How to set up SSO login correctly?

I am currently using an enterprise trial license to test SSO login compatibility with Lark Suite. I set up wandb like this:


The first problem is that I can't find the SSO login entry, but I temporarily handled this by constructing the login URL directly. But when I log in with SSO (I get something like https://myhost/oidc/callback?code=3b7cQMjiRxppSEoPeambUdVP0l2VC_bDulCAj-LbJ2Y.ID3j8_Z-WzGOcJcEFnKrLjJllbd1CjcQaX8y7DQMqEc&scope=openid+profile+email&state=), I always get a 302 to https://myhost/login?error=access_denied&error_description=Unknown+authentication+failure, which tells me: We're sorry, but there was a problem authenticating your account: Unknown authentication failure.
I tried to figure out what is going on by capturing packets from the backend to MySQL, and it seems that nothing related to user info is transported, which means OIDC login is probably not working.
So how can I fix this problem? I'd appreciate any help.

I construct the SSO login URL like this:

https://anycross.feishu.cn/sso/{lark_sso_app_id}/oidc/auth?response_type=code&client_id={oidc_client_id}&scope=openid%20profile%20email&redirect_uri=https://myhost/oidc/callback

I think this should not be the problem, since I do get redirected to /oidc/callback.

Hi @ayf19 thank you for reporting this issue. Are you using Okta or AWS as identity provider? We have some detailed instructions in our Docs page here: Single Sign-On (SSO) setup | Weights & Biases Documentation. Have you followed the same steps as well? Can you please confirm the grant type that you've configured?

Hello Thanos, thanks for the help.

I have read the SSO setup doc and I think I have correctly done as it says, just as in the picture posted above. I am using Lark Suite as identity provider, but I also tested Okta and nothing seems different. The only grant types supported by Lark Suite are authorization_code and refresh_token; implicit is not supported. It seems that login with my current OIDC provider will use an OIDC client secret, which is not configured in wandb. Does this mean wandb has not yet supported this?

I'm not sure if I understand this correctly, but it seems that wandb doesn't contain a page with an SSO login button, and users can only get access to this application by clicking the entry somewhere like the Okta apps page. If this is not correct, I wonder where I can find the SSO login button.

Hi @ayf19 we don't have a guide for Lark Suite, but since you have Okta, could you please try the following steps and let me know if that worked for you?

The first step is to create an Okta App Integration following the steps described.

  1. Click Create App Integration and select:

    • OIDC - OpenID Connect
    • Single-Page Application
  2. In the New Single-Application App integration, fill in the following data:

  3. After configuration, copy the Client ID and the Issuer URL. Usually, the Issuer URL will be https://.okta.com.

Once you have the Client ID and Issuer URL, the next step is to enable and configure the SSO in W&B.

Could you please provide more information regarding the page with SSO login button ? Do you mean the <host-url>/login page?

Thanks for help. Here is my configuration:


This is accepted by wandb, but I don't know what to do next to log in with Okta. The page with an SSO login button I mentioned is something like https://wandb.auth0.com/login, so I can click "login with Okta". The <host-url>/login page requires a username and password to log in, rather than SSO login.

Hi @ayf19 will it still require username/password after logging out? Are you using Docker or Terraform to deploy the W&B instance? Would it be possible to re-deploy it, since it seems you've configured all the SSO settings?

Yes, I am asked to log in with username/password after logging out or when accessing in a private tab. I am using Docker to deploy W&B, and restarting the container does not help.

Would it be possible to click on System Settings and then export the debug bundle from the top-right icon? Can you please share the zip folder (you can email support@wandb.com and refer to ticket #60464)? We will then review this for any misconfiguration and get back to you.

Sure, I already sent that from me@anyi.fan.

Hi @ayf19 thank you for sending the Debug Bundle. We've received it and will review it with our Solutions Architect team and get back to you here.

Hi @ayf19 after discussing it with our Solutions Architect team there are a few recommendations that will help our troubleshooting.

  1. The redirect URI should be:

https://YOUR-W&B-HOST:8080/oidc/callback

  2. The logout URI should be:

https://YOUR-W&B-HOST/logout

  3. Once that is configured in the Single Page Application (in Okta), the client id will need to be set.

  4. The OIDC issuer of:

https://trial-4220671.okta.com

looks correct, while the one configured earlier shouldn't work:

https://anycross.feishu.cn/sso/{lark_sso_app_id}/oidc/auth?response_type=code&client_id={oidc_client_id}&scope=openid%20profile%20email&redirect_uri=https://myhost/oidc/callback

  5. If you're using Lark, it should provide you with the issuer URL. We need the id_token enabled:
    https://www.larksuite.com/hc/en-US/articles/505701838399-configure-an-organization-s-identity-provider-organization-sso#tabs0%7Clineguid-3K4sI

  6. May I please ask why you're mentioning:

https://wandb.auth0.com/login

This isn't relevant for W&B Server; it has to do with our SaaS auth0 integration.

  7. It would help to know how you're starting your W&B Server. If you're using a Docker run command, can you please let us know the syntax?

  8. You may not be able to set up authorization_code and refresh_token if you're simply running wandb server start. In that case you will have to export the following environment variables:

OIDC_ISSUER
OIDC_CLIENT_ID
OIDC_AUTH_METHOD
OIDC_SECRET

Here’s a Docker run command for your reference that you may find useful:
https://docs.wandb.ai/guides/hosting/how-to-guides/bare-metal#docker-deployment

@ayf19 please note that we strongly recommend using the documented way to set up SSO with Okta here. Another issue that showed up in the Debug Bundle, which might not be directly related to SSO, has to do with the max user processes. You may want to consider checking how many you've configured in your Docker daemon's settings and increase that with ulimit -a

runtime: failed to create new OS thread (have 8772 already; errno=11)
runtime: may need to increase max user processes (ulimit -u)
fatal error: newosproc

Thank you Thanos, I finally solved my problem. It turns out that the wandb documentation forgot to mention the OIDC_SECRET environment variable, which is necessary for SSO login; without it wandb won't redirect to SSO login on clicking the Login button. That's why I mentioned wandb.auth0.com; I thought there should be a page for the user to choose between simple login and SSO login.

After setting the OIDC_SECRET environment variable and restarting the server, I get redirected to SSO login. However, since I can't find Okta's OIDC secret, I tried to use Lark Suite like this:

sudo docker run -itd \
  -e HOST=https://localhost:10087 \
  -e LICENSE=xxx \
  -e OIDC_ISSUER=https://anycross.feishu.cn/sso/{app_id} \
  -e OIDC_CLIENT_ID={client_id} \
  -e OIDC_AUTH_METHOD=pkce \
  -e OIDC_SECRET={client_secret} \
  -p 8900:8080 \
  --name wandb-local \
  wandb/local

I can log in to Lark Suite and get redirected back to somewhere like https://localhost:10087/oidc/callback?code=5q4yYL71wrzxHxTnB9si9lhchA3i4NGE7aOvXI30ei4.mom6ZxjNWNdctNddkFRV4bc7vNIdk7mA7wl_Ih8Gbm0&scope=openid+profile+email&state=Mmh2TldnY2Q3ajJkWEhDUA%3D%3D, but wandb fails to finish the login and reports this:

We’re sorry, but there was a problem authenticating your account: Invalid PKCE code exchange: authentication error: invalid_request, description: The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. Only support one client credential way.

I guess this is about my SSO provider settings (especially the return_type), but I am not sure what wandb wants. Here is my SSO provider configuration:

Translated into English:

# tip: The default login protocol used when accessing the authentication address directly. If implicit
# is turned on, make sure the callback addresses are all HTTPS protocols!
grant_type: authorization_code, refresh_token

scope: openid, profile, email

# tip: Configure the data items that lark supports to return from the authorization endpoint,
# code for support to return authorization code, token for support to return Access Token, id_token
# for support to return ID Token. if you don't actively ask lark for it when you initiate a request,
# lark won't proactively return the corresponding data
# 
# there is only one choice, perhaps lark's SSO provider is imperfect and incompatible with wandb?
return_type: code

# tip: choosing HS256 needs to verify the signature with the App Secret, while RS256 needs to verify
# with the public key; the public key is obtained from the `JWKS public key endpoint`
ID_Token_Signature_Algorithm: HS256

# tip: When turned on, lark will return encrypted ID Token, you need to decrypt the ID Token with
# your private key before verifying its signature. Note that turning this option on or off may
# require modifying the current application logic for obtaining and parsing ID Token.
encrypt_ID_Token: false

aquire_Token_authentication_method: client_secret_post

Can you please help confirm whether this SSO provider is compatible with wandb local?

Thanks for all your help, and it would be great if you updated the documentation and added OIDC_SECRET to https://docs.wandb.ai/guides/hosting/env-vars and https://docs.wandb.ai/guides/hosting/sso
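The following is an added example, not code from W&B Server or from anyone in this thread, that walks through the relying-party side of the flow being debugged above: building the authorization request with state, nonce and a PKCE S256 challenge (the thread's IdP only returns return_type: code), checking the callback, building a token request that carries exactly one client-credential method (either the code_verifier for OIDC_AUTH_METHOD=pkce or the client secret for client_secret_post, since the IdP above rejected a request with more than one), and verifying an HS256 id_token against the App Secret as the provider's configuration describes. The issuer, client id, redirect URI, secret and the sample id_token minted at the end are assumed placeholders constructed for the example.

```python
# Added example (not W&B Server's code): OIDC authorization-code flow with PKCE,
# seen from the relying party. All identifiers below are assumed placeholders.
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

ISSUER = "https://idp.example.com/sso/app-id"                   # assumed OIDC_ISSUER
CLIENT_ID = "wandb-local"                                       # assumed OIDC_CLIENT_ID
REDIRECT_URI = "https://wandb.example.com:8080/oidc/callback"   # assumed W&B host


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def pkce_challenge(verifier: str) -> str:
    """RFC 7636 S256: challenge = base64url(sha256(verifier))."""
    return b64url(hashlib.sha256(verifier.encode()).digest())


def make_pkce():
    verifier = b64url(secrets.token_bytes(32))   # 43 unreserved characters
    return verifier, pkce_challenge(verifier)


def auth_url(state: str, nonce: str, challenge: str) -> str:
    """Authorization request: 'state' binds the callback to this browser session,
    'nonce' must come back inside the id_token, and only a code is requested."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile email",
        "state": state,
        "nonce": nonce,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{ISSUER}/oidc/auth?{urlencode(params)}"


def token_request(callback_url: str, expected_state: str, auth_method: str,
                  verifier: str = None, client_secret: str = None) -> dict:
    """Body of the POST to the token endpoint. Exactly one credential method is
    sent: the code_verifier (pkce) or the client secret (client_secret_post)."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback is not bound to this session")
    if "code" not in query:
        raise ValueError("callback carries no authorization code")
    body = {
        "grant_type": "authorization_code",
        "code": query["code"][0],
        "redirect_uri": REDIRECT_URI,   # must match the URI registered at the IdP
        "client_id": CLIENT_ID,
    }
    if auth_method == "pkce":
        if not verifier:
            raise ValueError("pkce needs the code_verifier from make_pkce()")
        body["code_verifier"] = verifier
    elif auth_method == "client_secret_post":
        if not client_secret:
            raise ValueError("client_secret_post needs the client secret")
        body["client_secret"] = client_secret
    else:
        raise ValueError(f"unsupported auth method: {auth_method}")
    return body


def verify_hs256_id_token(token: str, client_secret: str, nonce: str,
                          now: int = None) -> dict:
    """Verify an HS256 id_token: HMAC with the App Secret, then iss/aud/exp/nonce."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":      # pin the algorithm; never trust 'alg' from the token
        raise ValueError("unexpected alg")
    signed = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(client_secret.encode(), signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    aud = claims.get("aud")
    if claims.get("iss") != ISSUER:
        raise ValueError("issuer mismatch")
    if aud != CLIENT_ID and not (isinstance(aud, list) and CLIENT_ID in aud):
        raise ValueError("audience mismatch")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch")
    return claims


def sample_id_token(client_secret: str, nonce: str, exp: int, **extra) -> str:
    """Constructed sample id_token: an offline stand-in for what the IdP would mint."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "u-1", "exp": exp, "nonce": nonce, **extra}
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(client_secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


if __name__ == "__main__":
    verifier, challenge = make_pkce()
    print(auth_url("st-1", "n-1", challenge))
    cb = f"{REDIRECT_URI}?code=abc123&scope=openid+profile+email&state=st-1"
    print(token_request(cb, "st-1", "pkce", verifier=verifier))
    tok = sample_id_token("app-secret", "n-1", int(time.time()) + 300, email="a@example.com")
    print(verify_hs256_id_token(tok, "app-secret", "n-1"))
```

A real deployment keeps the verifier, state and nonce server-side per login attempt and would use the issuer's JWKS for RS256 instead of a shared secret; the HS256 path is shown because that is what the configuration above selects, and it means the client secret must be available to the relying party for verification, not only for the token request.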

I have figured this out. The SSO provider in Lark Suite is broken; I use the Keycloak SSO provider and it works. Thank you.


Hi @ayf19, that's great news :tada:! Thank you for the update, and I'm glad to hear you've sorted this out! We also appreciate the feedback on our Docs page. I'll file a documentation update ticket internally to include OIDC_SECRET in the mentioned pages. I'm marking this ticket as closed for now, but feel free to reach out if you have any other questions or issues. Just a heads-up: you're currently on a trial license. If you're thinking about upgrading to a paid license, don't hesitate to give us a shout.