Give ChatGPT Enterprise a simple, self-hosted SSO identity provider without standing up a full auth platform.
Restrict login to users with an email address matching an approved domain suffix, like @example.edu.
Run a compact identity provider as a single binary with no external database to manage.
Deploy behind Nginx or Caddy for TLS, or use the server's built-in HTTPS support directly.
| fanhuacloud/go-sso | 0hardik1/kubesplaining | huoji120/code_review_agent | |
|---|---|---|---|
| Stars | 33 | 33 | 33 |
| Language | Go | Go | Go |
| Setup difficulty | moderate | easy | moderate |
| Complexity | 3/5 | 3/5 | 3/5 |
| Audience | ops devops | ops devops | developer |
Figures from each repo's GitHub metadata at analysis time.
Requires a publicly reachable HTTPS issuer URL, and a fixed private key file for stable production tokens.
This is a minimal single sign-on (SSO) server written in Go that implements the OpenID Connect (OIDC) protocol. It is designed specifically to act as the identity provider when connecting a self-hosted authentication system to ChatGPT Enterprise's SSO feature. The server is intentionally small: the whole project compiles to a single binary with no external database required. The way it works is straightforward. A user visits the server's login page and enters their email address and a fixed authorization code set in the server's configuration. If the email matches an allowed domain suffix (such as @example.edu) and the code is correct, the server signs a JWT token with an RSA key and returns it to the calling service. OpenAI's systems then verify that token against the server's public JWKS endpoint. All configuration lives in a single .env file. You set the OIDC issuer URL (which must be a publicly accessible HTTPS address for OpenAI to reach it), a client ID and secret, the allowed email suffixes, and the authorization code users must enter to log in. If you do not specify a private key file, the server generates a temporary RSA key on each startup, meaning the keys change after every restart. For production, the README recommends a fixed private key file. Optional features include Cloudflare Turnstile bot protection on the login page and direct HTTPS support built into the binary. The server can also run behind a reverse proxy like Nginx or Caddy, in which case it stays on HTTP internally and the proxy handles TLS. The README is written in Chinese. It covers running the server, building a Linux binary from Windows, configuring each .env value, applying for Cloudflare Turnstile keys, and both HTTPS options step by step. The issued ID tokens include the standard claims: sub, email, email_verified, given_name, and family_name.
A minimal, single-binary Go server that acts as an OpenID Connect identity provider so you can connect your own login system to ChatGPT Enterprise's SSO feature, with no external database needed.
Mainly Go. The stack also includes Go, OIDC, JWT.
Setup difficulty is rated moderate, with roughly 1h+ to a first successful run.
Mainly ops devops.
This repo across BitVibe Labs
Verify against the repo before relying on details.