Authentication & SSO
By default, Langfuse supports email/password and social logins (Sign in with Google, GitHub, Microsoft).
For increased security, you can also configure Enterprise SSO (e.g. Okta, Authentik, GitHub Enterprise, OneLogin, Azure AD, Keycloak, JumpCloud etc.) via OIDC.
For more details on authorization, please refer to the RBAC docs.
For self-hosted instances, please refer to the Self-hosted Authentication and SSO guide.
Email/Password authentication
By default, Langfuse uses email and password authentication. Langfuse enforces standard password complexity requirements.
If you signed up with a social login, you can add a password via the "reset password" link on the login page.
Social Logins
For simplified access, users can sign in using their existing social accounts:
- GitHub
- Azure AD (Entra ID)
For security reasons, Langfuse does not support switching between social logins or signing up with a social login after signing up with email/password.
Enterprise SSO & SSO Enforcement
- Hobby (Not Available)
- Core (Not Available)
- Pro (Teams Add-on required)
- Enterprise
- Self Hosted
Langfuse supports Enterprise SSO (e.g. Okta, Authentik, OneLogin, Azure AD, Keycloak, WorkOS, JumpCloud etc.) via OIDC.
Langfuse supports multiple domains per customer organization, but each domain must be exclusively owned by your organization. Shared domains (e.g., from subcontractors or consultancies) are not supported.
Details:
- Migration: Existing users who signed up with an email/password or social logins are automatically migrated to the Enterprise SSO provider once it is set up.
- Authorization: Enterprise SSO does not automatically provision roles for new users upon signup. Users must be invited to an organization, either through the UI (settings > members) or the SCIM API.
- Signing in: To sign in with an Enterprise SSO provider, please (1) enter your email address, and (2) press "Continue". You will be redirected to the Enterprise SSO provider to authenticate.
Langfuse supports authentication via OIDC only. SAML is not supported.
Configure Enterprise SSO on Langfuse Cloud
Organization admins can configure Enterprise SSO directly in Organization Settings > SSO.
1) Verify Domain
- Navigate to Organization Settings > SSO.
- In the Verify Domain section, click Add Domain and enter the domain you want to verify.
- Copy the DNS TXT record provided by Langfuse into your DNS provider.
- Wait for DNS propagation, then click Verify to verify the domain.
Domain verification is required before SSO can be configured. This ensures only organizations that control a domain can configure SSO for it.
If verification fails, confirm the record name/value match exactly, remove surrounding quotes, and re-check after propagation. Many DNS providers take a few minutes, but it can take up to 24 hours.
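The troubleshooting advice above can be checked locally before clicking Verify. This added example (not Langfuse's own code) parses the output of `dig +short TXT <name>` and reports whether the expected value is present, stored with literal quotes, or absent; the placeholder value and the sample outputs are constructed.

```python
import shlex

# Constructed sample data: the placeholder stands in for the value Langfuse shows.
EXPECTED = "PLACEHOLDER-VALUE-FROM-LANGFUSE"
GOOD = '"v=spf1 -all"\n"PLACEHOLDER-VALUE-FROM-LANGFUSE"'
QUOTED = r'"\"PLACEHOLDER-VALUE-FROM-LANGFUSE\""'  # quotes stored inside the value


def txt_values(dig_output):
    """Parse `dig +short TXT <name>` output into logical TXT values.

    One line is one record. A record may consist of several quoted
    character-strings (255 bytes max each); resolvers concatenate them.
    """
    values = []
    for line in dig_output.splitlines():
        if line.strip():
            values.append("".join(shlex.split(line)))
    return values


def diagnose(expected, dig_output):
    """Return 'match', 'extra-quotes', 'whitespace-or-case' or 'not-found'."""
    found = txt_values(dig_output)
    if expected in found:
        return "match"
    for value in found:
        # The value was pasted into the DNS provider with its quotes included.
        if value.strip('"') == expected.strip('"'):
            return "extra-quotes"
        if value.strip().lower() == expected.strip().lower():
            return "whitespace-or-case"
    return "not-found"


if __name__ == "__main__":
    for sample in (GOOD, QUOTED, '"v=spf1 -all"'):
        print(diagnose(EXPECTED, sample))
```

A "not-found" result right after creating the record usually means propagation has not finished; "extra-quotes" means the record itself needs to be corrected.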
2) Configure SSO
- In the SSO Configuration section, click Configure SSO next to the verified domain you want to set up.
- Copy the callback URL provided by Langfuse and add it to your IdP application's redirect/callback URL allowlist.
- Enter the issuer URL, client ID, and client secret from your IdP, then save the configuration.
- Test sign-in with a user from the verified domain.
GitHub and GitHub Enterprise do not expose a standard OIDC discovery endpoint. Langfuse cannot pre-validate these issuer URLs during setup. Double-check the issuer and callback URL allowlist in your IdP, then run a test login immediately after saving to catch mistakes before rollout.
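For IdPs that do publish OIDC discovery metadata, an admin can run the same kind of check on the issuer URL before entering it. This is an added example, not Langfuse's validation code: it applies the OpenID Connect Discovery rule that the advertised `issuer` must be identical to the configured one, and the sample document and the function names are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# Constructed discovery document for the page's example issuer.
SAMPLE = json.dumps({
    "issuer": "https://example.okta.com",
    "authorization_endpoint": "https://example.okta.com/oauth2/v1/authorize",
    "token_endpoint": "https://example.okta.com/oauth2/v1/token",
    "jwks_uri": "https://example.okta.com/oauth2/v1/keys",
    "response_types_supported": ["code", "id_token"],
})
ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")


def discovery_url(issuer):
    """Well-known location defined by OpenID Connect Discovery 1.0."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def check_issuer(configured, discovery_json):
    """Return a list of problems; an empty list means the issuer looks usable."""
    problems = []
    if urlsplit(configured).scheme != "https":
        problems.append("issuer is not https")
    try:
        doc = json.loads(discovery_json)
    except ValueError:
        return problems + ["discovery response is not JSON"]
    if not isinstance(doc, dict):
        return problems + ["discovery response is not a JSON object"]
    advertised = doc.get("issuer")
    # The spec requires the advertised issuer to be identical to the configured one.
    if advertised != configured:
        if str(advertised).rstrip("/") == configured.rstrip("/"):
            problems.append("issuer differs only by trailing slash")
        else:
            problems.append("issuer mismatch")
    for key in ENDPOINTS:
        if urlsplit(str(doc.get(key, ""))).scheme != "https":
            problems.append(key + " missing or not https")
    # Assumption: a web application with a client secret uses the code flow.
    if "code" not in (doc.get("response_types_supported") or []):
        problems.append("authorization code flow not advertised")
    return problems
```

Fetch the document from `discovery_url(issuer)` with any HTTP client and pass the response body to `check_issuer`; a provider without a discovery endpoint returns a non-JSON body and is reported as such.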
Vendor Guides
Okta
Step 1: Create an OIDC Application in Okta
- Log in to the Okta Admin Console
- Navigate to Applications > Applications
- Click Create App Integration
- Select OIDC - OpenID Connect as the Sign-in method
- Select Web Application as the Application type
- Click Next
Step 2: Configure the Application
- Enter an App integration name (e.g., "Langfuse")
- Set the Sign-in redirect URI to:
  https://<langfuse-url>/api/auth/callback/<domain>.okta
  Example: https://cloud.langfuse.com/api/auth/callback/example.com.okta
- (Optional) Set a Sign-out redirect URI if needed
- (Scopes) Scopes are not used by Langfuse during authentication
- Under Assignments, choose how to assign users
- Click Save
Step 3: Retrieve Credentials
- On the application's General tab, copy the Client ID and Client Secret
- Note your Okta Issuer URL (e.g., https://example.okta.com)
Step 4: Verify Your Domain in Langfuse
- In Langfuse, open Organization Settings > SSO
- In the Verify Domain section, click Add Domain and enter the domain that should use Okta
- Copy the DNS TXT record provided by Langfuse into your DNS provider
- Wait for DNS propagation, then click Verify in Langfuse
Step 5: Configure SSO in Langfuse
- In Organization Settings > SSO, find your verified domain in the SSO Configuration section
- Click Configure SSO
- Select Okta as provider
- Copy the callback URL shown by Langfuse and add it to Okta's Sign-in redirect URIs allowlist
- Enter the Issuer URL, Client ID, and Client Secret
- Save the configuration
Step 6: Assign Users
- In Okta, go to your Langfuse application's Assignments tab
- Assign users or groups who should have access to Langfuse
IdP-Initiated SSO
Langfuse supports IdP-initiated SSO (Identity Provider-initiated Single Sign-On), where users can start the SSO flow directly from Okta instead of starting from Langfuse.
Example of IdP-initiated SSO authentication flow (Okta):
To enable IdP-initiated SSO, configure Okta to redirect users to:
https://cloud.langfuse.com/auth/sso-initiate?provider=<PROVIDER>
- Replace <PROVIDER> with the last part of your callback URL, e.g. example.com.okta.
- Use the Redirect to app to initiate login (OIDC Compliant) option in Okta's settings.
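The derivation of `<PROVIDER>` from the callback URL, together with an exact-match check of the IdP's redirect allowlist, as an added example that is not Langfuse's code. The function names are illustrative, and building the initiate URL on the callback's own host is an assumption for deployments other than cloud.langfuse.com.

```python
from urllib.parse import urlencode, urlsplit

CALLBACK_PREFIX = "/api/auth/callback/"


def provider_id(callback_url):
    """Return the last path segment of a Langfuse callback URL."""
    parts = urlsplit(callback_url)
    if parts.scheme != "https" or not parts.path.startswith(CALLBACK_PREFIX):
        raise ValueError("not an https Langfuse callback URL")
    provider = parts.path[len(CALLBACK_PREFIX):]
    if not provider or "/" in provider or parts.query or parts.fragment:
        raise ValueError("unexpected text after the provider segment")
    return provider


def sso_initiate_url(callback_url):
    """Build the IdP-initiated login URL (assumption: same host as the callback)."""
    host = urlsplit(callback_url).netloc
    query = urlencode({"provider": provider_id(callback_url)})
    return "https://" + host + "/auth/sso-initiate?" + query


def allowlist_problem(callback_url, idp_redirect_uris):
    """Return None if the IdP allowlist has the exact callback URL, else a reason."""
    # OIDC compares redirect URIs as exact strings, so near misses fail at login.
    if callback_url in idp_redirect_uris:
        return None
    for uri in idp_redirect_uris:
        if uri.rstrip("/").lower() == callback_url.rstrip("/").lower():
            return "near miss (trailing slash or case): " + uri
    return "callback URL is not in the allowlist"


if __name__ == "__main__":
    cb = "https://cloud.langfuse.com/api/auth/callback/example.com.okta"
    print(sso_initiate_url(cb))
    print(allowlist_problem(cb, [cb + "/"]))
```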
User Provisioning with SCIM
For automated user provisioning, see the Okta SCIM Setup Guide.
Related Resources
- SCIM & Organization API to automate user provisioning, role assignments, and project setup after configuring SSO