From c3cd50e0e6044a2e62ab630dd134af958fdaf319 Mon Sep 17 00:00:00 2001 From: Taylor Wilsdon Date: Mon, 7 Apr 2025 15:31:25 -0400 Subject: [PATCH] Add secret key info for transparent sessions across multiple nodes --- docs/tutorials/integrations/okta-oidc-sso.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/docs/tutorials/integrations/okta-oidc-sso.md b/docs/tutorials/integrations/okta-oidc-sso.md index ed8eb37..6a3c9ec 100644 --- a/docs/tutorials/integrations/okta-oidc-sso.md +++ b/docs/tutorials/integrations/okta-oidc-sso.md @@ -87,6 +87,18 @@ OAUTH_PROVIDER_NAME="Okta" Replace `YOUR_OKTA_CLIENT_ID`, `YOUR_OKTA_CLIENT_SECRET`, and `YOUR_OKTA_OIDC_DISCOVERY_URL` with the actual values from your Okta application configuration. If enabling group management, ensure `OAUTH_GROUP_CLAIM` matches the claim name you configured in Okta (default is `groups`). +:::info Session Persistence in Multi-Node Deployments + +When deploying Open WebUI across multiple nodes (e.g., in a Kubernetes cluster or behind a load balancer), it is crucial to ensure session persistence for a seamless user experience, especially with SSO. Set the `WEBUI_SECRET_KEY` environment variable to the **same secure, unique value** on **all** Open WebUI instances. + +```bash +# Example: Generate a strong secret key (e.g., using openssl rand -hex 32) +WEBUI_SECRET_KEY="YOUR_UNIQUE_AND_SECURE_SECRET_KEY" +``` + +If this key is not consistent across all nodes, users may be forced to log in again if their session is routed to a different node, as the session token signed by one node will not be valid on another. By default, the Docker image generates a random key on first start, which is unsuitable for multi-node setups. +::: + :::tip Disabling the Standard Login Form If you intend to *only* allow logins via Okta (and potentially other configured OAuth providers), you can disable the standard email/password login form by setting the following environment variable:
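Review bot: In the added `:::info` block, the bash snippet does not do what its comment says: the comment reads "Generate a strong secret key (e.g., using openssl rand -hex 32)" but the line below is just the placeholder `WEBUI_SECRET_KEY="YOUR_UNIQUE_AND_SECURE_SECRET_KEY"`. A reader who "fixes" this by writing `WEBUI_SECRET_KEY="$(openssl rand -hex 32)"` into each node's environment will get a different key on every node, which is exactly the failure mode the paragraph that follows warns about. Suggest splitting it into a one-time generation step and a per-node assignment of the same literal, e.g. `openssl rand -hex 32` run once, then `WEBUI_SECRET_KEY="<paste the single generated value here>"` on every instance, and saying explicitly that the value is generated once and copied, not generated per node. Since the text states this key signs session tokens, it would also be worth one sentence noting that anyone holding it can mint valid sessions, so it should be provisioned from a secret store (for the Kubernetes case mentioned, a Secret rather than a plain value in the manifest) and that rotating it logs out every user on every node at once.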