Skip to main content
W&B Server’s support for OpenID Connect (OIDC) compatible identity providers allows for management of user identities and group memberships through external identity providers like Okta, Keycloak, Auth0, Google, and Entra.

OpenID Connect (OIDC)

W&B Server supports the following OIDC authentication flows for integrating with external Identity Providers (IdPs).
  1. Implicit Flow with Form Post
  2. Authorization Code Flow with Proof Key for Code Exchange (PKCE)
These flows authenticate users and provide W&B Server with the necessary identity information (in the form of ID tokens) to manage access control. The ID token is a JWT that contains the user’s identity information, such as their name, username, email, and group memberships. W&B Server uses this token to authenticate the user and map them to appropriate roles or groups in the system. In the context of W&B Server, access tokens authorize requests to APIs on behalf of the user, but since W&B Server’s primary concern is user authentication and identity, it only requires the ID token. You can use environment variables to configure IAM options for your Dedicated Cloud or Self-Managed instance. To assist with configuring Identity Providers for Dedicated Cloud or Self-Managed W&B Server installations, follow these guidelines to follow for various IdPs. If you’re using the SaaS version of W&B, reach out to support@wandb.com for assistance in configuring an Auth0 tenant for your organization.
  • Cognito
  • Okta
  • Entra
Follow the procedure below to set up AWS Cognito for authorization:
  1. First, sign in to your AWS account and navigate to the AWS Cognito App.
    AWS Cognito setup
  2. Provide an allowed callback URL to configure the application in your IdP:
    • Add http(s)://YOUR-W&B-HOST/oidc/callback as the callback URL. Replace YOUR-W&B-HOST with your W&B host path.
  3. If your IdP supports universal logout, set the Logout URL to http(s)://YOUR-W&B-HOST. Replace YOUR-W&B-HOST with your W&B host path. For example, if your application was running at https://wandb.mycompany.com, you would replace YOUR-W&B-HOST with wandb.mycompany.com. The image below demonstrates how to provide allowed callback and sign-out URLs in AWS Cognito.
    Host configuration
    wandb/local uses the implicit grant with the form_post response type by default. You can also configure wandb/local to perform an authorization_code grant that uses the PKCE Code Exchange flow.
  4. Select one or more OAuth grant types to configure how AWS Cognito delivers tokens to your app.
  5. W&B requires specific OpenID Connect (OIDC) scopes. Select the following from AWS Cognito App:
    • “openid”
    • “profile”
    • “email”
    For example, your AWS Cognito App UI should look similar to the following image:
    Required fields
    Select the Auth Method in the settings page or set the OIDC_AUTH_METHOD environment variable to tell wandb/local which grant to. You must set the Auth Method to pkce.
  6. You need a Client ID and the URL of your OIDC issuer. The OpenID discovery document must be available at $OIDC_ISSUER/.well-known/openid-configuration For example, , you can generate your issuer URL by appending your User Pool ID to the Cognito IdP URL from the App Integration tab within the User Pools section:
    AWS Cognito issuer URL
    Do not use the “Cognito domain” for the IDP URL. Cognito provides it’s discovery document at https://cognito-idp.$REGION.amazonaws.com/$USER_POOL_ID

Set up SSO on the W&B Server

To set up SSO, you need administrator privileges and the following information:
  • OIDC Client ID
  • OIDC Auth method (implicit or pkce)
  • OIDC Issuer URL
  • OIDC Client Secret (optional; depends on how you have setup your IdP)
If your IdP requires a OIDC Client Secret, specify it by passing the environment variables GORILLA_OIDC_SECRET.
  • In the UI, go to System Console > Settings > Advanced > User Spec and add GORILLA_OIDC_SECRET to the extraENV section as shown below.
  • In Helm, configure values.global.extraEnv as shown below.
values:
  global:
    extraEnv:
      GORILLA_OIDC_SECRET="<your_secret>"
If you’re unable to log in to your instance after configuring SSO, you can restart the instance with the LOCAL_RESTORE=true environment variable set. This outputs a temporary password to the containers logs and disables SSO. Once you’ve resolved any issues with SSO, you must remove that environment variable to enable SSO again.
  • System Console
  • System settings
The System Console is the successor to the System Settings page. It is available with the W&B Kubernetes Operator based deployment.
  1. Refer to Access the W&B Management Console.
  2. Navigate to Settings, then Authentication. Select OIDC in the Type dropdown.
    System Console OIDC configuration
  3. Enter the values.
  4. Click on Save.
  5. Log out and then log back in, this time using the IdP login screen.

Find your customer namespace

Before you can configure team-level BYOB with CoreWeave storage on W&B Dedicated Cloud or Self-Managed, you need to obtain your organization’s Customer Namespace. You can view and copy it from the bottom of the Authentication tab.For detailed instructions on configuring CoreWeave storage with your Customer Namespace, see CoreWeave requirements for Dedicated Cloud / Self-Managed.
If you’re unable to log in to your instance after configuring SSO, you can restart the instance with the LOCAL_RESTORE=true environment variable set. This outputs a temporary password to the containers logs and turn off SSO. Once you’ve resolved any issues with SSO, you must remove that environment variable to enable SSO again.

Security Assertion Markup Language (SAML)

W&B Server does not support SAML.
I