
SSO using OIDC

Email contact@wandb.com to configure an Auth0 tenant for you with identity providers supported by W&B (such as SAML, Ping Federate, Active Directory, and more).

If you already use Auth0 or have an Open ID Connect compatible server, follow the instructions below to set up authorization with Open ID.

info

W&B Server operates with manual user management by default. Licensed versions of wandb/local also unlock SSO.

Open ID Connect

wandb/local uses Open ID Connect (OIDC) for authentication. Based on your use case, select one of the tabs to learn how to set up AWS Cognito or Okta to authenticate W&B Server with Open ID Connect.

tip

Select either a Single Page or Public Client application in your identity provider (IdP).

Follow the procedure below to set up AWS Cognito for authorization:

  1. First, sign in to your AWS account and navigate to the AWS Cognito App.

Because we're only using OIDC for authentication and not authorization, public clients simplify setup.

  1. Provide an allowed callback URL to configure the application in your IdP:

    • Add http(s)://YOUR-W&B-HOST/oidc/callback as the callback URL. Replace YOUR-W&B-HOST with your W&B host path.
  2. If your IdP supports universal logout, set the Logout URL to http(s)://YOUR-W&B-HOST. Replace YOUR-W&B-HOST with your W&B host path.

For example, if your application was running at https://wandb.mycompany.com, you would replace YOUR-W&B-HOST with wandb.mycompany.com.

The image below demonstrates how to provide allowed callback and sign-out URLs in AWS Cognito.

If your instance is accessible from multiple hosts, be sure to include all of them here.

wandb/local uses the "implicit" grant with the "form_post" response type by default.

You can also configure wandb/local to perform an "authorization_code" grant that uses the PKCE Code Exchange flow.

  1. Select one or more OAuth grant types to configure how AWS Cognito will deliver tokens to your app.
  2. W&B requires specific OpenID Connect (OIDC) scopes. Select the following from AWS Cognito App:
    • "openid"
    • "profile"
    • "email"

For example, your AWS Cognito App UI should look similar to the following image:

openid, profile, and email are required

Select the Auth Method in the settings page or set the OIDC_AUTH_METHOD environment variable to tell wandb/local which grant to use.

info

For AWS Cognito providers you must set the Auth Method to "pkce".

  1. You need a Client ID and the URL of your OIDC issuer. The OpenID discovery document must be available at $OIDC_ISSUER/.well-known/openid-configuration

For example, with AWS Cognito, you can generate your issuer URL by appending your User Pool ID to the Cognito IdP URL from the App Integration tab within the User Pools section:

The issuer URL would be https://cognito-idp.us-east-1.amazonaws.com/us-east-1_uiIFNdacd

info

Do not use the "Cognito domain" for the IdP URL. Cognito provides its discovery document at https://cognito-idp.$REGION.amazonaws.com/$USER_POOL_ID
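
A pre-flight check for the issuer requirements above, as an added example (not W&B's code). The function names and the sample discovery document are constructed for illustration, and the `.amazoncognito.com` suffix test is an assumption that covers only Cognito's default hosted domains.

```python
import json
import urllib.request
from urllib.parse import urlparse

REQUIRED_SCOPES = {"openid", "profile", "email"}  # scopes this page says W&B requires

def discovery_url(issuer):
    """Discovery document location: $OIDC_ISSUER/.well-known/openid-configuration."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"

def fetch_discovery(issuer):
    """Download the discovery document (needs network access to the IdP)."""
    with urllib.request.urlopen(discovery_url(issuer), timeout=10) as resp:
        return json.load(resp)

def check_issuer(issuer, doc, auth_method="pkce"):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    parsed = urlparse(issuer)
    if parsed.scheme != "https":
        problems.append("issuer is not an https URL")
    # Assumption: default Cognito hosted domains end in .amazoncognito.com.
    if (parsed.hostname or "").endswith(".amazoncognito.com"):
        problems.append("issuer is a Cognito domain, not the cognito-idp URL")
    # OIDC Discovery requires the document's issuer to equal the configured one.
    if doc.get("issuer") != issuer:
        problems.append("discovery document issuer does not match")
    # scopes_supported is optional in discovery; check it only when advertised.
    if "scopes_supported" in doc:
        missing = REQUIRED_SCOPES - set(doc["scopes_supported"])
        if missing:
            problems.append("scopes not advertised: " + ", ".join(sorted(missing)))
    if auth_method == "pkce" and "code" not in doc.get("response_types_supported", []):
        problems.append("'code' response type not advertised, needed for pkce")
    return problems

# Constructed sample document, shaped like an IdP's discovery response.
ISSUER = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_uiIFNdacd"
SAMPLE_DOC = {
    "issuer": ISSUER,
    "scopes_supported": ["openid", "email", "phone", "profile"],
    "response_types_supported": ["code", "token"],
}

if __name__ == "__main__":
    print(check_issuer(ISSUER, SAMPLE_DOC))  # offline check on the sample
    # For a live check: check_issuer(ISSUER, fetch_discovery(ISSUER))
```

Run the live variant from the host that runs wandb/local, so the check also confirms the server can reach the discovery endpoint.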

Configure SSO on the W&B App

Once you have everything configured you can provide the Issuer, Client ID, and Auth method to wandb/local on the W&B App or set environment variables. The following procedure walks you through the steps to configure SSO with the W&B App UI:

  1. Sign in to your Weights and Biases server.
  2. Navigate to the W&B App.

  1. From the dropdown, select System Settings:

  1. Enter your Issuer, Client ID, and Authentication Method.
  2. Select Update settings.

info

If you're unable to log in to your instance after configuring SSO, you can restart the instance with the LOCAL_RESTORE=true environment variable set. This will output a temporary password to the container's logs and disable SSO. Once you've resolved any issues with SSO, you must remove that environment variable to enable SSO again.
