Enterprise SSO (SAML / OIDC)

PropelAuth’s Enterprise SSO support allows your users to connect their organizations to their own identity provider, either through SAML or OIDC. We currently provide integrations for Google, Okta, Entra, OneLogin, JumpCloud, Duo, and Rippling. However, we also offer generic integrations that will work with any IdP that supports SAML or OIDC.

One of the best things about our Enterprise SSO integration is that your code doesn’t need to change at all when you close your first enterprise customer. SAML and OIDC are an implementation detail of how an organization manages their users within your product. Any code you write that deals with organizations will work, regardless of the method that organization uses to manage its members.

Enabling Enterprise SSO in Your Project

To enable Enterprise SSO for your PropelAuth project, navigate to the Enterprise SSO / SCIM page in your PropelAuth dashboard.

SAML Org Page

Enabling Enterprise SSO For Organizations

Once you've enabled Enterprise SSO at the project level, you can choose which of your organizations should have access by going to the Organizations page, selecting an organization, selecting Settings, and then toggling the "Can this organization set up SAML/OIDC?" setting.

SAML Org Page

You can also enable Enterprise SSO for organizations from the Enterprise SSO / SCIM page by opening the Organization-Specific Settings tab and then clicking the Manage Enterprise SSO by Organization button. The same page shows which organizations in your project have Enterprise SSO enabled.

Organization Specific Enterprise SSO Page

Alternatively, you can enable Enterprise SSO for an organization programmatically via the Enable SAML for Org API call.

Your Customers Configure their own Enterprise SSO

PropelAuth empowers your customers to set up Enterprise SSO themselves, providing them with a detailed guide for each of our IdP integrations.

Any user with the manage a SAML / Enterprise SSO connection for their organization permission can start the process of connecting to their identity provider. This starts in your user's account page in their organization's settings tab.

Account Page

Alternatively, you can navigate to an organization's settings page and click on the Generate Link button. This button will generate a link to allow an employee of an organization to set up Enterprise SSO. This link does not require authentication to access and is intended to be used by an employee of the org, such as a member of their IT team.

Generate Link Button

Mapping Roles via SAML

Your users also have the option to map roles from their IdP to your application. Each IdP is a bit different so we offer guides for each provider that we support. Most of the time, the mapping will occur either from using roles or groups. For example, if a user is an Owner for your app in Okta, they'll be mapped to the Owner role in your app.

Alternatively, if a user is a member of the role_Owner group in Okta, they'll be mapped to the Owner role in your app. The guides we provide for your users contain all the information they need (including the names of your roles) to map roles from their identity provider to your app.

Mapping roles via OIDC is not yet supported.

Editing Enterprise SSO Login Settings

SAML Settings

There are three different options for how the login experience will look for your Enterprise SSO users. You can select these options in the Enterprise SSO / SCIM page in the PropelAuth Dashboard.

  • By domain - The default option. When your users visit your login page, they'll first click a Sign in with SSO button. They'll be prompted to enter their email address. If the domain of the email address matches the Organization Domain (found in the org's settings page), they'll automatically be redirected to their identity provider.

  • By Org Name - Similar to the option above: the user first clicks a Sign in with SSO button. They'll then be prompted to enter the name of their organization, such as "Acme Inc". If there's a match, they'll automatically be redirected to their IdP to log in.

  • Default to SAML/OIDC login - You can also set SAML/OIDC as the default login method, meaning there is no Sign in with SSO button. Instead, PropelAuth automatically checks whether an email address belongs to a SAML/OIDC-enabled org. If it does not, it falls back to password login.

Default to SAML Login

Redirecting users directly to their Enterprise SSO provider

While our hosted pages have multiple ways to redirect your users to their IdP, sometimes you want to skip the hosted pages and redirect them directly to their Enterprise SSO provider. To do this, you can direct your users to {AUTH_URL}/api/fe/v3/login/saml and then include one of the following query parameters:

  • domain - Redirects the user to the SAML login page for an organization with a matching domain
  • email - Parses the domain from the email address and redirects the user to the SAML login page for an organization with a matching domain
  • org_id - Redirects the user to the SAML login page for the provided organization
  • org_name (case sensitive) - Redirects the user to the SAML login page for the provided organization

An example of this would look like so:

{AUTH_URL}/api/fe/v3/login/saml?email=test@acmeinc.com

If the provided organization has Enterprise SSO enabled, the user will be redirected to their IdP. Otherwise, it will fall back to redirecting the user to your login page.
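As an added illustration (not code from PropelAuth's SDKs), the helper below builds the direct-redirect URL described above. It enforces that exactly one selector is supplied, percent-encodes the value so that characters such as `@`, `+` or `&` in an email address cannot alter the query string, and keeps `org_name` unchanged because the endpoint matches it case-sensitively. `AUTH_URL` is a placeholder for your project's auth URL; the `/api/fe/v3/login/saml` path and the four parameter names are the ones given on this page.

```python
from typing import Optional
from urllib.parse import urlencode, urlparse

# Placeholder standing in for your PropelAuth project's {AUTH_URL}.
AUTH_URL = "https://auth.example.com"

SAML_LOGIN_PATH = "/api/fe/v3/login/saml"
# The selectors this endpoint accepts (from the list above).
SELECTORS = ("domain", "email", "org_id", "org_name")


def build_saml_login_url(auth_url: str, **selector: str) -> str:
    """Return {AUTH_URL}/api/fe/v3/login/saml?<selector>=<value>.

    Exactly one of domain, email, org_id or org_name must be given.
    The value is percent-encoded by urlencode, so user-supplied input
    cannot inject extra query parameters.
    """
    if len(selector) != 1 or next(iter(selector)) not in SELECTORS:
        raise ValueError(f"pass exactly one of {SELECTORS}")
    parsed = urlparse(auth_url)
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError("auth_url must be an absolute https URL")
    # org_name is matched case-sensitively by the endpoint, so it is passed
    # through unchanged; only percent-encoding is applied.
    return f"{parsed.scheme}://{parsed.netloc}{SAML_LOGIN_PATH}?{urlencode(selector)}"


def email_domain(email: str) -> Optional[str]:
    """Return the domain part of a well-formed address (lower-cased), else None.

    Useful when you want to pick the `domain` selector yourself instead of
    letting the endpoint parse the address from the `email` selector.
    """
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain or "@" in local or "." not in domain:
        return None
    return domain.lower()


if __name__ == "__main__":
    # Mirrors the example on this page: {AUTH_URL}/api/fe/v3/login/saml?email=test@acmeinc.com
    print(build_saml_login_url(AUTH_URL, email="test@acmeinc.com"))
    print(build_saml_login_url(AUTH_URL, domain=email_domain("Test@AcmeInc.com")))
```

Whichever selector you use, the endpoint still decides the outcome: if the matched organization has Enterprise SSO enabled the user lands at their IdP, otherwise they are sent to your normal login page, so the helper never needs to know which organizations are SSO-enabled.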

Generic SAML and OIDC

Don't see your customer's IdP on our supported list? Your users also have the option to connect to a generic SAML or OIDC provider.

Generic SAML

We guide your customers through three steps:

  1. We provide an ACS URL and SP Entity ID that can be entered into the identity provider during setup.

  2. We guide your users through mapping user attributes from the identity provider to your app.

  3. We require the user to provide the IdP SSO URL, Entity ID, and Certificate from the identity provider. Note that the names of these values may differ across providers.

Generic OIDC

We guide your customers through three steps:

  1. We require the user to provide the following fields:
     • Client ID
     • Client Secret
     • Authorize URL
     • Token URL
     • User Info URL
     • Whether PKCE should be used

  2. We provide a Redirect URI that can be entered into the identity provider during setup.

  3. We guide your users through mapping user attributes from the identity provider to your app.
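To show what the Generic OIDC fields are used for, here is an added, self-contained walk-through of the authorization-code flow they drive; it is illustrative code written for this page, not PropelAuth's implementation. `IDP_CONFIG` is a constructed sample with placeholder URLs, and `REDIRECT_URI` stands in for the Redirect URI the setup guide hands your customer. It builds the request to the Authorize URL (with `state` and, when enabled, a PKCE S256 challenge), checks the callback, and builds the form body for the Token URL, which is the only place the Client Secret appears. The PKCE helper is checked against the test vector in RFC 7636 Appendix B.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Constructed sample of the fields the Generic OIDC setup asks for.
# All URLs are placeholders, not a real identity provider.
IDP_CONFIG = {
    "client_id": "example-client-id",
    "client_secret": "example-client-secret",
    "authorize_url": "https://idp.example.com/oauth2/authorize",
    "token_url": "https://idp.example.com/oauth2/token",
    "user_info_url": "https://idp.example.com/oauth2/userinfo",
    "use_pkce": True,
}
# Placeholder for the Redirect URI the service provider gives the customer.
REDIRECT_URI = "https://auth.example.com/oidc/callback"


def b64url(raw: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def pkce_challenge(code_verifier: str) -> str:
    """S256 code challenge: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


def new_code_verifier() -> str:
    """High-entropy verifier: 32 random bytes encode to 43 characters."""
    return b64url(secrets.token_bytes(32))


def build_authorize_request(config, redirect_uri, scopes=("openid", "email", "profile")):
    """Return (authorize_url_with_params, per_login_session_state).

    The client secret is deliberately absent: it is only sent
    server-to-server to the Token URL. `state` lets the callback handler
    reject responses it did not initiate; the PKCE verifier ties the
    authorization code to this particular client session.
    """
    state = b64url(secrets.token_bytes(16))
    params = {
        "response_type": "code",
        "client_id": config["client_id"],
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
    }
    session = {"state": state}
    if config["use_pkce"]:
        verifier = new_code_verifier()
        params["code_challenge"] = pkce_challenge(verifier)
        params["code_challenge_method"] = "S256"
        session["code_verifier"] = verifier  # kept server-side, never sent yet
    return f"{config['authorize_url']}?{urlencode(params)}", session


def build_token_request(config, redirect_uri, session, callback_params):
    """Validate the IdP callback and return the form body for the Token URL.

    Raises ValueError when `state` does not match the value stored when the
    flow started, or when no authorization code came back.
    """
    if not secrets.compare_digest(str(callback_params.get("state", "")), session["state"]):
        raise ValueError("state mismatch: rejecting callback")
    if "code" not in callback_params:
        raise ValueError("no authorization code in callback")
    body = {
        "grant_type": "authorization_code",
        "code": callback_params["code"],
        "redirect_uri": redirect_uri,
        "client_id": config["client_id"],
        "client_secret": config["client_secret"],
    }
    if config["use_pkce"]:
        # The IdP hashes this and compares it with the challenge it stored.
        body["code_verifier"] = session["code_verifier"]
    return body


if __name__ == "__main__":
    url, session = build_authorize_request(IDP_CONFIG, REDIRECT_URI)
    print("redirect the browser to:", url)
    # Simulated callback from the IdP (constructed; no network involved).
    callback = {"code": "constructed-auth-code", "state": session["state"]}
    print("POST to token_url with:", build_token_request(IDP_CONFIG, REDIRECT_URI, session, callback))
```

After the token response arrives, the User Info URL is called with the access token to fetch the claims that the attribute-mapping step (step 3 above) maps onto your app's user properties.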

Common Questions from Customers

Did your customer send you a questionnaire about your Enterprise SSO? If so, you've come to the right place! We'll try to cover common questions you may receive from your customers here.

Which IdPs do you support for SAML?

We support and provide SAML integration guides for the following IdPs:

  • Google
  • Okta
  • Entra ID (formerly Azure)
  • OneLogin
  • JumpCloud
  • Duo
  • Rippling
  • We also support most IdPs via our Generic SAML support.

Which IdPs do you support for OIDC?

We support and provide OIDC integration guides for the following IdPs:

  • Google
  • Okta
  • Entra ID (formerly Azure)
  • OneLogin
  • JumpCloud
  • We also support most IdPs via our Generic OIDC support.

Which IdPs do you support for SCIM?

  • Okta
  • Entra ID (formerly Azure)
  • OneLogin
  • JumpCloud

Do you support Just-In-Time provisioning or SCIM provisioning?

We support both! When your customer enables and configures SAML or OIDC with their IdP they are using Just-In-Time (JIT) provisioning. If they were to enable and configure SCIM, provisioning will happen in real time instead of JIT. Here is some more information on JIT provisioning.

Do you support SP initiated logins, IdP initiated logins, or both?

We support both SP and IdP initiated logins.

Do you support mapping roles from the IdP to your app?

Yes, we do! Each of our IdP-specific SAML and SCIM guides show how to map roles to your app. Since each IdP handles this a bit differently, we recommend taking a look at our SAML Setup Guide Examples for more information.

Which user attributes are mapped from the IdP to your app?

The SAML Setup Guides will automatically provide your customers a list of all the user attributes that are enabled to be collected by SAML. To update the list of attributes to be collected, navigate to your User Properties page, select a property, and look for the Collect via SAML/SCIM toggle.

Do you support provisioning by group membership?

Technically this is all handled by the IdP and not us. But if your customer asks, you can tell them yes!

Do you support pushing groups to your application?

We support pushing groups to your application when SCIM is configured.

What is your ACS URL?

This is automatically generated and provided to your users in the SAML Setup Guides.

What is the Audience URI or Entity ID?

This is automatically generated and provided to your users in the SAML Setup Guides.

What is the Relay State URL?

A Relay State URL is not required for Enterprise SSO and currently not supported. If your customer is asking, you can tell them to keep the field empty.

OIDC URL not supported

Is one of your users running into a "OIDC URL not supported" error when setting up a Generic OIDC connection? If so, please send us an email at support@propelauth.com along with the URLs they're using.