This tutorial is a community contribution and is not supported by the Open WebUI team. It is provided only as a demonstration of how to customize Open WebUI for a specific use case. Want to contribute? Check out the contributing tutorial.
Okta OIDC SSO Integration
Overview
This page describes the steps needed to integrate Okta OIDC single sign-on (SSO) with Open WebUI. It also covers the optional management of Open WebUI user groups based on Okta group membership, including just-in-time (JIT) group creation. After following these steps, users can log in to Open WebUI with their Okta credentials. If group synchronization (ENABLE_OAUTH_GROUP_MANAGEMENT) is enabled, users are automatically assigned to the matching Open WebUI groups on every login, based on the groups Okta reports for them. If JIT group creation (ENABLE_OAUTH_GROUP_CREATION) is also enabled, groups that are present in the Okta claim but missing in Open WebUI are created automatically at login.
Prerequisites
- A new or existing Open WebUI instance.
- An Okta account with administrative permissions to create and configure applications.
- Basic understanding of OIDC, Okta application configuration, and Open WebUI environment variables.
Okta Setup
First, configure an OIDC application in your Okta organization and set up a groups claim so that group information is passed to Open WebUI.
1. Create/Configure an OIDC Application in Okta
- Log in to the Okta Admin Console.
- Navigate to Applications > Applications.
- Create a new OIDC - OpenID Connect application (choose Web Application as the type), or select an existing application that will be used for Open WebUI.
- During setup, or later on the application's General settings tab, configure the Sign-in redirect URIs. Append /oauth/oidc/callback to the URI of your Open WebUI instance, for example https://your-open-webui.com/oauth/oidc/callback. Register the exact URI Open WebUI will send (scheme, host, port and path): Okta only redirects to URIs on this list, and a mismatch fails the login.
- Note the Client ID and Client secret shown on the application's General tab; they are needed for the Open WebUI configuration. Treat the client secret like a password and keep it out of version control.
- On the Assignments tab, make sure the correct users or groups are assigned to this application. Only assigned identities can sign in through it, so this list is your first access-control boundary.
2. Add a Groups Claim to the ID Token
(Optional) To let Open WebUI manage groups automatically based on Okta groups, Okta must be configured to send the user's group memberships in the ID token. If you only need SSO login and prefer to manage groups manually within Open WebUI, you can skip this section.
- In the Admin Console, navigate to Applications > Applications and select your OIDC client application.
- Go to the Sign On tab and click Edit in the OpenID Connect ID Token section.
- Under Group claim type, select Filter.
- Under Group claims filter:
  - Enter groups as the claim name (or keep the default if one is pre-filled).
  - Select Matches regex from the dropdown.
  - Enter .* in the regular expression field. This includes every group the user belongs to. You can use a more specific regular expression if needed; a narrower pattern that matches only the groups you intend to map in Open WebUI keeps the ID token small and avoids exposing unrelated group names to the application.
- Click Save.
- Click the Back to applications link.
- From the dropdown of the application's More button, click Refresh Application Data.
For more advanced group claim configuration, refer to Okta's documentation on customizing tokens and group functions.
Open WebUI Configuration
To enable Okta OIDC SSO in Open WebUI, set the following core environment variables. Additional variables are needed if you enable the optional group management features.

```bash
# --- OIDC Core Settings ---
# Enable OAuth signup if you want users to be able to create accounts via Okta
# ENABLE_OAUTH_SIGNUP="true"

# Client ID of your Okta application
OAUTH_CLIENT_ID="YOUR_OKTA_CLIENT_ID"
# Client Secret of your Okta application
OAUTH_CLIENT_SECRET="YOUR_OKTA_CLIENT_SECRET"

# OIDC discovery URL of your Okta organization
# Format: https://<your-okta-domain>/.well-known/openid-configuration
# Or, for a specific authorization server: https://<your-okta-domain>/oauth2/<auth-server-id>/.well-known/openid-configuration
OPENID_PROVIDER_URL="YOUR_OKTA_OIDC_DISCOVERY_URL"

# Name shown on the login button (e.g. "Login with Okta")
OAUTH_PROVIDER_NAME="Okta"

# Scopes to request (the default, openid email profile, is usually sufficient for plain SSO)
# OAUTH_SCOPES="openid email profile groups" # add groups when you configured the groups claim in step 2

# --- OAuth Group Management (optional) ---
# Set to "true" only if you configured the groups claim in Okta (step 2)
# and want Open WebUI groups to be managed from Okta groups at login.
# This synchronizes existing groups: users are added to and removed from
# Open WebUI groups so that their membership matches the Okta groups claim.
# ENABLE_OAUTH_GROUP_MANAGEMENT="true"

# Only needed when ENABLE_OAUTH_GROUP_MANAGEMENT is true.
# Name of the ID token claim that carries the group information (must match the Okta configuration)
# OAUTH_GROUP_CLAIM="groups"

# Optional: create groups just-in-time (JIT) when they exist in the Okta claim but not in Open WebUI.
# Requires ENABLE_OAUTH_GROUP_MANAGEMENT="true".
# When false (the default), only existing groups are synchronized.
# ENABLE_OAUTH_GROUP_CREATION="false"
```
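An added consistency check (not part of Open WebUI) that a practitioner can run over a .env file before starting the instance. It encodes the dependencies stated in the comments above: placeholders left in place, a discovery URL that is not https or does not point at the well-known document, JIT creation enabled without group management, and group management enabled without the groups scope. The values in FILLED_ENV (domain, client ID, secret) are constructed, and DEFAULT_SCOPES assumes Open WebUI's default of openid email profile when OAUTH_SCOPES is unset.

```python
import re

# Open WebUI's default when OAUTH_SCOPES is unset (assumption, see lead-in)
DEFAULT_SCOPES = "openid email profile"
DISCOVERY_SUFFIX = "/.well-known/openid-configuration"
CALLBACK_PATH = "/oauth/oidc/callback"
PLACEHOLDER = re.compile(r"^YOUR_[A-Z_]+$")


def parse_env(text: str) -> dict:
    """Parse KEY="value" lines from .env-style text; comments and blank lines are ignored."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip('"').strip("'")
    return env


def is_true(value) -> bool:
    return (value or "").strip().lower() == "true"


def expected_redirect_uri(open_webui_base_url: str) -> str:
    """The URI that must be listed under Sign-in redirect URIs in Okta for this instance."""
    return open_webui_base_url.rstrip("/") + CALLBACK_PATH


def check_okta_config(env: dict) -> list:
    """Return a list of problems; an empty list means the settings are consistent."""
    problems = []
    for key in ("OAUTH_CLIENT_ID", "OAUTH_CLIENT_SECRET", "OPENID_PROVIDER_URL"):
        value = env.get(key, "")
        if not value:
            problems.append(f"{key} is not set")
        elif PLACEHOLDER.match(value):
            problems.append(f"{key} still contains the placeholder {value}")

    url = env.get("OPENID_PROVIDER_URL", "")
    if url and not PLACEHOLDER.match(url):
        if not url.startswith("https://"):
            problems.append("OPENID_PROVIDER_URL must use https://")
        if not url.endswith(DISCOVERY_SUFFIX):
            problems.append(f"OPENID_PROVIDER_URL should end with {DISCOVERY_SUFFIX}")

    manage = is_true(env.get("ENABLE_OAUTH_GROUP_MANAGEMENT"))
    create = is_true(env.get("ENABLE_OAUTH_GROUP_CREATION"))
    if create and not manage:
        problems.append("ENABLE_OAUTH_GROUP_CREATION=true has no effect without ENABLE_OAUTH_GROUP_MANAGEMENT=true")
    if manage:
        scopes = env.get("OAUTH_SCOPES", DEFAULT_SCOPES).split()
        if "groups" not in scopes:
            problems.append("group management is on but OAUTH_SCOPES does not request the groups scope")
        if not env.get("OAUTH_GROUP_CLAIM", "groups"):
            problems.append("OAUTH_GROUP_CLAIM is set to an empty value")
    return problems


# Constructed sample: the template above with the placeholders left in place
TEMPLATE_ENV = """
OAUTH_CLIENT_ID="YOUR_OKTA_CLIENT_ID"
OAUTH_CLIENT_SECRET="YOUR_OKTA_CLIENT_SECRET"
OPENID_PROVIDER_URL="YOUR_OKTA_OIDC_DISCOVERY_URL"
OAUTH_PROVIDER_NAME="Okta"
"""

# Constructed sample: hypothetical values, group management on, but OAUTH_SCOPES left at
# the default, so the groups claim would never be requested from Okta
FILLED_ENV = """
OAUTH_CLIENT_ID="0oa1example2client3"
OAUTH_CLIENT_SECRET="not-a-real-secret"
OPENID_PROVIDER_URL="https://example.okta.com/.well-known/openid-configuration"
ENABLE_OAUTH_GROUP_MANAGEMENT="true"
OAUTH_GROUP_CLAIM="groups"
"""

if __name__ == "__main__":
    for name, text in (("template", TEMPLATE_ENV), ("filled", FILLED_ENV)):
        for problem in check_okta_config(parse_env(text)) or ["ok"]:
            print(f"{name}: {problem}")
```

Run it against your own file with `check_okta_config(parse_env(open(".env").read()))`; the redirect URI helper gives you the exact string to paste into Okta for a given public base URL.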
Replace YOUR_OKTA_CLIENT_ID, YOUR_OKTA_CLIENT_SECRET and YOUR_OKTA_OIDC_DISCOVERY_URL with the actual values from your Okta application settings.
To enable group synchronization based on Okta claims, set ENABLE_OAUTH_GROUP_MANAGEMENT="true" and make sure OAUTH_GROUP_CLAIM matches the claim name you configured in Okta (the default is groups).
To have groups that exist in Okta but not yet in Open WebUI created automatically (JIT), set ENABLE_OAUTH_GROUP_CREATION="true". If you only want to manage membership of groups that already exist in Open WebUI, leave this setting at false.
When ENABLE_OAUTH_GROUP_MANAGEMENT is set to true, a user's group membership in Open WebUI is strictly synchronized with the groups received in the Okta claim. Concretely:
- The user is added to every Open WebUI group that matches a group in the Okta claim.
- The user is removed from every other Open WebUI group, including groups that were created manually or assigned within Open WebUI, if they are not present in the Okta claim.
Make sure all required groups are correctly configured in Okta and included in the groups claim. Okta is the source of truth here: a group assignment made in the Open WebUI UI does not survive the user's next login unless it is also reflected in the claim.
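The Okta filter from step 2 and the strict sync rules just described, modeled end to end as an added example; this is not Open WebUI's code, and it also serves the group claim section above. The group names, the user's memberships and the built-in Okta group Everyone are constructed; full-match semantics for Okta's Matches regex filter are an assumption (`.*` behaves the same under any matching rule).

```python
import re
from dataclasses import dataclass


def okta_groups_claim(user_groups, filter_regex: str) -> list:
    """Okta side: the 'Matches regex' group filter from step 2 applied to the user's groups.
    Full-match semantics are an assumption about Okta's filter (see lead-in)."""
    pattern = re.compile(filter_regex)
    return sorted(g for g in user_groups if pattern.fullmatch(g))


@dataclass
class SyncResult:
    final_groups: set   # Open WebUI groups the user belongs to after this login
    added: set          # groups the user was added to
    removed: set        # groups the user was removed from (manual assignments included)
    created: set        # groups created just-in-time
    ignored: set        # claim groups that do not exist in Open WebUI and were not created


def sync_user_groups(current_groups, claim_groups, existing_groups,
                     group_management: bool, group_creation: bool) -> SyncResult:
    """Open WebUI side as documented above: with group management on, the claim is
    authoritative; with creation on, unknown claim groups are created before syncing."""
    current = set(current_groups)
    if not group_management:
        return SyncResult(current, set(), set(), set(), set())
    claim = set(claim_groups)
    existing = set(existing_groups)
    unknown = claim - existing
    created = unknown if group_creation else set()
    ignored = set() if group_creation else unknown
    target = claim & (existing | created)
    return SyncResult(target, target - current, current - target, created, ignored)


# Constructed sample data
OKTA_USER_GROUPS = ["Everyone", "openwebui-admins", "finance"]    # Everyone is Okta's built-in group
OPEN_WEBUI_GROUPS = {"openwebui-admins", "openwebui-users", "manual-testers"}
USER_CURRENT_GROUPS = {"openwebui-admins", "manual-testers"}       # manual-testers was assigned by hand

if __name__ == "__main__":
    for regex in (".*", r"openwebui-.*"):
        claim = okta_groups_claim(OKTA_USER_GROUPS, regex)
        for manage, create in ((False, False), (True, False), (True, True)):
            result = sync_user_groups(USER_CURRENT_GROUPS, claim, OPEN_WEBUI_GROUPS, manage, create)
            print(f"filter={regex!r} management={manage} creation={create}: {result}")
```

Two things the output makes visible: the hand-assigned manual-testers membership is dropped on the first login with management enabled, and with the `.*` filter plus JIT creation, Okta's Everyone group becomes an Open WebUI group for every user; a filter such as `openwebui-.*` avoids both the noise and the token growth.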
When deploying Open WebUI on multiple nodes (for example in a Kubernetes cluster or behind a load balancer), session persistence matters, especially with SSO, so that the user experience stays seamless. Set the WEBUI_SECRET_KEY environment variable to the same secure, unique value on every Open WebUI instance.

```bash
# Example: generate a strong secret key (e.g. with openssl rand -hex 32)
WEBUI_SECRET_KEY="YOUR_UNIQUE_AND_SECURE_SECRET_KEY"
```

If this key is not identical on all nodes, session tokens issued by one node are not valid on the others, so users routed to a different node may be asked to log in again. By default, the Docker image generates a random key at first start, which is not suitable for a multi-node setup. The key signs the session token, so treat it as a credential: anyone who obtains it can forge sessions.
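Open WebUI signs its session JWT with WEBUI_SECRET_KEY, which is why a token minted on one node is rejected by a node holding a different key. The stand-alone HS256 model below is an added illustration of that failure mode, not Open WebUI's implementation; the node names, payload and expiry are constructed, and the key generator produces the same shape as `openssl rand -hex 32`.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def generate_secret_key() -> str:
    """Same shape as `openssl rand -hex 32`: 32 random bytes, hex-encoded (64 characters)."""
    return secrets.token_hex(32)


def issue_session_token(payload: dict, secret_key: str) -> str:
    """Mint an HS256 JWT; the HMAC binds header and payload to secret_key."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(secret_key.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_session_token(token: str, secret_key: str, now=None):
    """Return the payload if the token was signed with secret_key and is unexpired, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    if header.get("alg") != "HS256":            # never let the token pick the algorithm
        return None
    expected = hmac.new(secret_key.encode(), f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None                              # signed by a node holding a different key
    payload = json.loads(b64url_decode(payload_b64))
    current = time.time() if now is None else now
    if "exp" in payload and payload["exp"] <= current:
        return None
    return payload


def simulate_cluster(shared_key: bool) -> bool:
    """Login handled by node A, next request lands on node B; True if B accepts the session."""
    key_a = generate_secret_key()
    key_b = key_a if shared_key else generate_secret_key()   # per-node random key = the Docker default
    token = issue_session_token({"id": "user-123", "exp": int(time.time()) + 3600}, key_a)
    return verify_session_token(token, key_b) is not None


if __name__ == "__main__":
    print("shared WEBUI_SECRET_KEY, session survives node switch:", simulate_cluster(True))
    print("per-node random keys, session survives node switch:", simulate_cluster(False))
```

The verifier also refuses tokens whose header names another algorithm and compares signatures in constant time; both are part of handling this key correctly, not just distributing it.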
If you want to allow logins only via Okta (and potentially other configured OAuth providers), you can disable the standard email/password login form by setting the following environment variable:

```bash
ENABLE_LOGIN_FORM="false"
```

Before doing so, confirm that at least one administrator can sign in through Okta, since the password form is the fallback if the OIDC configuration breaks.