Identity Provider

    Okta for Enterprise LLM Auth

    Already using Okta for workforce identity? Extend it to your AI stack. Attach Gateway verifies Okta JWTs and adds per-user identity and quotas to every LLM request.

    Built for Enterprise

    Okta is the standard for workforce identity. Attach makes it work seamlessly with AI:

    ┌──────────────┐     ┌──────────┐     ┌─────────────────┐     ┌─────────┐
    │   Employee   │────▶│   Okta   │────▶│  Attach Gateway │────▶│  Ollama │
    │   (Browser)  │ SSO │   (IdP)  │ JWT │  (Verify+Quota) │     │  / vLLM │
    └──────────────┘     └──────────┘     └─────────────────┘     └─────────┘

    What You Get

    Workforce Identity

    Use your existing Okta workforce directory. Employees authenticate with their corporate credentials.

    OIDC Verification

    Attach validates Okta JWTs automatically. SSO, MFA, and conditional access are all enforced by Okta at sign-in, before a token is issued.

    Per-User Quotas

    Track and limit token usage by Okta user or group. Perfect for cost management.

    Setup Guide

    1. Create an Okta API application

    In the Okta Admin Console, create a new API integration.

    # Okta Admin > Applications > Create App Integration
    # Choose: API Services or OIDC - Web Application
    # Note your:
    #   - Okta domain: dev-123456.okta.com
    #   - Client ID: 0oabc123...
    #   - Audience: api://your-api

    2. Configure Attach Gateway

    export AUTH_BACKEND=okta
    export OIDC_ISSUER=https://dev-123456.okta.com/oauth2/default
    export OIDC_AUD=api://your-api
    
    # Optional: Per-user quotas
    export MAX_TOKENS_PER_MIN=60000
    
    attach-gateway --port 8080

    3. Get tokens from Okta

    # Using Okta CLI or SDK
    okta login
    export JWT=$(okta apps token --app your-app-id)
    
    # Or via OAuth2 flow in your app

    4. Make authenticated requests

    curl -H "Authorization: Bearer $JWT" \
      -d '{"model":"llama3","prompt":"hello"}' \
      http://localhost:8080/api/chat
    
    # Okta user identity in X-Attach-User header
    # Group memberships available for RBAC

    Supported Okta Features

    Workforce Identity Cloud
    Universal Directory integration
    Adaptive MFA
    Conditional access policies
    Group-based permissions
    Custom authorization servers
    Machine-to-machine tokens
    Session management

    Enterprise Security

    Attach integrates with Okta's authorization server. All your existing policies—MFA requirements, IP restrictions, device trust—are enforced before requests reach your LLM.

    Frequently Asked Questions

    Does Attach work with Okta Workforce Identity?

    Yes. Attach supports both Okta Workforce Identity Cloud and Customer Identity Cloud. For workforce scenarios, your employees authenticate with their corporate Okta credentials, and Attach verifies the resulting JWT to control LLM access.

    Can I use Okta groups for access control?

    Absolutely. Configure Okta to include group claims in your tokens. Attach extracts these claims and can enforce group-based access policies. For example, only the "AI-Power-Users" group gets access to GPT-4 class models.
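
As an added example (not Attach Gateway's own code), the following shows the claim checks that the issuer and audience settings from step 2 and the group-based access described above amount to, applied to claims whose signature has already been verified against the issuer's published keys. The `groups` claim name, the `MODEL_POLICY` table and the sample claims are assumptions constructed for the example.

```python
import time

OIDC_ISSUER = "https://dev-123456.okta.com/oauth2/default"  # from step 2
OIDC_AUD = "api://your-api"                                  # from step 2
# Hypothetical policy mapping model name -> Okta groups allowed to use it.
MODEL_POLICY = {"gpt-4-class": {"AI-Power-Users"},
                "llama3": {"Everyone", "AI-Power-Users"}}

def claim_problems(claims, now=None, leeway=60):
    """Reasons to reject signature-verified claims; an empty list means OK."""
    now = time.time() if now is None else now
    problems = []
    # Exact string match: a token minted by another authorization server on
    # the same Okta domain carries a different iss and must not be accepted.
    if claims.get("iss") != OIDC_ISSUER:
        problems.append("issuer mismatch")
    aud = claims.get("aud")  # JWT allows a single string or a list
    auds = [aud] if isinstance(aud, str) else aud if isinstance(aud, list) else []
    if OIDC_AUD not in auds:
        problems.append("audience mismatch")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now > exp + leeway:
        problems.append("expired or missing exp")
    return problems

def may_use_model(claims, model, now=None):
    """Group-based model access; fails closed on any missing piece."""
    if claim_problems(claims, now=now):
        return False
    groups = claims.get("groups")  # assumed claim name
    if isinstance(groups, str):
        groups = [groups]
    if not isinstance(groups, list):
        return False  # no groups claim in the token: deny
    allowed = MODEL_POLICY.get(model, set())  # unknown model: nobody
    return any(isinstance(g, str) and g in allowed for g in groups)

# Constructed sample claims (not real tokens).
NOW = 1_700_000_000
ALICE = {"iss": OIDC_ISSUER, "aud": OIDC_AUD, "exp": NOW + 300,
         "sub": "alice@example.com", "groups": ["Everyone", "AI-Power-Users"]}
BOB = dict(ALICE, sub="bob@example.com", groups=["Everyone"])

if __name__ == "__main__":
    for user in (ALICE, BOB):
        for model in MODEL_POLICY:
            print(user["sub"], model, may_use_model(user, model, now=NOW))
    print(claim_problems(dict(ALICE, iss="https://dev-123456.okta.com"), now=NOW))
```
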

    How does MFA work with Attach?

    MFA is enforced at the Okta login step, before tokens are issued. By the time a request reaches Attach, MFA has already been completed. Attach trusts Okta's verification—if a token exists and is valid, the user passed MFA.

    What about Okta's conditional access policies?

    Okta Sign-On Policies (device trust, network zones, risk-based auth) are evaluated during authentication. If a user passes those policies, they get a token. Attach then verifies and accepts that token—Okta's policies are already enforced.

    Ready to Use Okta with Your LLMs?

    Extend your workforce identity to AI in under 5 minutes.