Docs › Authentication › Configuring SSO

Configuring Single Sign-On (SSO) for Your Team

Securely authenticate your team members using your organization's identity provider. This guide walks you through enabling SAML 2.0 or OIDC SSO in the Admin dashboard.

ℹ️

Prerequisites: You must be an Organization Admin to configure SSO. Supported IdPs include Okta, Azure AD, OneLogin, Auth0, and any SAML 2.0/OIDC compliant provider.

1. Prerequisites

Before configuring SSO, ensure you have the following information from your Identity Provider (IdP):

Identity Provider Metadata URL or XML Metadata File
SSO URL (SAML Assertion Consumer Service URL)
Issuer / Entity ID
X.509 Signing Certificate (for signature validation)
Attribute Mapping (Email, First Name, Last Name, Roles)

2. Create an Enterprise Application in Admin

Navigate to SSO Settings

Log into your Admin dashboard and go to Settings → Security → Single Sign-On. Click "Enable SSO" to begin configuration.

Choose Your Protocol

Select either SAML 2.0 or OpenID Connect (OIDC). Admin recommends SAML 2.0 for enterprise compliance, but OIDC is available for modern identity stacks.

3. Configure Identity Provider Settings

Enter the credentials and URLs provided by your IdP. For SAML 2.0, Admin uses the following ACS endpoint:

Endpoint

https://app.admin.com/auth/saml/acs

Required Attribute Mapping

Admin Field	IdP SAML Attribute	OIDC Claim	Required
Email	`email` or `mail`	`email`	✅ Yes
First Name	`firstName` or `given_name`	`given_name`	⚠️ Recommended
Last Name	`lastName` or `family_name`	`family_name`	⚠️ Recommended
Roles	`roles` (array)	`roles` (array)	⚠️ For auto-assignment

⚠️

Important: If your IdP doesn't send the email attribute, SSO will fail. Ensure your IdP is configured to include it in the assertion/ID token.

4. Validate & Test Configuration

Run Metadata Validation

Click "Validate Configuration" in the Admin dashboard. The system will verify your certificate, endpoints, and attribute mappings. A green checkmark indicates success.

Perform a Test Login

Use the "Test SSO" button to redirect to your IdP. Complete authentication and verify you're redirected back to Admin with the correct user profile.

CLI Test Command

admin-cli sso test --org-id=org_123 --env=production

5. Troubleshooting

Common Issues & Solutions

"Invalid SAML Response": Verify the Issuer/Entity ID matches exactly. Check clock skew (must be within 5 minutes).
"User not found": Ensure the email attribute matches an existing Admin user. Enable Just-In-Time (JIT) Provisioning if you want auto-creation.
"Certificate validation failed": Upload the latest X.509 public cert from your IdP. Certificates expire and must be rotated.

✅

Pro Tip: Enable Force Authentication (ForceAuthn=true) in your IdP to require re-authentication for sensitive Admin actions.

Need Help Configuring SSO?

Our enterprise security team can assist with IdP setup, attribute mapping, and compliance requirements.