Skip to Content
Admin ConsoleEnterprise SSO

Enterprise SSO Configuration

Enterprise SSO allows organizations to use their corporate identity provider — Okta, Azure AD, Google Workspace, OneLogin, and others — to authenticate users in Auris. Instead of managing separate Auris credentials, users sign in through their employer’s existing login page and are automatically granted access to your application.

SSO connections are configured per-organization. Each organization can have one or more SSO connections (for example, SAML for the main workforce and OIDC for a subsidiary using a different IdP).

Access via ConsoleOrganizations → select an organization → Enterprise SSO tab.


Creating an SSO Connection

Open the organization detail page

Go to ConsoleOrganizations and click on the organization you want to configure SSO for.

Click the Enterprise SSO tab (the fourth tab on the organization detail page).

Click Add SSO Connection

Click the Add SSO Connection button.

Select the connection type

Choose SAML 2.0 or OIDC depending on what your customer’s identity provider supports. Most enterprise IdPs support both, but SAML is more common in large organizations.

Enter a connection name

Give the connection a descriptive name (for example, “Acme Corp Okta SAML”, “Contoso Azure AD OIDC”). This name is for administrative reference only and is not shown to end users.

Configure provider-specific settings

Fill in the settings for your chosen protocol. See the configuration tables below.

Save

Click Save. The connection is created in Inactive status. You must activate it after testing.


SAML 2.0 Configuration

When creating or editing a SAML 2.0 connection, the following fields are available:

FieldRequiredDescription
SSO URLYesThe IdP’s Single Sign-On URL (also called “Login URL” or “SSO Service URL”). This is where Auris redirects the user to authenticate.
Entity IDYesThe IdP’s Entity ID, also called the “Issuer”. A unique identifier for the identity provider, typically a URL.
CertificateYesThe IdP’s X.509 signing certificate in PEM format. Auris uses this to verify that SAML assertions are genuinely from the IdP.
Name ID FormatNoThe format of the user identifier in the SAML assertion. Default: emailAddress. Alternative: persistent (opaque identifier).
Sign AuthnRequestNoWhether Auris should sign its SAML authentication request. Some IdPs require signed requests. Default: off.

Where to find these values in your IdP:

  • Okta: Go to Applications → your SAML app → Sign On tab → View SAML setup instructions
  • Azure AD: Go to Enterprise Applications → your app → Single sign-on → SAML configuration
  • Google Workspace: Go to Admin Console → Apps → Web and mobile apps → your SAML app → Service provider details

After saving, Auris provides the following values that you need to enter in the IdP:

Auris ValueWhere to Enter in IdP
ACS URL (Assertion Consumer Service)Reply URL / ACS URL field
Entity ID / AudienceSP Entity ID / Audience Restriction field
Metadata URLSP Metadata URL (if the IdP supports automatic configuration)

OIDC Configuration

When creating or editing an OIDC connection, the following fields are available:

FieldRequiredDescription
Discovery URLYesThe IdP’s OpenID Connect Discovery URL (.well-known/openid-configuration). Auris fetches the authorization, token, userinfo, and JWKS endpoints from this URL automatically.
Client IDYesThe Client ID assigned to Auris by the IdP when you register it as an application.
Client SecretYesThe Client Secret assigned to Auris. Stored encrypted in the Auris database.
ScopesNoThe OpenID scopes to request during authentication. Default: openid email profile. Add additional scopes if you need custom claims.

Where to find these values:

  • Azure AD: App registrations → your app → Overview (Client ID) + Certificates & secrets (Client Secret) + Endpoints (Discovery URL)
  • Okta: Applications → your OIDC app → General tab (Client ID, Client Secret) + Issuer URI + /.well-known/openid-configuration
  • Google Workspace: Google Cloud Console → APIs & Services → Credentials → OAuth 2.0 Client. Discovery URL: https://accounts.google.com/.well-known/openid-configuration

After saving, Auris provides a Redirect URI that you must add to the IdP’s allowed redirect URIs list.


Connection Status

Each SSO connection has a status badge:

StatusBadge ColorMeaning
InactiveGrayThe connection is saved but not active. Users cannot log in via this connection.
TestingYellowThe connection is configured and available for test logins but is not the default for the organization’s domains.
ActiveGreenThe connection is live. Users matching verified domains are automatically redirected to this IdP.
ErrorRedThe connection encountered a configuration error (for example, expired certificate, unreachable discovery URL).

Testing an SSO Connection

Before activating a connection for all users, test it to verify the configuration is correct.

Click Test Connection

On the SSO connection detail, click the Test Connection button.

Authenticate with the IdP

A new browser window opens with the identity provider’s login page. Sign in with a test account.

Review the test results

After successful authentication, the test window displays the attributes received from the IdP:

AttributeDescription
Subject / Name IDThe user identifier returned by the IdP
EmailThe user’s email address
First NameGiven name (if provided)
Last NameFamily name (if provided)
Groups / RolesAny group or role claims (if configured in the IdP)
Raw AssertionThe full SAML assertion or OIDC ID token (expandable, for debugging)

Verify the attributes

Confirm that the email, name, and other attributes are correct. If attributes are missing, check the IdP’s attribute mapping or claims configuration.

If the test fails, the window shows the error message. Common failure reasons are listed in the Troubleshooting section below.


Domain Verification

Domain verification links email domains to SSO connections. When a user enters their email on the hosted login page, Auris checks whether the email domain is verified for an SSO connection. If it is, the user is automatically redirected to the corporate IdP — no manual “Sign in with SSO” button required.

Adding a Domain

Click Add Domain

On the Enterprise SSO tab, click Add Domain in the Verified Domains section.

Enter the domain

Enter the email domain (for example, acme.com, contoso.io). Do not include the @ symbol.

Copy the DNS TXT record

Auris generates a verification record that you (or your customer’s IT team) must add to the domain’s DNS:

_auris-verification.acme.com TXT "auris-verify=abc123def456ghi789"

Copy the full record value.

Add the TXT record to DNS

In the domain’s DNS management panel (Cloudflare, Route 53, GoDaddy, etc.), create a new TXT record with:

  • Host / Name: _auris-verification
  • Value: auris-verify=abc123def456ghi789 (the value from the previous step)
  • TTL: 3600 (or default)

Click Verify

After the DNS record has propagated (typically 1-15 minutes), click the Verify button next to the domain. Auris performs a DNS TXT lookup to confirm the record exists.

Domain Status

StatusBadge ColorMeaning
PendingYellowThe domain has been added but not yet verified. The DNS TXT record has not been confirmed.
VerifiedGreenDNS verification succeeded. Users with this email domain are redirected to the SSO connection.
FailedRedDNS verification failed. The TXT record was not found. Check DNS propagation and record values.

DNS propagation can take up to 48 hours in some cases, though most providers propagate within minutes. If verification fails, wait a few minutes and try again. Use a tool like dig _auris-verification.acme.com TXT to check whether the record is visible.


SSO Login Detection

When a user enters their email on the Auris hosted login page, the following flow occurs:

  1. The user types their email address and clicks Continue (or the email field loses focus)
  2. Auris calls the SSO detection endpoint with the email domain
  3. If the domain is verified and linked to an active SSO connection, the user is automatically redirected to the corporate IdP
  4. After authenticating with the IdP, the user is redirected back to Auris
  5. Auris processes the SAML assertion or OIDC callback and issues an Auris session

This detection is transparent to the user — they simply enter their email and are redirected to their company’s login page.

POST/api/auth/sso/detect

Just-In-Time (JIT) Provisioning

When a user logs in via SSO for the first time and does not have an existing Auris account, Auris automatically creates one. This is called Just-In-Time provisioning.

The provisioned user account is populated with:

  • Email: From the SAML Name ID or OIDC email claim
  • First Name / Last Name: From the SAML attributes or OIDC profile claims
  • Organization membership: Automatically added to the organization that owns the SSO connection
  • Roles: Default roles for the organization (configurable in the organization settings)

JIT provisioning means you do not need to pre-create user accounts for SSO users. The first login creates everything automatically.

SSO users do not have an Auris password. They authenticate exclusively through their corporate IdP. This means SSO users cannot use the “Forgot Password” flow — there is no password to reset. If an SSO user needs to log in without their IdP (for example, during an IdP outage), an administrator must manually set a password for them in Console → Users.


Managing SSO Connections

Activating and Deactivating

Toggle the Active switch on any connection to enable or disable it. Deactivating a connection prevents users from logging in via that IdP but preserves the configuration. This is useful during IdP maintenance or when troubleshooting issues.

Deleting a Connection

Click Delete on a connection to permanently remove it. A confirmation dialog appears — type the connection name to confirm. Deleting a connection does not delete the users who were provisioned through it.

Connection Statistics

The connection detail view shows:

MetricDescription
Last LoginTimestamp of the most recent SSO authentication through this connection
Total SSO LoginsCumulative count of successful SSO authentications
Error CountNumber of failed SSO attempts (certificate errors, misconfigurations, etc.)

IdP Setup Quick Reference

Okta (SAML)

  1. In Okta Admin, go to ApplicationsCreate App IntegrationSAML 2.0
  2. Set the Single sign-on URL to the ACS URL from the Auris Console
  3. Set the Audience URI (SP Entity ID) to the Entity ID from the Auris Console
  4. Under Attribute Statements, map email, firstName, lastName
  5. Copy the Identity Provider SSO URL, Entity ID, and download the Certificate
  6. Paste these into the Auris Console SAML connection form

Azure AD (SAML)

  1. In Azure Portal, go to Enterprise ApplicationsNew ApplicationCreate your own
  2. Select Integrate any other application and name it
  3. Go to Single sign-onSAML
  4. Set Reply URL (ACS) to the ACS URL from Auris
  5. Set Identifier (Entity ID) to the Entity ID from Auris
  6. Download the Certificate (Base64) and copy the Login URL and Azure AD Identifier
  7. Paste these into the Auris Console SAML connection form

Google Workspace (SAML)

  1. In Google Admin Console, go to AppsWeb and mobile appsAdd appAdd custom SAML app
  2. Copy the SSO URL and download the Certificate
  3. Set the ACS URL and Entity ID from the Auris Console
  4. Map the email, firstName, lastName attributes
  5. Paste the SSO URL and Certificate into the Auris Console

Troubleshooting

IssueCauseResolution
”Invalid SAML response”Certificate mismatch — the IdP’s signing certificate has been rotatedDownload the new certificate from the IdP and update it in the Auris Console
”Discovery URL unreachable”The OIDC discovery endpoint is not accessible from the Auris serverVerify the URL is correct and that the Auris server can reach it (check firewall rules)
User created but no nameThe IdP is not sending name attributesConfigure attribute statements / claims in the IdP to include firstName and lastName
”Redirect URI mismatch” (OIDC)The redirect URI in the IdP does not match the one Auris providesCopy the exact Redirect URI from the Auris Console and add it to the IdP’s allowed redirect URIs
Domain verification failsDNS TXT record not foundVerify the record exists with dig or nslookup. Check for typos in the record name and value. Wait for DNS propagation.
Users not redirected automaticallyDomain is not verified, or SSO connection is not ActiveVerify the domain status is Verified (green) and the connection status is Active (green)

Permissions

PermissionDescription
manage:sso_connectionsCreate, edit, delete, activate, and deactivate SSO connections. Manage domain verification.
view:sso_connectionsView SSO connections, domains, and statistics. Cannot modify configurations.