Skip to main content

Configure SSO with OIDC

W&B Server's support for OpenID Connect (OIDC) compatible identity providers allows for management of user identities and group memberships through external identity providers like Okta, Keycloak, Auth0, Google, and Entra.

OpenID Connect (OIDC)

W&B Server supports the following OIDC authentication flows for integrating with external Identity Providers (IdPs).

  1. Implicit Flow with Form Post
  2. Authorization Code Flow with Proof Key for Code Exchange (PKCE)

These flows authenticate users and provide W&B Server with the necessary identity information (in the form of ID tokens) to manage access control.

The ID token is a JWT that contains the user's identity information, such as their name, username, email, and group memberships. W&B Server uses this token to authenticate the user and map them to appropriate roles or groups in the system.

In the context of W&B Server, the access token is not required. Access tokens are typically used to authorize requests to APIs on behalf of the user, but since W&B Server’s primary concern is user authentication and identity, it only requires the ID token.

You can use environment variables to configure IAM options for your Dedicated Cloud or Self-managed instance.

To assist with configuring Identity Providers for Dedicated Cloud or Self-managed W&B Server installations, here are some key guidelines to follow for various IdPs. If you’re using the SaaS version of W&B, reach out to support@wandb.com for assistance in configuring an Auth0 tenant for your organization.

Follow the procedure below to set up AWS Cognito for authorization:

  1. First, sign in to your AWS account and navigate to the AWS Cognito App.

Because we're only using OIDC for authentication and not authorization, public clients simplify setup

  1. Provide an allowed callback URL to configure the application in your IdP:

    • Add http(s)://YOUR-W&B-HOST/oidc/callback as the callback URL. Replace YOUR-W&B-HOST with your W&B host path.
  2. If your IdP supports universal logout, set the Logout URL to http(s)://YOUR-W&B-HOST. Replace YOUR-W&B-HOST with your W&B host path.

For example, if your application was running at https://wandb.mycompany.com, you would replace YOUR-W&B-HOST with wandb.mycompany.com.

The image below demonstrates how to provide allowed callback and sign-out URLs in AWS Cognito.

If your instance is accessible from multiple hosts, be sure to include all of them here.

wandb/local uses the "implicit" grant with the "form_post" response type by default.

You can also configure wandb/local to perform an "authorization_code" grant that uses the PKCE Code Exchange flow.

  1. Select one or more OAuth grant types to configure how AWS Cognito will deliver tokens to your app.
  2. W&B requires specific OpenID Connect (OIDC) scopes. Select the following from AWS Cognito App:
    • "openid"
    • "profile"
    • "email"

For example, your AWS Cognito App UI should look similar to the following image:

openid, profile, and email are required

Select the Auth Method in the settings page or set the OIDC_AUTH_METHOD environment variable to tell wandb/local which grant to.

info

For AWS Cognito providers you must set the Auth Method to "pkce"

  1. You need a Client ID and the URL of your OIDC issuer. The OpenID discovery document must be available at $OIDC_ISSUER/.well-known/openid-configuration

For example, with AWS Cognito, you can generate your issuer URL by appending your User Pool ID to the Cognito IdP URL from the App Integration tab within the User Pools section:

Screenshot of issuer URL in AWS Cognito

info

Do not use the "Cognito domain" for the IDP url. Cognito provides it's discovery document at https://cognito-idp.$REGION.amazonaws.com/$USER_POOL_ID

Set up SSO on the W&B Server

To set up SSO, you need administrator privileges and the following information:

  • OIDC Client ID
  • OIDC Auth method (implicitorpkce`)
  • OIDC Issuer URL
  • OIDC Client Secret (optional; depends on how you have setup your IdP)
info

Should your IdP require a OIDC Client Secret, specify it with the environment variable OIDC_SECRET.

You can configure SSO using either the W&B Server UI or by passing environment variables to the wandb/local pod. The environment variables take precedence over UI.

info

If you're unable to log in to your instance after configuring SSO, you can restart the instance with the LOCAL_RESTORE=true environment variable set. This outputs a temporary password to the containers logs and disables SSO. Once you've resolved any issues with SSO, you must remove that environment variable to enable SSO again.

The System Console is the successor to the System Settings page. It is available with the W&B Kubernetes Operator based deployment.

  1. Refer to Access the W&B Management Console.

  2. Navigate to Settings, then Authentication. Select OIDC in the Type dropdown.

  3. Enter the values.

  4. Click on Save.

  5. Log out and then log back in, this time using the IdP login screen.

info

If you're unable to log in to your instance after configuring SSO, you can restart the instance with the LOCAL_RESTORE=true environment variable set. This will output a temporary password to the containers logs and turn off SSO. Once you've resolved any issues with SSO, you must remove that environment variable to enable SSO again.

Security Assertion Markup Language (SAML)

W&B Server does not support SAML.

Was this page helpful?👍👎