Skip to Content
GuidesAuthenticationEnterprise SSO

Enterprise SSO

Auris enables enterprise customers to authenticate using their existing corporate identity provider (IdP) — Azure Active Directory, Okta, Google Workspace, OneLogin, PingIdentity, or any SAML 2.0 or OIDC-compliant IdP.

SSO connections are scoped to organizations. Each organization in Auris can have one or more SSO connections, and the appropriate connection is detected automatically by the user’s email domain.


Overview

When a user with an email matching a verified domain attempts to sign in, Auris:

  1. Detects the SSO connection via the email domain
  2. Redirects the user to the corporate IdP login page
  3. Receives the SAML assertion or OIDC token from the IdP
  4. Maps IdP user attributes to Auris user fields
  5. Provisions the user account in Auris if it does not exist (JIT provisioning)
  6. Issues an Auris access token and refresh token

From your application’s perspective, the flow is identical to any other Auris login — you use the same SDK, the same callback URL, and receive the same token format.


SAML 2.0 Setup

Create an organization

Enterprise SSO connections are attached to organizations. If you have not already created an organization for the enterprise customer, go to Console → Organizations → Create Organization.

Open SSO configuration

Navigate to the organization’s detail page → Enterprise SSO tab → Add ConnectionSAML 2.0.

Configure your SAML IdP

In your IdP’s admin interface, create a new SAML application. You will need the following Auris values (displayed in the Console after selecting SAML 2.0):

FieldValue
Entity ID (Audience URI)https://auth.yourdomain.com/saml/{connectionId}
ACS URL (Reply URL)https://auth.yourdomain.com/api/auth/sso/callback/{connectionId}
Name ID Formaturn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

Enter IdP metadata in Auris Console

From your IdP, obtain:

  • Metadata URL or Metadata XML — Auris uses this to extract the IdP entity ID, SSO URL, and signing certificate
  • Or enter the SSO URL, Entity ID, and Certificate manually

Configure attribute mapping

Map SAML attributes to Auris user fields. Common mappings:

Auris FieldCommon SAML Attribute
Emailhttp://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress or email
First Namehttp://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname or firstName
Last Namehttp://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname or lastName
Usernamehttp://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Activate the connection

Click Activate. The connection status changes to Active. Test by clicking Test Connection, which opens the IdP login page in a new tab.


OIDC Provider Setup

Open SSO configuration

Navigate to the organization’s detail page → Enterprise SSO tab → Add ConnectionOIDC.

Register Auris in your OIDC Provider

In your IdP (e.g., Azure AD, Okta, Auth0, Google Workspace), register a new OIDC application:

  • Redirect URI: https://auth.yourdomain.com/api/auth/sso/callback/{connectionId}
  • Grant Type: Authorization Code
  • Token Endpoint Auth Method: client_secret_post

Copy the Client ID and Client Secret.

Enter OIDC configuration in Auris Console

Enter either:

  • Discovery URL (recommended): the OIDC .well-known/openid-configuration URL for your IdP — Auris fetches all endpoint URLs automatically
  • Or individual fields: Authorization Endpoint, Token Endpoint, Userinfo Endpoint, JWKS URI

Enter the Client ID and Client Secret from the previous step.

Configure scopes

The default scopes openid profile email are sufficient for most deployments. Add custom scopes if your IdP requires them to release additional attributes.

Activate and test

Click Activate, then Test Connection to verify the flow end-to-end.


Domain Verification

For SSO detection to work, you must verify ownership of the email domain(s) used by the organization’s members.

Add a domain

In the organization’s Enterprise SSO tab → DomainsAdd Domain. Enter the domain (e.g., acme.com).

Add the DNS TXT record

Auris generates a verification token. Add a TXT record to your domain’s DNS:

Type: TXT Name: _auris-verify.acme.com Value: auris-verify=abc123xyz456...

Trigger verification

After adding the DNS record, click Verify in the Console. Auris performs a DNS TXT record lookup and marks the domain as verified.

DNS propagation can take up to 48 hours, though it is typically under 5 minutes for most providers.

A single domain can only be verified for one organization across a tenant. Attempting to verify an already-claimed domain returns an error.


SSO Detection

Auris automatically detects SSO availability when a user enters their email on the hosted login page. The detection flow is also available as an API call for custom login UIs:

POST/api/auth/sso/detect

Check whether SSO is configured for an email domain. Body: { email: string }. Returns { ssoEnabled: boolean, connectionAlias?: string, provider?: 'saml' | 'oidc' }.

// Custom login UI: check for SSO before showing the password field async function checkSso(email) { const domain = email.split('@')[1] const response = await fetch('/api/auth/sso/detect', { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify({ email }), }) const data = await response.json() if (data.ssoEnabled) { // Redirect to SSO — skip the password field window.location.href = `/api/auth/sso/login/${data.connectionAlias}` } else { // Show password field showPasswordField() } }

JIT Provisioning

Just-in-time provisioning automatically creates a new Auris user account the first time an SSO user authenticates. This eliminates the need to pre-create accounts or synchronize user lists manually.

On first SSO login:

  • Auris creates a user account with the attributes mapped from the SAML assertion or OIDC token
  • The user is assigned any default roles configured for the organization
  • A user.created audit log event is recorded with source: 'sso_jit'

On subsequent SSO logins:

  • Auris updates the user’s attributes from the IdP (name, email) if they have changed
  • Role assignments from previous sessions are preserved
  • A user.login audit log event is recorded

To disable JIT provisioning: Toggle JIT Provisioning off in the SSO connection settings. With JIT disabled, users must be pre-created in Auris (manually or via SCIM) before they can use SSO.


Role Mapping

By default, SSO users receive no roles in Auris. You can configure automatic role assignment based on IdP group membership:

  1. In the SSO connection settings → Role Mapping tab
  2. Map IdP group values (from a groups SAML attribute or OIDC claim) to Auris roles
  3. Role mappings are applied on every login — if a user is removed from an IdP group, they lose the corresponding Auris role on their next login

Example mapping:

  • IdP group AurisAdmins → Auris role Administrator
  • IdP group AurisViewers → Auris role Viewer

API Endpoints

GET/api/organizations/:orgId/sso/connectionsRequires: view:sso_connections

List all SSO connections for an organization, including connection type, status, and domain associations.

POST/api/organizations/:orgId/sso/connectionsRequires: manage:sso_connections

Create a new SSO connection. Body includes type (saml or oidc), name, and type-specific configuration.

PATCH/api/organizations/:orgId/sso/connections/:idRequires: manage:sso_connections

Update SSO connection configuration or toggle active status.

DELETE/api/organizations/:orgId/sso/connections/:idRequires: manage:sso_connections

Delete an SSO connection. Users who authenticated via this connection retain their accounts but lose the SSO login method.

POST/api/organizations/:orgId/sso/domainsRequires: manage:sso_connections

Add a domain to an organization for SSO detection. Initiates the DNS verification process.

POST/api/organizations/:orgId/sso/domains/:domainId/checkRequires: manage:sso_connections

Trigger DNS TXT record verification for a pending domain.


Security Considerations

SAML signature verification — Auris validates SAML assertions using the IdP’s signing certificate. Unsigned or improperly signed assertions are rejected.

OIDC state and nonce — The OIDC flow uses a state parameter for CSRF protection and a nonce claim to prevent token replay.

Domain takeover protection — A verified domain can only be claimed by one organization per tenant. Re-verification after domain transfer requires explicit admin action.

Bypass prevention — Once a domain is verified and SSO is active, users with that email domain are directed to the SSO flow. They cannot bypass SSO and log in with a password unless the connection is deactivated.

If you deactivate an SSO connection for a domain, users from that domain may not be able to log in if their accounts have no password set (JIT-provisioned accounts have no password by default). Ensure users have an alternative login method before deactivating a connection.