Overview
Using a client secret (recommended)
By default, LangSmith self-hosted supports the Authorization Code flow with a Client Secret. In this version of the flow, your client secret is stored securely in LangSmith (rather than in the frontend) and is used to authenticate and to establish the authenticated session.
Prerequisites
- You must be self-hosted and on the Enterprise plan.
- Your IdP must support the Authorization Code flow with a Client Secret.
- Your IdP must support using an external discovery/issuer URL. We will use this to fetch the necessary routes and keys for your IdP.
- You must provide the OIDC, email, and profile scopes to LangSmith. We use these to fetch the necessary user information and email for your users.
LangSmith SSO is only supported over https.
Configuration
- You will need to set the callback URL in your IdP to https://<host>/api/v1/oauth/custom-oidc/callback, where host is the domain or IP you have provisioned for your LangSmith instance. This is where your IdP will redirect the user after they have authenticated.
- You will need to provide oauthClientId, oauthClientSecret, hostname, and oauthIssuerUrl in your values.yaml file. This is where you will configure your LangSmith instance.
- If you have not yet configured OAuth with a client secret, or if you only have a personal organization, you must provide an email address to be assigned as the initial organization admin of the newly configured SSO organization. If you are upgrading from basic auth, your existing organization will be reused.
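The following is an added example (not LangSmith code) that turns the constraints stated in this section into a pre-deployment check: the hostname must be an https URL without a trailing slash, the IdP callback must be the hostname plus the fixed /api/v1/oauth/custom-oidc/callback path, and the scopes granted should be exactly openid, email and profile (plus offline_access where refresh tokens are used). The values are passed in as a plain dict keyed by the values.yaml names the page lists; accepting oauthScopes as either a list or a space-separated string is an assumption made here, not a statement about the chart's schema, and the sample values are constructed.

```python
"""Pre-deployment sanity check for LangSmith client-secret SSO values.

Added example, not LangSmith's own code. It encodes the rules this page states:
https only, no trailing slash on hostname, fixed callback path, and the
openid/email/profile scopes. The oauthScopes format (list or space-separated
string) is an assumption for illustration.
"""
from urllib.parse import urlparse

# Callback path given on the page for the client-secret flow.
SSO_CALLBACK_PATH = "/api/v1/oauth/custom-oidc/callback"
# The page's required scopes ("OIDC" is the openid scope).
REQUIRED_SCOPES = {"openid", "email", "profile"}
# values.yaml keys the page says must be provided for this flow.
REQUIRED_KEYS = ("oauthClientId", "oauthClientSecret", "hostname", "oauthIssuerUrl")


def callback_url(hostname: str) -> str:
    """Return the redirect URI to register in the IdP for this hostname."""
    return hostname.rstrip("/") + SSO_CALLBACK_PATH


def _scope_set(raw) -> set:
    """Normalise oauthScopes (assumed: list or space-separated string) to a set."""
    if raw is None:
        return set(REQUIRED_SCOPES)  # nothing configured: treat as the default trio
    if isinstance(raw, str):
        return set(raw.split())
    return set(raw)


def check_sso_values(values: dict) -> list:
    """Return a list of problems with the SSO values; an empty list means OK."""
    problems = []
    for key in REQUIRED_KEYS:
        if not values.get(key):
            problems.append(f"{key} is required")

    hostname = values.get("hostname") or ""
    if urlparse(hostname).scheme != "https":
        problems.append("hostname must be an https URL (SSO is only supported over https)")
    if hostname.endswith("/"):
        problems.append("hostname must not end with a trailing slash")

    if urlparse(values.get("oauthIssuerUrl") or "").scheme != "https":
        problems.append("oauthIssuerUrl must be an https URL")

    scopes = _scope_set(values.get("oauthScopes"))
    missing = REQUIRED_SCOPES - scopes
    if missing:
        problems.append("missing required scopes: " + ", ".join(sorted(missing)))
    # offline_access is tolerated because refresh tokens may need it (see session length controls).
    extra = scopes - REQUIRED_SCOPES - {"offline_access"}
    if extra:
        problems.append("scopes beyond openid/email/profile widen exposure: " + ", ".join(sorted(extra)))
    return problems


if __name__ == "__main__":
    # Constructed sample values; the client id/secret are placeholders.
    sample = {
        "oauthClientId": "<client-id>",
        "oauthClientSecret": "<client-secret>",
        "hostname": "https://langsmith.yourdomain.com",
        "oauthIssuerUrl": "https://accounts.google.com",
    }
    print("register callback:", callback_url(sample["hostname"]))
    print("problems:", check_sso_values(sample) or "none")
```

Run it against the values you are about to apply with Helm; any non-empty problem list points at a setting that will make the IdP redirect fail or that grants more than single sign-on needs.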
Session length controls
All environment variables in this section apply to the platform-backend service and can be added in Helm using platformBackend.deployment.extraEnv.
- By default, session length is controlled by the expiry of the identity token returned by the identity provider.
- Most setups should use refresh tokens to extend the session length beyond the identity token expiry, up to OAUTH_SESSION_MAX_SEC. This may require including the offline_access scope by adding it to oauthScopes (Helm) or OAUTH_SCOPES (Docker).
- OAUTH_SESSION_MAX_SEC (default 1 day) can be overridden to at most one week (604800).
- For identity provider setups that do not support refresh tokens, setting OAUTH_OVERRIDE_TOKEN_EXPIRY="true" will use OAUTH_SESSION_MAX_SEC as the session length, ignoring the identity token expiry.
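As an added illustration (not LangSmith code), the block below models the rules above so an operator can predict when a session ends for a given configuration, and builds the extraEnv entries for a desired session length. The default (1 day), the cap (604800 seconds) and the two variable names come from this section; the {"name": ..., "value": ...} entry shape is the usual Kubernetes env list and is assumed here for platformBackend.deployment.extraEnv. Timestamps are Unix seconds and all inputs are constructed.

```python
"""Model of the session-length rules described in this section.

Added example, not LangSmith's own code. Rules implemented:
  - default: the identity token expiry ends the session
  - refresh token available: extend beyond the id token expiry, up to OAUTH_SESSION_MAX_SEC
  - OAUTH_OVERRIDE_TOKEN_EXPIRY="true": OAUTH_SESSION_MAX_SEC is the session length,
    the id token expiry is ignored
  - OAUTH_SESSION_MAX_SEC defaults to 1 day and is capped at one week
"""

ONE_DAY = 86400     # page default for OAUTH_SESSION_MAX_SEC
ONE_WEEK = 604800   # page maximum for OAUTH_SESSION_MAX_SEC


def effective_max_sec(env: dict) -> int:
    """Read OAUTH_SESSION_MAX_SEC from an env mapping, applying default and cap."""
    raw = env.get("OAUTH_SESSION_MAX_SEC")
    if raw in (None, ""):
        return ONE_DAY
    value = int(raw)
    if value <= 0:
        raise ValueError("OAUTH_SESSION_MAX_SEC must be a positive number of seconds")
    return min(value, ONE_WEEK)


def session_expiry(env: dict, login_at: int, id_token_exp: int, has_refresh_token: bool) -> int:
    """Return the Unix time at which the session created at login_at ends."""
    max_sec = effective_max_sec(env)
    if env.get("OAUTH_OVERRIDE_TOKEN_EXPIRY", "").lower() == "true":
        # Override: identity token expiry is ignored entirely.
        return login_at + max_sec
    if has_refresh_token:
        # Refresh tokens extend the session past the id token expiry, up to the cap.
        return max(id_token_exp, login_at + max_sec)
    # Default: the identity token expiry controls the session.
    return id_token_exp


def extra_env_for_session(desired_sec: int, idp_supports_refresh_tokens: bool) -> list:
    """Build platformBackend.deployment.extraEnv entries for a desired session length.

    Rejects requests beyond the one-week cap rather than silently truncating them,
    and sets OAUTH_OVERRIDE_TOKEN_EXPIRY when the IdP cannot issue refresh tokens.
    The {"name", "value"} entry shape is assumed (standard Kubernetes env list).
    """
    if not 0 < desired_sec <= ONE_WEEK:
        raise ValueError(f"session length must be between 1 and {ONE_WEEK} seconds")
    entries = [{"name": "OAUTH_SESSION_MAX_SEC", "value": str(desired_sec)}]
    if not idp_supports_refresh_tokens:
        entries.append({"name": "OAUTH_OVERRIDE_TOKEN_EXPIRY", "value": "true"})
    return entries


if __name__ == "__main__":
    # Constructed scenario: login at t=1000, id token valid for one hour, no refresh token.
    env = {"OAUTH_SESSION_MAX_SEC": "259200", "OAUTH_OVERRIDE_TOKEN_EXPIRY": "true"}
    print("session ends at", session_expiry(env, 1000, 4600, has_refresh_token=False))
    print(extra_env_for_session(259200, idp_supports_refresh_tokens=False))
```

When the IdP does support refresh tokens, prefer extra_env_for_session(..., True) together with the offline_access scope, so the session can be extended without discarding the identity token expiry altogether.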
Overriding the sub claim
In some cases it may be necessary to override which claim from the identity provider is used as the sub claim.
For example, with SCIM, the resolved sub claim and the SCIM externalId must match for login to succeed.
If there are restrictions on the source attribute for the sub claim and/or the SCIM externalId, set the ISSUER_SUB_CLAIM_OVERRIDES environment variable to choose which OIDC JWT claim is used as sub.
If the issuer URL starts with one of the URLs in this configuration, the sub claim is taken from the named field.
For example, with the following configuration, a token with issuer https://idp.yourdomain.com/application/uuid will use the customClaim value as sub:
oid claim:
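The following is an added illustration of the matching rule described in this section; it is not LangSmith's code and does not reproduce the syntax of the ISSUER_SUB_CLAIM_OVERRIDES variable. The override table is a plain Python dict from issuer URL prefix to claim name (an assumed shape), with the page's https://idp.yourdomain.com/application/uuid to customClaim mapping plus a constructed second entry that selects an oid claim for a made-up issuer. It also shows the SCIM condition: the resolved sub must equal the user's externalId. Choosing the longest matching prefix when several match is a design choice made here, not something the page states.

```python
"""Resolve the OIDC sub claim under an issuer-prefix override table.

Added example, not LangSmith's own code. The override table shape (dict of
issuer URL prefix -> claim name) is an assumption for illustration, not the
syntax of the ISSUER_SUB_CLAIM_OVERRIDES environment variable.
"""

# Constructed override table. The first entry is the page's example; the
# second is a made-up issuer that selects the oid claim.
SUB_CLAIM_OVERRIDES = {
    "https://idp.yourdomain.com/application/uuid": "customClaim",
    "https://tenant.example-idp.test/": "oid",
}


def resolve_sub(claims: dict, overrides: dict) -> str:
    """Return the value to use as sub for a decoded, already-verified JWT payload.

    If the token's iss starts with a configured prefix, the named claim is used
    and must be present; otherwise the standard sub claim is used.
    """
    iss = claims.get("iss")
    if not isinstance(iss, str) or not iss:
        raise ValueError("token has no iss claim")

    # Longest matching prefix wins (design choice here), so a specific
    # application issuer can override a broader tenant-wide entry.
    matches = [prefix for prefix in overrides if iss.startswith(prefix)]
    if matches:
        field = overrides[max(matches, key=len)]
        value = claims.get(field)
        if value in (None, ""):
            raise ValueError(f"issuer {iss} is configured to use claim {field!r}, but the token lacks it")
        return str(value)

    sub = claims.get("sub")
    if sub in (None, ""):
        raise ValueError("token has no sub claim")
    return str(sub)


def scim_login_allowed(claims: dict, overrides: dict, scim_external_id: str) -> bool:
    """SCIM rule from the page: the resolved sub must match the SCIM externalId."""
    try:
        return resolve_sub(claims, overrides) == scim_external_id
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed token payloads (signature verification is assumed to have happened already).
    token = {"iss": "https://idp.yourdomain.com/application/uuid", "sub": "internal-guid", "customClaim": "user-123"}
    print(resolve_sub(token, SUB_CLAIM_OVERRIDES))                          # user-123
    print(scim_login_allowed(token, SUB_CLAIM_OVERRIDES, "user-123"))       # True
```

Note that the resolver only selects a field; it does not validate the token. Run it on claims that have already passed signature, issuer and audience checks, otherwise an attacker-controlled payload could choose its own identity.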
Google Workspace IdP setup
You can use Google Workspace as a single sign-on (SSO) provider using OAuth 2.0 and OIDC, without PKCE. You must have administrator-level access to your organization's Google Cloud Platform (GCP) account to create a new project, or have permission to create and configure OAuth 2.0 credentials for an existing project. We recommend creating a new project for administrative access, because each GCP project has a single OAuth consent screen.
- Create a new GCP project; see the Google documentation topic Creating and managing projects.
- After creating the project, open the Credentials page in the Google API Console (make sure the project in the upper-left corner is the correct one).
- Create new credentials: Create credentials → OAuth client ID.
- Select Web application as the application type and enter a name for the application, e.g. LangSmith.
- Under Authorized JavaScript origins, put the domain of your LangSmith instance, e.g. https://langsmith.yourdomain.com.
- Under Authorized redirect URIs, put the domain of your LangSmith instance followed by /api/v1/oauth/custom-oidc/callback, e.g. https://langsmith.yourdomain.com/api/v1/oauth/custom-oidc/callback.
- Click Create, then download the JSON or copy and save the Client ID (ends with .apps.googleusercontent.com) and Client secret somewhere secure. You will be able to access these later if needed.
- Select OAuth consent screen from the navigation menu on the left.
- Choose the Application type as Internal. If you select Public, anyone with a Google account can sign in.
- Enter a descriptive Application name. This name is shown to users on the consent screen when they sign in. For example, use LangSmith or <organization_name> SSO for LangSmith.
- Verify that the Scopes for Google APIs only lists the email, profile, and openid scopes. Only these scopes are required for single sign-on. Granting additional scopes increases the risk of exposing sensitive data.
- (Optional) Control who within your organization has access to LangSmith: https://admin.google.com/ac/owl/list?tab=configuredApps. See Google's documentation for additional details.
- Configure LangSmith to use this OAuth application. For example, here are the config values that would be used for a Kubernetes configuration:
  - oauthClientId: the Client ID (ends with .apps.googleusercontent.com)
  - oauthClientSecret: the Client secret
  - hostname: the domain of your LangSmith instance, e.g. https://langsmith.yourdomain.com (no trailing slash)
  - oauthIssuerUrl: https://accounts.google.com
  - oauth.enabled: true
  - authType: mixed
Okta IdP setup
Supported features
- IdP-initiated SSO
- SP-initiated SSO
Configuration steps
For additional information, see Okta's documentation. If you have any questions or issues, please reach out to support@langchain.dev.
Via Okta Integration Network (recommended)
This method of configuration is required in order to use SCIM with Okta.
- Sign in to Okta.
- In the upper-right corner, select Admin. The button is not visible from the Admin area.
- Select Browse App Integration Catalog.
- Find and select the LangSmith application.
- On the application overview page, select Add Integration.
- Fill in ApiUrlBase:
  - Your LangSmith API URL without the protocol (https://), formatted as <langsmith_domain>/api/v1, e.g., langsmith.yourdomain.com/api/v1.
  - If your installation is configured with a subdomain / path prefix, include that in the URL, e.g., langsmith.yourdomain.com/prefix/api/v1.
- Leave AuthHost empty.
- (Optional, if planning to use SCIM as well) Fill in LangSmithUrl: the <langsmith_url> portion from above, e.g., langsmith.yourdomain.com.
- Under Application Visibility, keep the box unchecked.
- Select Next.
- Select OpenID Connect.
- Fill in Sign-On Options:
  - Application username format: Email.
  - Update application username on: Create and update.
  - Allow users to securely see their password: leave unchecked.
- Click Save.
- Configure LangSmith to use this OAuth application (see the general configuration section for details about initialOrgAdminEmail):
Via Custom App Integration
- Log in to Okta as an administrator, and go to the Okta Admin console.
- Under Applications > Applications, click Create App Integration.
- Select OIDC - OpenID Connect as the Sign-in method and Web Application as the Application type, then click Next.
- Enter an App integration name (e.g., LangSmith).
- Recommended: check Core grants > Refresh Token (see session length controls).
- In Sign-in redirect URIs, put the domain of your LangSmith instance followed by /api/v1/oauth/custom-oidc/callback, e.g., https://langsmith.yourdomain.com/api/v1/oauth/custom-oidc/callback. If your installation is configured with a subdomain / path prefix, include that in the URL, e.g., https://langsmith.yourdomain.com/prefix/api/v1/oauth/custom-oidc/callback.
- Remove the default URI under Sign-out redirect URIs.
- Under Trusted Origins > Base URIs, add your LangSmith URL with the protocol, e.g., https://langsmith.yourdomain.com.
- Select your desired option under Assignments > Controlled access:
  - Allow everyone in your organization to access.
  - Limit access to selected groups.
  - Skip group assignment for now.
- Click Save.
- Under Sign On > OpenID Connect ID Token, set Issuer to Okta URL.
- (Optional) Under General > Login, set Login initiated by to Either Okta or App to enable IdP-initiated login.
- (Recommended) Under General > Login > Email verification experience, fill in the Callback URI with the LangSmith URL, e.g., https://langsmith.yourdomain.com.
- Configure LangSmith to use this OAuth application (see the general configuration section for details about initialOrgAdminEmail):
SP-initiated SSO
Users can sign in using the Login via SSO button on the LangSmith homepage.
Without Client Secret (PKCE) (Deprecated)
We recommend running with a Client Secret if possible (previously we didn't support this). However, if your IdP does not support this, you can use the Authorization Code with PKCE flow.
This flow does not require a Client Secret. For the alternative workflow, refer to With client secret.
Requirements
There are a couple of requirements for using OAuth SSO with LangSmith:
- Your IdP must support the Authorization Code with PKCE flow (Google does not support this flow, for example, but see above for an alternative configuration that Google supports). This is often displayed in your OAuth provider as configuring a "Single Page Application (SPA)".
- Your IdP must support using an external discovery/issuer URL. We will use this to fetch the necessary routes and keys for your IdP.
- You must provide the OIDC, email, and profile scopes to LangSmith. We use these to fetch the necessary user information and email for your users.
- You will need to set the callback URL in your IdP to http://<host>/oauth-callback, where host is the domain or IP you have provisioned for your LangSmith instance. This is where your IdP will redirect the user after they have authenticated.
- You will need to provide the oauthClientId and oauthIssuerUrl in your values.yaml file. This is where you will configure your LangSmith instance.