Enterprise SSO - Customer Facing Documentation

Did your customer send you a questionnaire about your Enterprise SSO? Or are you looking to add Enterprise SSO documentation to your docs? Here are some answers to common questions your customer may be asking, as well as copyable markdown that you can add to your customer-facing documentation.

Some sections of the documentation below depend on your PropelAuth project configuration as well as your own preferences. These sections will be flagged with a note.

Enterprise SSO Support

Enterprise SSO lets you and your team log in to our application using your IdP credentials, such as Azure / Entra, Okta, OneLogin, and more.

Configuring Enterprise SSO for your Organization

Users with the {ROLE_WITH_THE_ENTERPRISE_SSO_PERMISSION} role can navigate to their organization's account page and click on the Enable Enterprise SSO button to configure Enterprise SSO.

You'll then be prompted to choose which IdP you want to integrate with. Clicking on any option will redirect you to a guide on how to integrate, including how to map roles and user properties. These guides will also provide you with the information you need to enter into your IdP, such as an ACS URL, Entity ID, callback URL, etc.

Do you support Just-In-Time provisioning or SCIM provisioning?

We support both! When your customer enables and configures SAML or OIDC with their IdP, they are using Just-In-Time (JIT) provisioning. If they enable and configure SCIM, provisioning happens in real time instead of JIT.

Do you support SP initiated logins, IdP initiated logins, or both?

We support both SP and IdP initiated logins.

Do you support mapping roles from the IdP to your app?

Yes, we do! Each of our IdP-specific SAML and SCIM guides provides directions on how to map roles from your IdP to our application.

Which user attributes are mapped from the IdP to your app?

Our Enterprise SSO guides will provide directions on how to map the following user properties from your IdP to our application:

  1. Email
  2. First Name
  3. Last Name

Do you support provisioning by group membership?

Yes, we do! We also support mapping roles based on group membership as long as your IdP supports it.

Do you support pushing groups to your application?

We support pushing groups to our application when SCIM is configured.

Can we restrict members of an org with Enterprise SSO enabled from logging in via other methods?

We do this automatically for you! Once an org has Enterprise SSO enabled, members of that org (or users who share the same email domain as the org) will not be able to log in via other methods, such as email/password or magic link.

SAML

Supported IdPs

We provide SAML integration guides for the following IdPs:

  • Google
  • Okta
  • Entra ID (formerly Azure)
  • OneLogin
  • JumpCloud
  • Duo
  • Rippling
  • We also support most IdPs via our Generic SAML support. If your IdP supports SAML 2.0, we can almost certainly integrate with it.

SAML Version Support

We support SAML 2.0.

AuthnRequest Support

We do not sign the AuthnRequest. The responses or assertions from your IdP are signed, and you provide the certificate for them during the setup process.

ACS URL

You can find the ACS URL in our Enterprise SSO setup guides.

Audience URI / Entity ID

You can find the Audience URI/Entity ID in our Enterprise SSO setup guides.

Relay State URL

A Relay State URL is not required for Enterprise SSO and is currently not supported.

metadata.xml file

Some IdPs require a metadata.xml file to be uploaded to their system from the service provider. Generating this file can be done by following these steps:

  1. Complete the Enterprise SSO setup guide. You can always go back and edit your configuration later.
  2. On the last page of the guide click the Finish & Go Live button.
  3. A login URL will be provided like so: {YOUR_AUTH_URL}/saml/{ORG_SLUG}/login.
  4. Change /login to /metadata and then navigate to it to download the XML file.
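
For IdP administrators who want to script steps 3 and 4 and check the downloaded file before uploading it, here is an added example; it is not PropelAuth's own code. The host auth.example.com, the org slug acme, and the sample metadata (including its ACS path) are constructed for illustration, and the file you download may contain different elements.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample of SAML 2.0 SP metadata; the file you download may differ.
SAMPLE_METADATA = b"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://auth.example.com/saml/acme/metadata">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://auth.example.com/saml/acme/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def metadata_url(login_url: str) -> str:
    """Step 4: swap the trailing /login path segment for /metadata."""
    parts = urlsplit(login_url)
    if parts.scheme != "https":
        raise ValueError("login URL must use https")
    path = parts.path.rstrip("/")
    if not path.endswith("/login"):
        raise ValueError("expected a URL ending in /login")
    return urlunsplit((parts.scheme, parts.netloc, path[:-len("/login")] + "/metadata", "", ""))


def summarize_sp_metadata(xml_bytes: bytes) -> dict:
    """Pull out the values an IdP admin compares against the setup guide."""
    # Refuse DTDs and entity declarations before handing the bytes to the parser.
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("DTDs are not expected in SAML metadata")
    root = ET.fromstring(xml_bytes)
    if root.tag != "{%s}EntityDescriptor" % MD_NS["md"]:
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    sp = root.find("md:SPSSODescriptor", MD_NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not SP metadata")
    acs = [(e.get("Binding"), e.get("Location"))
           for e in sp.findall("md:AssertionConsumerService", MD_NS)]
    return {
        "entity_id": root.get("entityID"),
        "authn_requests_signed": sp.get("AuthnRequestsSigned", "false") in ("true", "1"),
        "acs": acs,
    }
```

Pass the bytes of the file downloaded from the /metadata URL to summarize_sp_metadata and compare the entity ID and ACS locations with the values shown in the setup guide before uploading the file to the IdP.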

OIDC

Supported IdPs

We provide OIDC integration guides for the following IdPs:

  • Google
  • Okta
  • Entra ID (formerly Azure)
  • OneLogin
  • JumpCloud
  • We also support most IdPs via our Generic OIDC support.

Callback URL

The Callback URL for OIDC is {YOUR_AUTH_URL}/eoidc/callback

SCIM

Supported IdPs

  • Okta
  • Entra ID (formerly Azure)
  • OneLogin
  • JumpCloud

SCIM URL and SCIM API Key

You can find the SCIM URL and SCIM API Key in our Enterprise SSO setup guides.