Disable Basic Auth After SSO Setup: Admin Account Access?

·Jun 19, 2025 06:59 PM

Once I have SSO working, I can turn disable basic auth by setting the environment variablePHOENIX_DISABLE_BASIC_AUTH=true . Does this prevent me from signing in with the admin account?

3 comments

· Sorted by Oldest

RunLLM
APP
·
Yes, setting `PHOENIX_DISABLE_BASIC_AUTH=true` disables password authentication entirely, including for the default admin account; only OAuth2/SSO logins will be allowed. You will not be able to sign in with the admin account using a password when this is set—admin access must be provisioned via SSO or pre-created users with OAuth2 credentials. According to <https://github.com/Arize-ai/phoenix/pull/7582|the PR on OAuth2-only mode> and <https://github.com/Arize-ai/phoenix/blob/main/src/phoenix/config.py|the config documentation>, this is the intended behavior. Would you like more detail on how to provision admin access or migrate existing users to SSO? Sources: - <https://github.com/Arize-ai/phoenix/pull/7582|feat!: allow a oauth2 only mode> - <https://github.com/Arize-ai/phoenix/blob/main/src/phoenix/config.py|src/phoenix/config.py>
💡 Hint: Mention RunLLM in the thread for followups.
Brandon B.
·
RunLLM yes please explain how I use an SSO account as admin.
RunLLM
APP
·
To use an SSO account as an admin, you must pre-create the user in Phoenix with admin privileges before SSO login if `PHOENIX_OAUTH2_<IDP> _ALLOW_SIGN_UP=false` or if basic auth is disabled. This is done by setting the `PHOENIX_ADMINS` environment variable at deploy time to a semicolon-separated list of `username=email` pairs; Phoenix will create admin users for each if they do not already exist. After the SSO user logs in for the first time, their role can also be changed to admin by an existing Phoenix admin via the UI or management API. See <https://github.com/Arize-ai/phoenix/blob/main/docs/section-self-hosting/provisioning.md|provisioning docs> and <https://github.com/Arize-ai/phoenix/blob/main/docs/section-self-hosting/authentication.md|authentication docs>. Would you like a step-by-step example or more detail on user provisioning and role assignment? Sources: - <https://github.com/Arize-ai/phoenix/blob/main/docs/section-self-hosting/authentication.md|authentication.md> - <https://github.com/Arize-ai/phoenix/blob/main/docs/section-self-hosting/provisioning.md|provisioning docs>
💡 Hint: Mention RunLLM in the thread for followups.

RunLLM
APP
·
Yes, setting `PHOENIX_DISABLE_BASIC_AUTH=true` disables password authentication entirely, including for the default admin account; only OAuth2/SSO logins will be allowed. You will not be able to sign in with the admin account using a password when this is set—admin access must be provisioned via SSO or pre-created users with OAuth2 credentials. According to <https://github.com/Arize-ai/phoenix/pull/7582|the PR on OAuth2-only mode> and <https://github.com/Arize-ai/phoenix/blob/main/src/phoenix/config.py|the config documentation>, this is the intended behavior. Would you like more detail on how to provision admin access or migrate existing users to SSO? Sources: - <https://github.com/Arize-ai/phoenix/pull/7582|feat!: allow a oauth2 only mode> - <https://github.com/Arize-ai/phoenix/blob/main/src/phoenix/config.py|src/phoenix/config.py>
💡 Hint: Mention RunLLM in the thread for followups.
Brandon B.
·
RunLLM yes please explain how I use an SSO account as admin.
RunLLM
APP
·
To use an SSO account as an admin, you must pre-create the user in Phoenix with admin privileges before SSO login if `PHOENIX_OAUTH2_<IDP> _ALLOW_SIGN_UP=false` or if basic auth is disabled. This is done by setting the `PHOENIX_ADMINS` environment variable at deploy time to a semicolon-separated list of `username=email` pairs; Phoenix will create admin users for each if they do not already exist. After the SSO user logs in for the first time, their role can also be changed to admin by an existing Phoenix admin via the UI or management API. See <https://github.com/Arize-ai/phoenix/blob/main/docs/section-self-hosting/provisioning.md|provisioning docs> and <https://github.com/Arize-ai/phoenix/blob/main/docs/section-self-hosting/authentication.md|authentication docs>. Would you like a step-by-step example or more detail on user provisioning and role assignment? Sources: - <https://github.com/Arize-ai/phoenix/blob/main/docs/section-self-hosting/authentication.md|authentication.md> - <https://github.com/Arize-ai/phoenix/blob/main/docs/section-self-hosting/provisioning.md|provisioning docs>
💡 Hint: Mention RunLLM in the thread for followups.