Okta Setup for OpenWebUI
Once configured, users can log in to Open WebUI through Okta SSO, and Keycloak will automatically assign admin or user roles based on Okta groups.
Step 1 — Sign in to Okta Admin Console
- Go to https://admin.okta.com
- Sign in with an account that has permissions to manage applications.
- Navigate to:
Applications → Applications → Create App Integration
Step 2 — Choose Integration Type
- Under Sign-in method, select SAML 2.0.
- Click Next.
Step 3 — Configure the SAML Application
General Settings
| Field | Value |
|---|---|
| App name | Open WebUI (Arthur) |
| App logo | Optional |
| App visibility | Optional (leave defaults or restrict to specific groups) |
Click Next.
SAML Settings
| Field | Value |
|---|---|
| Single sign-on URL | https://{AUTH_BASE_URL}/realms/{REALM}/broker/okta/endpoint |
| Audience URI (SP Entity ID) | https://{AUTH_BASE_URL}/realms/{REALM} |
| Default RelayState | (leave blank) |
| Name ID format | EmailAddress |
| Application username | Email |
Replace {AUTH_BASE_URL} and {REALM} with your tenant’s values, for example:
https://auth-development.arthur.ai and openwebui.
Click Next.
Step 4 — Attribute Statements
Add the following attribute mappings:
| Name | Name format | Value |
|---|---|---|
| email | Unspecified | user.email |
| firstName | Unspecified | user.firstName |
| lastName | Unspecified | user.lastName |
| Groups | Unspecified | getFilteredGroups("openwebui-*") |
The getFilteredGroups function ensures that only Okta groups prefixed with openwebui- are sent in the SAML response.
You can modify this filter or remove it if you want all groups to be sent.
Click Next.
Step 5 — Feedback
Select the following options:
- “I’m an Okta customer adding an internal app”
- “This is an internal app that we created”
Click Finish.
Step 6 — Obtain Okta SAML Metadata
- Go to the new app’s Sign On tab.
- Click View SAML setup instructions.
- Copy the following values and provide them to your Arthur contact:
| Field | Description |
|---|---|
| Identity Provider Single Sign-On URL | Okta IdP login endpoint |
| Identity Provider Issuer | Okta Entity ID |
| X.509 Certificate | Public certificate used to sign SAML assertions |
Step 7 — Assign Users or Groups
- In Okta, go to the new app → Assignments tab.
- Click Assign → Assign to Groups.
- Assign the relevant groups:
  - openwebui-admins → admin users
  - openwebui-users → standard users
If your organization uses different group names, provide them to Arthur so they can be mapped appropriately in Keycloak.
Step 8 — Send Information to Arthur (Keycloak Admin)
Send the following information to your Arthur contact or Keycloak administrator:
| Item | Description |
|---|---|
| Identity Provider Single Sign-On URL | From Step 6 |
| Identity Provider Issuer (Entity ID) | From Step 6 |
| X.509 Certificate | From Step 6 |
| Admin Group(s) | e.g., openwebui-admins |
| User Group(s) | e.g., openwebui-users |
Arthur’s team will configure these in Keycloak to complete the connection.
Summary of Configuration (Okta Side)
| Step | Action |
|---|---|
| 1 | Create new SAML 2.0 App Integration |
| 2 | SSO URL → https://{AUTH_BASE_URL}/realms/{REALM}/broker/okta/endpoint |
| 3 | Audience URI → https://{AUTH_BASE_URL}/realms/{REALM} |
| 4 | NameID → EmailAddress |
| 5 | Attributes → email, firstName, lastName, Groups |
| 6 | Copy SSO URL, Issuer, and X.509 Certificate |
| 7 | Assign appropriate users and groups |
| 8 | Send SSO configuration details to Arthur for Keycloak mapping |
End Result
| Okta Group | Keycloak Role | Open WebUI Access |
|---|---|---|
| openwebui-admins | admin | Full admin privileges |
| openwebui-users | user | Standard user access |
Once configured, users log into Open WebUI using their Okta credentials, and Keycloak automatically maps their group membership to the appropriate access level.
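As an added illustration (not Arthur's, Okta's or Keycloak's own code), the Python check below parses a constructed SAML assertion and applies the Step 4 requirements (EmailAddress NameID, Audience URI, the openwebui- group filter) together with the group-to-role mapping from the table above. The audience URL, e-mail address and group contents are placeholder values.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 assertion namespace and the NameID format chosen in Step 3
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
GROUP_PREFIX = "openwebui-"  # what getFilteredGroups("openwebui-*") lets through
GROUP_TO_ROLE = {"openwebui-admins": "admin", "openwebui-users": "user"}

# Constructed sample assertion with placeholder values (not from a real tenant)
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>https://auth.example.com/realms/openwebui</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Groups">
      <saml:AttributeValue>openwebui-admins</saml:AttributeValue>
      <saml:AttributeValue>openwebui-users</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def check_assertion(xml_text, expected_audience):
    """Return (email, role) or raise ValueError when the assertion does not match the setup.
    Signature verification is assumed to have been done by the SP before this runs."""
    root = ET.fromstring(xml_text)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        raise ValueError("NameID missing or not in EmailAddress format")
    audiences = [a.text for a in root.findall(".//saml:Audience", NS)]
    if expected_audience not in audiences:  # must equal the SP Entity ID from Step 3
        raise ValueError(f"audience mismatch: {audiences}")
    attrs = {}
    for attr in root.findall(".//saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    if not attrs.get("email"):
        raise ValueError("email attribute missing")
    # Ignore anything outside the prefix the Okta filter should have sent, then map groups to roles
    groups = [g for g in attrs.get("Groups", []) if g.startswith(GROUP_PREFIX)]
    roles = {GROUP_TO_ROLE[g] for g in groups if g in GROUP_TO_ROLE}
    if not roles:
        raise ValueError("no mapped Open WebUI group in assertion")
    return attrs["email"][0], "admin" if "admin" in roles else "user"
```

A user in both groups resolves to admin; a user in neither is rejected rather than silently given access.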