE)
These flows authenticate users and provide W&B with the necessary identity information (in the form of ID tokens) to manage access control.
The ID token is a JWT that contains the user’s identity information, such as their name, username, email, and group memberships. W&B uses this token to authenticate the user and map them to appropriate roles or groups in the system.
In the context of W&B, access tokens authorize requests to APIs on behalf of the user, but since W&B’s primary concern is user authentication and identity, it only requires the ID token.
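The ID-token checks the two paragraphs above rely on, shown as an added example in Go; this is not code from the W&B docs or from wandb/local. It assumes an RS256-signed token, models the issuer's JWKS as a map from `kid` to public key, uses a `groups` claim (the claim name varies by IdP), and constructs its own issuer, client ID and nonce values; `MintIDToken` is a hypothetical stand-in for the IdP so the example runs offline.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of ID-token claims a relying party like W&B consumes:
// who the user is (sub, email, groups) and what binds the token to this
// login (iss, aud, exp, nonce). The groups claim name is IdP-specific.
type Claims struct {
	Iss    string   `json:"iss"`
	Sub    string   `json:"sub"`
	Aud    string   `json:"aud"`
	Exp    int64    `json:"exp"`
	Nonce  string   `json:"nonce,omitempty"`
	Email  string   `json:"email,omitempty"`
	Groups []string `json:"groups,omitempty"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// MintIDToken plays the IdP: it signs claims as an RS256 JWS under key "kid".
// Hypothetical helper so the example runs offline; real tokens come from the
// IdP's authorization (implicit/form_post) or token (PKCE) endpoint.
func MintIDToken(key *rsa.PrivateKey, kid string, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(c)
	input := b64(hdr) + "." + b64(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64(sig), nil
}

// VerifyIDToken applies the relying-party checks of OIDC Core section 3.1.3.7:
// pinned algorithm, signature under a key the issuer publishes (looked up by
// kid), exact issuer match, audience == our client_id, not expired, and the
// nonce we generated for this login echoed back unchanged.
func VerifyIDToken(tok string, jwks map[string]*rsa.PublicKey, issuer, clientID, nonce string, now time.Time) (*Claims, error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWT")
	}
	var hdr struct{ Alg, Kid string } // encoding/json matches alg/kid case-insensitively
	if raw, err := base64.RawURLEncoding.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil {
		return nil, errors.New("bad header")
	}
	if hdr.Alg != "RS256" { // never let the token choose its own algorithm
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	pub, ok := jwks[hdr.Kid]
	if !ok {
		return nil, fmt.Errorf("unknown kid %q", hdr.Kid)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, errors.New("bad signature encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("signature invalid")
	}
	var c Claims // only parse claims once the signature is trusted
	if raw, err := base64.RawURLEncoding.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return nil, errors.New("bad payload")
	}
	switch {
	case c.Iss != issuer:
		return nil, fmt.Errorf("issuer %q, expected %q", c.Iss, issuer)
	case c.Aud != clientID:
		return nil, fmt.Errorf("audience %q is not our client_id", c.Aud)
	case !now.Before(time.Unix(c.Exp, 0)):
		return nil, errors.New("token expired")
	case c.Nonce != nonce:
		return nil, errors.New("nonce mismatch (replayed or cross-session token)")
	}
	return &c, nil
}

// Demo runs one valid round trip plus the negative cases an operator should
// expect to fail. It returns nil only if every check behaved as intended.
func Demo() error {
	issuer, clientID, nonce := "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE", "client-id-example", "n-42" // constructed
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return err
	}
	jwks := map[string]*rsa.PublicKey{"key-1": &key.PublicKey}
	now := time.Unix(1700000000, 0)
	tok, err := MintIDToken(key, "key-1", Claims{Iss: issuer, Sub: "u-1", Aud: clientID, Exp: now.Unix() + 300, Nonce: nonce, Email: "alice@example.com", Groups: []string{"ml-team"}})
	if err != nil {
		return err
	}
	c, err := VerifyIDToken(tok, jwks, issuer, clientID, nonce, now)
	if err != nil || c.Email != "alice@example.com" || c.Groups[0] != "ml-team" {
		return fmt.Errorf("valid token rejected: %v", err)
	}
	other, _ := rsa.GenerateKey(rand.Reader, 2048) // a key the issuer never published
	forged, _ := MintIDToken(other, "key-1", Claims{Iss: issuer, Aud: clientID, Exp: now.Unix() + 300, Nonce: nonce})
	bad := map[string]error{}
	_, bad["forged key"] = VerifyIDToken(forged, jwks, issuer, clientID, nonce, now)
	_, bad["wrong audience"] = VerifyIDToken(tok, jwks, issuer, "someone-else", nonce, now)
	_, bad["wrong issuer"] = VerifyIDToken(tok, jwks, "https://EXAMPLE-DOMAIN.auth.us-east-1.amazoncognito.com", clientID, nonce, now)
	_, bad["expired"] = VerifyIDToken(tok, jwks, issuer, clientID, nonce, now.Add(time.Hour))
	_, bad["nonce"] = VerifyIDToken(tok, jwks, issuer, clientID, "n-other", now)
	for name, e := range bad {
		if e == nil {
			return fmt.Errorf("%s token was accepted", name)
		}
	}
	return nil
}

func main() {
	fmt.Println("all ID-token checks behaved as expected:", Demo() == nil)
}
```

The audience check is what keeps an ID token minted for some other application registered at the same IdP from logging a user into W&B, and the nonce check is what ties a token delivered by form_post to the browser session that started the login; neither is covered by the signature alone.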
You can use environment variables to configure IAM options for your Dedicated Cloud or Self-Managed instance.
To assist with configuring Identity Providers for Dedicated Cloud or Self-Managed W&B installations, follow the guidelines below for the various IdPs. If you’re using the SaaS version of W&B, reach out to support@wandb.com for assistance in configuring an Auth0 tenant for your organization.
## Configure your IdP
This section shows how to configure your identity provider (IdP) for OIDC. Select the tab for your IdP for details.
Follow the procedure below to set up AWS Cognito for authorization:

First, sign in to your AWS account and navigate to the AWS Cognito App.

Provide an allowed callback URL to configure the application in your IdP:

- Add `http(s)://YOUR-W&B-HOST/oidc/callback` as the callback URL. Replace `YOUR-W&B-HOST` with your W&B host path.
- If your IdP supports universal logout, set the Logout URL to `http(s)://YOUR-W&B-HOST`. Replace `YOUR-W&B-HOST` with your W&B host path.

For example, if your application was running at `https://wandb.mycompany.com`, you would replace `YOUR-W&B-HOST` with `wandb.mycompany.com`. The image below demonstrates how to provide allowed callback and sign-out URLs in AWS Cognito.

wandb/local uses the `implicit` grant with the `form_post` response type by default. You can also configure wandb/local to perform an `authorization_code` grant that uses the PKCE Code Exchange flow. Select one or more OAuth grant types to configure how AWS Cognito delivers tokens to your app.

W&B requires specific OpenID Connect (OIDC) scopes. Select the following from AWS Cognito App:

- `openid`
- `profile`
- `email`

For example, your AWS Cognito App UI should look similar to the following image:

Select the Auth Method in the settings page or set the `OIDC_AUTH_METHOD` environment variable to tell wandb/local which grant to use.

You must set the Auth Method to `pkce`. You need a Client ID and the URL of your OIDC issuer. The OpenID discovery document must be available at `$OIDC_ISSUER/.well-known/openid-configuration`. For example, you can generate your issuer URL by appending your User Pool ID to the Cognito IdP URL from the App Integration tab within the User Pools section:

Do not use the “Cognito domain” for the IdP URL. Cognito provides its discovery document at `https://cognito-idp.$REGION.amazonaws.com/$USER_POOL_ID`.

Next, Set up SSO in W&B.
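A pre-flight check for the issuer URL and discovery document described above, as an added example in Go that is not code from the W&B docs or from wandb/local. It assumes the operator has already fetched `$OIDC_ISSUER/.well-known/openid-configuration` (the bytes are passed in, so the example runs offline), and the embedded document is a constructed sample in the shape of a Cognito user-pool document with placeholder region, pool ID and hosted domain. The same check applies unchanged to the Okta and Entra issuer URLs described later on this page.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Discovery holds the fields of the OpenID Provider Metadata (OIDC Discovery
// 1.0, section 3) that matter when wiring W&B to an IdP.
type Discovery struct {
	Issuer                 string   `json:"issuer"`
	AuthorizationEndpoint  string   `json:"authorization_endpoint"`
	TokenEndpoint          string   `json:"token_endpoint"`
	JwksURI                string   `json:"jwks_uri"`
	ScopesSupported        []string `json:"scopes_supported"`
	ResponseTypesSupported []string `json:"response_types_supported"`
	ResponseModesSupported []string `json:"response_modes_supported"`
	CodeChallengeMethods   []string `json:"code_challenge_methods_supported"`
	IDTokenSigningAlgs     []string `json:"id_token_signing_alg_values_supported"`
}

// DiscoveryURL builds $OIDC_ISSUER/.well-known/openid-configuration without
// doubling the slash when the configured issuer carries a trailing one.
func DiscoveryURL(issuer string) string {
	return strings.TrimSuffix(issuer, "/") + "/.well-known/openid-configuration"
}

func has(list []string, want string) bool {
	for _, v := range list {
		if v == want {
			return true
		}
	}
	return false
}

// CheckDiscovery validates a discovery document (the bytes fetched from
// DiscoveryURL(issuer)) against what W&B needs for authMethod, which is
// "implicit" (id_token via form_post) or "pkce" (authorization code + S256).
// It returns every problem found so an operator can fix them in one pass.
func CheckDiscovery(issuer, authMethod string, doc []byte) []string {
	var d Discovery
	if err := json.Unmarshal(doc, &d); err != nil {
		return []string{"discovery document is not valid JSON: " + err.Error()}
	}
	var problems []string
	// Discovery 1.0 section 4.3: the document's issuer MUST equal the URL the
	// relying party was configured with (trailing slash normalized here; a
	// strict client compares byte for byte). This is the check that catches
	// the "Cognito domain" mistake: a document reached through the hosted
	// domain still names the cognito-idp URL as its issuer.
	if strings.TrimSuffix(d.Issuer, "/") != strings.TrimSuffix(issuer, "/") {
		problems = append(problems, fmt.Sprintf("issuer mismatch: configured %q but document says %q", issuer, d.Issuer))
	}
	if !strings.HasPrefix(d.Issuer, "https://") {
		problems = append(problems, "issuer must be an https URL")
	}
	if d.JwksURI == "" {
		problems = append(problems, "jwks_uri missing: ID-token signatures cannot be verified")
	}
	if !has(d.IDTokenSigningAlgs, "RS256") {
		problems = append(problems, "RS256 not advertised for ID tokens")
	}
	if d.ScopesSupported != nil { // RECOMMENDED, not REQUIRED, so only check when present
		for _, s := range []string{"openid", "profile", "email"} {
			if !has(d.ScopesSupported, s) {
				problems = append(problems, "required scope not advertised: "+s)
			}
		}
	}
	switch authMethod {
	case "implicit":
		if !has(d.ResponseTypesSupported, "id_token") {
			problems = append(problems, "implicit flow needs response_type id_token")
		}
		if !has(d.ResponseModesSupported, "form_post") {
			problems = append(problems, "implicit flow with form post needs response_mode form_post")
		}
	case "pkce":
		if !has(d.ResponseTypesSupported, "code") || d.TokenEndpoint == "" {
			problems = append(problems, "authorization code flow needs response_type code and a token_endpoint")
		}
		if !has(d.CodeChallengeMethods, "S256") {
			problems = append(problems, "PKCE needs code_challenge_method S256")
		}
	default:
		problems = append(problems, fmt.Sprintf("unknown auth method %q (use implicit or pkce)", authMethod))
	}
	return problems
}

// Constructed sample in the shape of a Cognito user-pool discovery document,
// with placeholder region, pool ID and hosted domain. Fetch the real one
// from DiscoveryURL(issuer).
const SampleIssuer = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE"

var SampleDoc = []byte(`{
  "issuer": "` + SampleIssuer + `",
  "authorization_endpoint": "https://EXAMPLE-DOMAIN.auth.us-east-1.amazoncognito.com/oauth2/authorize",
  "token_endpoint": "https://EXAMPLE-DOMAIN.auth.us-east-1.amazoncognito.com/oauth2/token",
  "jwks_uri": "` + SampleIssuer + `/.well-known/jwks.json",
  "scopes_supported": ["openid", "email", "phone", "profile"],
  "response_types_supported": ["code", "id_token", "token"],
  "response_modes_supported": ["query", "fragment", "form_post"],
  "code_challenge_methods_supported": ["S256"],
  "id_token_signing_alg_values_supported": ["RS256"]
}`)

func main() {
	fmt.Println("cognito-idp issuer:", CheckDiscovery(SampleIssuer, "pkce", SampleDoc))
	fmt.Println("Cognito domain as issuer:", CheckDiscovery("https://EXAMPLE-DOMAIN.auth.us-east-1.amazoncognito.com", "pkce", SampleDoc))
}
```

Running the check with the hosted Cognito domain as the configured issuer reports an issuer mismatch while the cognito-idp URL passes cleanly, which is the difference the warning above is about; a relying party that enforces the issuer claim would reject every ID token under the wrong setting, so the symptom in practice is a login that always fails rather than a misconfiguration that silently works.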
Follow the procedure below to set up Okta for authorization:

Log in to the Okta Portal.

On the left side, select Applications and then Applications again.

Click on “Create App integration.”

On the screen named “Create a new app integration,” select OIDC - OpenID Connect and Single-Page Application. Then click “Next.”

On the screen named “New Single-Page App Integration,” fill out the values as follows and click Save:

- App integration name, for example “W&B”
- Grant type: Select both Authorization Code and Implicit (hybrid)
- Sign-in redirect URIs: `https://YOUR_W_AND_B_URL/oidc/callback`
- Sign-out redirect URIs: `https://YOUR_W_AND_B_URL/logout`
- Assignments: Select Skip group assignment for now

On the overview screen of the Okta application that you just created, make note of the Client ID under Client Credentials under the General tab.

To identify the Okta OIDC Issuer URL, select Settings and then Account on the left side. The Okta UI shows the company name under Organization Contact.

The OIDC issuer URL has the following format: `https://COMPANY.okta.com`. Replace `COMPANY` with the corresponding value. Make note of it.

Next, Set up SSO in W&B.
Azure AD (Entra ID) supports two OIDC configuration modes for W&B. Choose the configuration that matches your security requirements:
- Public Client: Uses PKCE without a client secret. Simpler to configure, suitable for most deployments.
- Confidential Client: Uses PKCE with a client secret for enhanced security. Required if you need to set the `GORILLA_OIDC_SECRET` environment variable.
Do not mix configurations. If you select “Single-page application” in Azure AD, do not provide a client secret. If you need a client secret, you must select “Web” as the platform type.
**Public Client** (PKCE without a client secret):

1. Log in to the [Azure Portal](https://portal.azure.com/).
2. Navigate to **Microsoft Entra ID** service and select **App registrations** from the left sidebar.
3. Click **New registration** at the top of the page.
4. On the "Register an application" screen, configure the following:
* **Name**: Enter a descriptive name.
* **Supported account types**: Keep the default "Single tenant" or modify as needed.
* **Redirect URI**: Select platform type **Single-page application** and enter `https://YOUR_W_AND_B_URL/oidc/callback`.
* Click **Register**.
5. After registration, note the following values from the Overview page:
* **Application (client) ID**: Your OIDC Client ID.
* **Directory (tenant) ID**: Your OIDC Issuer URL.
![Application and Directory IDs](https://mintcdn.com/wb-21fd5541/7mSicW8MfO9qZmb2/images/hosting/entra_app_overview_make_note.png)
6. Configure authentication settings:
* Select **Authentication** from the left sidebar.
* Under **Front-channel logout URL**, enter `https://YOUR_W_AND_B_URL/logout`.
* Click **Save**.
Make a note of the following details:
* **OIDC Client ID**: The Application (client) ID from step 5
* **OIDC Issuer URL**: `https://login.microsoftonline.com/{TenantID}/v2.0` (replace {TenantID} with your Directory ID from step 5)
When configuring W&B, use:
* **Auth Method**: `pkce`
* **OIDC Client Secret**: Leave empty (do not set `GORILLA_OIDC_SECRET`)
Next, [Set up SSO in W&B](#set-up-sso-in-w%26b).
**Confidential Client** (PKCE with a client secret):

1. Log in to the [Azure Portal](https://portal.azure.com/).
2. Navigate to **Microsoft Entra ID** service and select **App registrations** from the left sidebar.
3. Click **New registration** at the top of the page.
4. On the "Register an application" screen, configure the following:
* **Name**: Enter a descriptive name.
* **Supported account types**: Keep the default "Single tenant" or modify as needed.
* **Redirect URI**: Select platform type **Web** and enter `https://YOUR_W_AND_B_URL/oidc/callback`.
* Click **Register**.
5. After registration, note the following values from the Overview page:
* **Application (client) ID**: Your OIDC Client ID.
* **Directory (tenant) ID**: Your OIDC Issuer URL.
![Application and Directory IDs](https://mintcdn.com/wb-21fd5541/7mSicW8MfO9qZmb2/images/hosting/entra_app_overview_make_note.png)
6. Configure authentication settings:
* Select **Authentication** from the left sidebar.
* Under **Front-channel logout URL**, enter `https://YOUR_W_AND_B_URL/logout`.
* Click **Save**.
7. Create a client secret:
* Select **Certificates & secrets** from the left sidebar.
* Click **New client secret**.
* Add a description for the secret.
* Choose an expiration period.
* Click **Add**. **Warning:** Copy and save the secret **Value** immediately (not the Secret ID).
![Client secret value](https://mintcdn.com/wb-21fd5541/7mSicW8MfO9qZmb2/images/hosting/entra_make_note_of_secret_value.png)
Make a note of the following details:
* **OIDC Client ID**: The Application (client) ID from step 5.
* **OIDC Client Secret**: The secret value from step 7.
* **OIDC Issuer URL**: `https://login.microsoftonline.com/{TenantID}/v2.0` (replace {TenantID} with your Directory ID from step 5).
When configuring W&B, use:
* **Auth Method**: `pkce`
* **OIDC Client Secret**: Set the `GORILLA_OIDC_SECRET` environment variable to the secret value from step 7
**Note:** The v2.0 endpoint supports both personal Microsoft accounts and work/school accounts. If your organization requires the v1.0 endpoint, use `https://login.microsoftonline.com/{TenantID}` instead.

Next, [Set up SSO in W&B](#set-up-sso-in-w%26b).
## Set up SSO in W&B
To set up SSO, you need administrator privileges and the following information:

- OIDC Client ID
- OIDC Auth method (`implicit` or `pkce`)
- OIDC Issuer URL
- OIDC Client Secret (optional; depends on how you have set up your IdP)

If your IdP requires an OIDC Client Secret, specify it by setting the `GORILLA_OIDC_SECRET` environment variable:

- In the W&B App, go to System Console > Settings > Advanced > User Spec and add `GORILLA_OIDC_SECRET` to the `extraENV` section as shown below.
- In Helm, configure `values.global.extraEnv` as shown below.

```yaml
values:
  global:
    extraEnv:
      GORILLA_OIDC_SECRET: "<your_secret>"
```
If you’re unable to log in to your instance after configuring SSO, you can restart the instance with the `LOCAL_RESTORE=true` environment variable set. This outputs a temporary password to the container’s logs and disables SSO. Once you’ve resolved any issues with SSO, you must remove that environment variable to enable SSO again.
The System Console is the successor to the System Settings page. It is available with the W&B Kubernetes Operator based deployment.
Refer to Access the W&B Management Console.
Navigate to Settings, then Authentication. Select OIDC in the Type dropdown.

Enter the values.
Click on Save.
Log out and then log back in, this time using the IdP login screen.
## Find your customer namespace
Before you can configure team-level BYOB with CoreWeave storage on W&B Dedicated Cloud or Self-Managed, you need to obtain your organization’s Customer Namespace. You can view and copy it from the bottom of the Authentication tab.
For detailed instructions on configuring CoreWeave storage with your Customer Namespace, see CoreWeave requirements for Dedicated Cloud / Self-Managed.
If your deployment still uses the System Settings page instead of the System Console:

Sign in to your Weights & Biases instance.
Navigate to the W&B App.

From the dropdown, select System Settings:

Enter your Issuer, Client ID, and Authentication Method.
Select Update settings.

If you’re unable to log in to your instance after configuring SSO, you can restart the instance with the `LOCAL_RESTORE=true` environment variable set. This outputs a temporary password to the container’s logs and turns off SSO. Once you’ve resolved any issues with SSO, you must remove that environment variable to enable SSO again.
## Security Assertion Markup Language (SAML)
W&B does not support SAML.