Jump to content

Connect SuperML | Leeroopedia MCP: Equip your AI agents with best practices, code verification, and debugging knowledge. Powered by Leeroo — building Organizational Superintelligence. Contact us at founders@leeroo.com.

Implementation:BerriAI Litellm Enterprise SSO Handler

From Leeroopedia
Attribute Value
Sources enterprise/litellm_enterprise/proxy/auth/custom_sso_handler.py
Domains Authentication, SSO, Enterprise, Proxy Auth
Last Updated 2026-02-15 16:00 GMT

Overview

EnterpriseCustomSSOHandler provides enterprise custom SSO authentication for the LiteLLM proxy, enabling users to implement custom logic that extracts user identity from request headers when an OAuth proxy sits in front of LiteLLM.

Description

This class provides the handle_custom_ui_sso_sign_in static method, which enables a custom SSO flow:

  1. The method verifies the user holds a premium license.
  2. It checks that user_custom_ui_sso_sign_in_handler is configured in general_settings.
  3. It delegates to the configured CustomSSOLoginHandler to process incoming request headers and return an OpenID object containing user identity (email, name, etc.).
  4. It passes the OpenID object to SSOAuthenticationHandler.get_redirect_response_from_openid to generate a redirect response with an authentication token that sends the user to the LiteLLM UI.

Use Case: When you have an external OAuth proxy (e.g., OAuth2 Proxy, Authelia) that has already authenticated the user and added custom headers (e.g., X-Forwarded-User, X-Forwarded-Email), this handler extracts that information and converts it into a LiteLLM authentication session.

This is an enterprise-only feature requiring a premium license.

Usage

Configure a custom_ui_sso_sign_in_handler in general_settings that implements CustomSSOLoginHandler. The handler will be invoked when users access the SSO sign-in flow.

Code Reference

Source Location

enterprise/litellm_enterprise/proxy/auth/custom_sso_handler.py

Signature

class EnterpriseCustomSSOHandler:
    @staticmethod
    async def handle_custom_ui_sso_sign_in(
        request: Request,
    ) -> RedirectResponse: ...

Import

from litellm_enterprise.proxy.auth.custom_sso_handler import EnterpriseCustomSSOHandler

I/O Contract

Inputs

Parameter Type Description
request fastapi.Request The incoming FastAPI request object containing headers and other request data from the OAuth proxy.

Outputs

Output Type Description
Redirect response RedirectResponse Redirects the user to the LiteLLM UI with an authentication token.

Exceptions:

Exception Condition
ValueError User is not a premium user.
ValueError custom_ui_sso_sign_in_handler is not configured in general_settings.

Usage Examples

# proxy_config.yaml
general_settings:
  custom_ui_sso_sign_in_handler: "my_sso_module.MyCustomSSOHandler"
# Custom SSO handler implementation
from litellm.integrations.custom_sso_handler import CustomSSOLoginHandler
from fastapi_sso.sso.base import OpenID
from fastapi import Request

class MyCustomSSOHandler(CustomSSOLoginHandler):
    async def handle_custom_ui_sso_sign_in(self, request: Request) -> OpenID:
        email = request.headers.get("X-Forwarded-Email")
        name = request.headers.get("X-Forwarded-User")
        return OpenID(email=email, display_name=name)

Related Pages

Page Connections

Double-click a node to navigate. Hold to expand connections.
Principle
Implementation
Heuristic
Environment