Implementation:BerriAI Litellm Enterprise SSO Handler
| Attribute | Value |
|---|---|
| Sources | enterprise/litellm_enterprise/proxy/auth/custom_sso_handler.py |
| Domains | Authentication, SSO, Enterprise, Proxy Auth |
| Last Updated | 2026-02-15 16:00 GMT |
Overview
EnterpriseCustomSSOHandler provides enterprise custom SSO authentication for the LiteLLM proxy, enabling users to implement custom logic that extracts user identity from request headers when an OAuth proxy sits in front of LiteLLM.
Description
This class provides the handle_custom_ui_sso_sign_in static method, which enables a custom SSO flow:
- The method verifies the user holds a premium license.
- It checks that
user_custom_ui_sso_sign_in_handleris configured ingeneral_settings. - It delegates to the configured
CustomSSOLoginHandlerto process incoming request headers and return anOpenIDobject containing user identity (email, name, etc.). - It passes the
OpenIDobject toSSOAuthenticationHandler.get_redirect_response_from_openidto generate a redirect response with an authentication token that sends the user to the LiteLLM UI.
Use Case: When you have an external OAuth proxy (e.g., OAuth2 Proxy, Authelia) that has already authenticated the user and added custom headers (e.g., X-Forwarded-User, X-Forwarded-Email), this handler extracts that information and converts it into a LiteLLM authentication session.
This is an enterprise-only feature requiring a premium license.
Usage
Configure a custom_ui_sso_sign_in_handler in general_settings that implements CustomSSOLoginHandler. The handler will be invoked when users access the SSO sign-in flow.
Code Reference
Source Location
enterprise/litellm_enterprise/proxy/auth/custom_sso_handler.py
Signature
class EnterpriseCustomSSOHandler:
@staticmethod
async def handle_custom_ui_sso_sign_in(
request: Request,
) -> RedirectResponse: ...
Import
from litellm_enterprise.proxy.auth.custom_sso_handler import EnterpriseCustomSSOHandler
I/O Contract
Inputs
| Parameter | Type | Description |
|---|---|---|
request |
fastapi.Request |
The incoming FastAPI request object containing headers and other request data from the OAuth proxy. |
Outputs
| Output | Type | Description |
|---|---|---|
| Redirect response | RedirectResponse |
Redirects the user to the LiteLLM UI with an authentication token. |
Exceptions:
| Exception | Condition |
|---|---|
ValueError |
User is not a premium user. |
ValueError |
custom_ui_sso_sign_in_handler is not configured in general_settings.
|
Usage Examples
# proxy_config.yaml
general_settings:
custom_ui_sso_sign_in_handler: "my_sso_module.MyCustomSSOHandler"
# Custom SSO handler implementation
from litellm.integrations.custom_sso_handler import CustomSSOLoginHandler
from fastapi_sso.sso.base import OpenID
from fastapi import Request
class MyCustomSSOHandler(CustomSSOLoginHandler):
async def handle_custom_ui_sso_sign_in(self, request: Request) -> OpenID:
email = request.headers.get("X-Forwarded-Email")
name = request.headers.get("X-Forwarded-User")
return OpenID(email=email, display_name=name)
Related Pages
- BerriAI_Litellm_Enterprise_API_Key_Auth -- Enterprise API key authentication