ChatGPT/OpenAI

Here are some hints for integrating Shibboleth as the IdP for SAML-based login to ChatGPT.

  • OpenAI is using Okta on the back end. Their admin interface doesn’t currently provide access to their Relying Party metadata. However, you can access metadata if you extract the “connection” parameter from the ACS URL. Using that string you can retrieve metadata, including certificates, from:

    https://auth0.openai.com/samlp/metadata?connection={connection string}
  • A complication to think through when enabling SAML access to ChatGPT is that there are three authentication options: SAML, Social (Google, Apple, Windows), and Password. Enabling certain SAML options will impact existing users that have previously registered personal accounts (free or subscription) with OpenAI.

    • OpenAI may be able to provide you with a diagram showing how the authentication options interact and the impact of the available settings (“Anyone using email addresses with a verified domain can log in via SAML SSO.”, “Enforce SSO”). If OpenAI can provide such a diagram, it will probably be extraordinarily helpful.

    • OpenAI may be able to provide you with information about pre-existing personal accounts. If the email domain of the accounts matches the domain you are configuring for SAML, the personal accounts may be impacted when SAML is enabled.
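
The metadata hint in the first bullet, as an added example (not OpenAI's or Shibboleth's own code): it builds the metadata URL from the ACS URL's “connection” parameter, then summarizes the Relying Party metadata so the entityID, ACS endpoint and certificate fingerprints can be reviewed before they go into the IdP configuration. The ACS path, connection string, entityID and certificate bytes are constructed sample values, and the function names are hypothetical.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

METADATA_BASE = "https://auth0.openai.com/samlp/metadata"  # URL given in the hint above
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample values (assumptions), not real OpenAI data.
SAMPLE_ACS = "https://auth0.openai.com/login/callback?connection=example-conn-123"
SAMPLE_CERT = base64.b64encode(b"constructed-cert-bytes").decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="urn:example:sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{SAMPLE_CERT}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:AssertionConsumerService index="0"
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="{SAMPLE_ACS}"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def metadata_url(acs_url):
    """Build the metadata URL from the 'connection' query parameter of the ACS URL."""
    values = parse_qs(urlsplit(acs_url).query).get("connection", [])
    if len(values) != 1 or not values[0]:
        raise ValueError("ACS URL must carry exactly one 'connection' parameter")
    return METADATA_BASE + "?" + urlencode({"connection": values[0]})

def summarize(metadata_xml, acs_url):
    """Return entityID, ACS endpoints and SHA-256 certificate fingerprints for review."""
    root = ET.fromstring(metadata_xml)  # assumes the root element is an EntityDescriptor
    acs = [(e.get("Binding"), e.get("Location"))
           for e in root.iterfind(".//md:AssertionConsumerService", NS)]
    certs = []
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        for c in kd.iterfind(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(c.text.split()))  # strip line wrapping first
            certs.append((kd.get("use"), hashlib.sha256(der).hexdigest()))
    # acs_matches flags metadata whose ACS differs from the one shown in the admin UI
    return {"entity_id": root.get("entityID"), "acs": acs, "certs": certs,
            "acs_matches": acs_url in [loc for _, loc in acs]}

if __name__ == "__main__":
    print(metadata_url(SAMPLE_ACS))
    print(summarize(SAMPLE_METADATA, SAMPLE_ACS))
```

Save the document fetched from the printed URL to a local file and pass its contents to summarize() in place of the sample.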