Okta Setup for OpenWebUI
This document explains how an Okta administrator can configure Okta as a SAML Identity Provider (IdP) for Arthur’s Keycloak, which brokers authentication into Open WebUI.
Once configured, users can log in to Open WebUI through Okta SSO, and Keycloak will automatically assign `admin` or `user` roles based on Okta groups.
Step 1 — Sign in to Okta Admin Console
- Go to https://admin.okta.com
- Sign in with an account that has permissions to manage applications.
- Navigate to Applications → Applications → Create App Integration.
Step 2 — Choose Integration Type
- Under Sign-in method, select SAML 2.0.
- Click Next.
Step 3 — Configure the SAML Application
General Settings
| Field | Value |
|---|---|
| App name | Open WebUI (Arthur) |
| App logo | Optional |
| App visibility | Optional (leave defaults or restrict to specific groups) |
Click Next.
SAML Settings
| Field | Value |
|---|---|
| Single sign-on URL | `https://{AUTH_BASE_URL}/realms/{REALM}/broker/okta/endpoint` |
| Audience URI (SP Entity ID) | `https://{AUTH_BASE_URL}/realms/{REALM}` |
| Default RelayState | (leave blank) |
| Name ID format | EmailAddress |
| Application username | Email |
Replace `{AUTH_BASE_URL}` and `{REALM}` with your tenant's values, for example `https://auth-development.arthur.ai` and `openwebui`.
Click Next.
Step 4 — Attribute Statements
Add the following attribute mappings:
| Name | Name format | Value |
|---|---|---|
| email | Unspecified | user.email |
| firstName | Unspecified | user.firstName |
| lastName | Unspecified | user.lastName |
| Groups | Unspecified | getFilteredGroups("openwebui-*") |
The `getFilteredGroups` function ensures that only Okta groups prefixed with `openwebui-` are sent in the SAML response. You can modify this filter or remove it if you want all groups to be sent.
Click Next.
Step 5 — Feedback
Select the following options:
- “I’m an Okta customer adding an internal app”
- “This is an internal app that we created”
Click Finish.
Step 6 — Obtain Okta SAML Metadata
- Go to the new app’s Sign On tab.
- Click View SAML setup instructions.
- Copy the following values and provide them to your Arthur contact:
| Field | Description |
|---|---|
| Identity Provider Single Sign-On URL | Okta IdP login endpoint |
| Identity Provider Issuer | Okta Entity ID |
| X.509 Certificate | Public certificate used to sign SAML assertions |
Step 7 — Assign Users or Groups
- In Okta, go to the new app → Assignments tab.
- Click Assign → Assign to Groups.
- Assign the relevant groups:
  - `openwebui-admins` → admin users
  - `openwebui-users` → standard users
If your organization uses different group names, provide them to Arthur so they can be mapped appropriately in Keycloak.
Step 8 — Send Information to Arthur (Keycloak Admin)
Send the following information to your Arthur contact or Keycloak administrator:
| Item | Description |
|---|---|
| Identity Provider Single Sign-On URL | From Step 6 |
| Identity Provider Issuer (Entity ID) | From Step 6 |
| X.509 Certificate | From Step 6 |
| Admin Group(s) | e.g., `openwebui-admins` |
| User Group(s) | e.g., `openwebui-users` |
Arthur’s team will configure these in Keycloak to complete the connection.
Summary of Configuration (Okta Side)
| Step | Action |
|---|---|
| 1 | Create new SAML 2.0 App Integration |
| 2 | SSO URL → `https://{AUTH_BASE_URL}/realms/{REALM}/broker/okta/endpoint` |
| 3 | Audience URI → `https://{AUTH_BASE_URL}/realms/{REALM}` |
| 4 | NameID → EmailAddress |
| 5 | Attributes → email, firstName, lastName, Groups |
| 6 | Copy SSO URL, Issuer, and X.509 Certificate |
| 7 | Assign appropriate users and groups |
| 8 | Send SSO configuration details to Arthur for Keycloak mapping |
End Result
| Okta Group | Keycloak Role | Open WebUI Access |
|---|---|---|
| openwebui-admins | admin | Full admin privileges |
| openwebui-users | user | Standard user access |
Once configured, users log into Open WebUI using their Okta credentials, and Keycloak automatically maps their group membership to the appropriate access level.
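To check that the attribute statements from Step 4 and the group-to-role mapping in the table above line up before handing the values to Arthur, here is an added Python example (not Arthur's, Okta's or Keycloak's code) that parses a constructed SAML assertion, verifies the Audience matches the SP Entity ID, and resolves a role from the `Groups` attribute. It assumes the example tenant values from Step 3, interprets the `openwebui-*` filter as a shell-style wildcard, and gives `admin` precedence when a user is in both groups; none of those are stated on the page.

```python
import fnmatch
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Mapping taken from the "End Result" table; the audience value is the
# Step 3 example tenant and is an assumption for this illustration.
GROUP_TO_ROLE = {"openwebui-admins": "admin", "openwebui-users": "user"}
GROUP_FILTER = "openwebui-*"
EXPECTED_AUDIENCE = "https://auth-development.arthur.ai/realms/openwebui"

# Constructed sample assertion (not a real Okta response), trimmed to the
# elements this check inspects; a real assertion is signed and carries more.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>https://auth-development.arthur.ai/realms/openwebui</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Groups">
      <saml:AttributeValue>openwebui-admins</saml:AttributeValue>
      <saml:AttributeValue>Everyone</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_attributes(assertion_xml):
    """Return {attribute name: [values]} from the AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return attrs


def audience_ok(assertion_xml, expected=EXPECTED_AUDIENCE):
    """True when the assertion's Audience names our SP Entity ID (Step 3)."""
    root = ET.fromstring(assertion_xml)
    return expected in [a.text for a in root.findall(".//saml:Audience", NS)]


def resolve_role(groups):
    """Drop groups outside the openwebui-* filter, then map; admin wins (assumption)."""
    kept = [g for g in groups if fnmatch.fnmatchcase(g, GROUP_FILTER)]
    roles = {GROUP_TO_ROLE[g] for g in kept if g in GROUP_TO_ROLE}
    return "admin" if "admin" in roles else ("user" if "user" in roles else None)
```

A `None` result means the user holds no mapped group, so Keycloak would have no role to assign; that is the case to look for when a user reports being able to sign in to Okta but not Open WebUI.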