
SAML SSO

sso_samlauth
disabled

Single sign-on via SAML 2.0.

A

Setup checklist

1. Choose your IdP
   Okta / Azure AD / Google Workspace / OneLogin / Auth0. Each has slightly different metadata URLs.
2. Create a new SAML application in your IdP
   Use these values. ACS URL: https://<your-install>/api/sso/saml/acs · Entity ID: https://<your-install>/api/sso/saml/metadata
3. Configure SAML attributes
   Required: email (NameID format = EmailAddress). Optional: first_name, last_name, role.
4. Download IdP metadata XML or copy the SSO URL + X.509 cert
   Paste into the form on this page.
5. Pick default role for JIT-provisioned users
   When SSO is on and a new user signs in, what role do they get by default? Override per-user later.
6. Test with one user account before forcing SSO org-wide
   Don't lock yourself out: keep email/password fallback enabled until tested.
B

Configuration

All credentials are encrypted at rest. The values shown above are masked; the real values are stored via a secret manager reference.

All fields

IdP entity ID*
IdP SSO URL*
IdP X.509 certificate*
Default role for new users*
Just-in-time user provisioning: create user on first successful SSO.
C

Test connection

Verify credentials with a real call to the provider.

Sends a test request with the current configuration. Doesn't enable the module — preview only.

E

Audit log

Every config change recorded with diff.
Timestamp | Actor | Change
2026-05-23 11:42 | Jagdish H. | config_update: smtp_host changed
2026-05-22 09:18 | Jagdish H. | module.enable
2026-05-22 09:14 | Jagdish H. | config_create: initial setup
⚠ 4 required fields empty