Enterprise SSO
Auris enables enterprise customers to authenticate using their existing corporate identity provider (IdP) — Azure Active Directory, Okta, Google Workspace, OneLogin, PingIdentity, or any SAML 2.0 or OIDC-compliant IdP.
SSO connections are scoped to organizations. Each organization in Auris can have one or more SSO connections, and the appropriate connection is detected automatically by the user’s email domain.
Overview
When a user with an email matching a verified domain attempts to sign in, Auris:
- Detects the SSO connection via the email domain
- Redirects the user to the corporate IdP login page
- Receives the SAML assertion or OIDC token from the IdP
- Maps IdP user attributes to Auris user fields
- Provisions the user account in Auris if it does not exist (JIT provisioning)
- Issues an Auris access token and refresh token
From your application’s perspective, the flow is identical to any other Auris login — you use the same SDK, the same callback URL, and receive the same token format.
SAML 2.0 Setup
Create an organization
Enterprise SSO connections are attached to organizations. If you have not already created an organization for the enterprise customer, go to Console → Organizations → Create Organization.
Open SSO configuration
Navigate to the organization’s detail page → Enterprise SSO tab → Add Connection → SAML 2.0.
Configure your SAML IdP
In your IdP’s admin interface, create a new SAML application. You will need the following Auris values (displayed in the Console after selecting SAML 2.0):
| Field | Value |
|---|---|
| Entity ID (Audience URI) | https://auth.yourdomain.com/saml/{connectionId} |
| ACS URL (Reply URL) | https://auth.yourdomain.com/api/auth/sso/callback/{connectionId} |
| Name ID Format | urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress |
Enter IdP metadata in Auris Console
From your IdP, obtain:
- Metadata URL or Metadata XML — Auris uses this to extract the IdP entity ID, SSO URL, and signing certificate
- Or enter the SSO URL, Entity ID, and Certificate manually
Configure attribute mapping
Map SAML attributes to Auris user fields. Common mappings:
| Auris Field | Common SAML Attribute |
|---|---|
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress or email | |
| First Name | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname or firstName |
| Last Name | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname or lastName |
| Username | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Activate the connection
Click Activate. The connection status changes to Active. Test by clicking Test Connection, which opens the IdP login page in a new tab.
OIDC Provider Setup
Open SSO configuration
Navigate to the organization’s detail page → Enterprise SSO tab → Add Connection → OIDC.
Register Auris in your OIDC Provider
In your IdP (e.g., Azure AD, Okta, Auth0, Google Workspace), register a new OIDC application:
- Redirect URI:
https://auth.yourdomain.com/api/auth/sso/callback/{connectionId} - Grant Type: Authorization Code
- Token Endpoint Auth Method:
client_secret_post
Copy the Client ID and Client Secret.
Enter OIDC configuration in Auris Console
Enter either:
- Discovery URL (recommended): the OIDC
.well-known/openid-configurationURL for your IdP — Auris fetches all endpoint URLs automatically - Or individual fields: Authorization Endpoint, Token Endpoint, Userinfo Endpoint, JWKS URI
Enter the Client ID and Client Secret from the previous step.
Configure scopes
The default scopes openid profile email are sufficient for most deployments. Add custom scopes if your IdP requires them to release additional attributes.
Activate and test
Click Activate, then Test Connection to verify the flow end-to-end.
Domain Verification
For SSO detection to work, you must verify ownership of the email domain(s) used by the organization’s members.
Add a domain
In the organization’s Enterprise SSO tab → Domains → Add Domain. Enter the domain (e.g., acme.com).
Add the DNS TXT record
Auris generates a verification token. Add a TXT record to your domain’s DNS:
Type: TXT
Name: _auris-verify.acme.com
Value: auris-verify=abc123xyz456...Trigger verification
After adding the DNS record, click Verify in the Console. Auris performs a DNS TXT record lookup and marks the domain as verified.
DNS propagation can take up to 48 hours, though it is typically under 5 minutes for most providers.
A single domain can only be verified for one organization across a tenant. Attempting to verify an already-claimed domain returns an error.
SSO Detection
Auris automatically detects SSO availability when a user enters their email on the hosted login page. The detection flow is also available as an API call for custom login UIs:
/api/auth/sso/detectCheck whether SSO is configured for an email domain. Body: { email: string }. Returns { ssoEnabled: boolean, connectionAlias?: string, provider?: 'saml' | 'oidc' }.
// Custom login UI: check for SSO before showing the password field
async function checkSso(email) {
const domain = email.split('@')[1]
const response = await fetch('/api/auth/sso/detect', {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({ email }),
})
const data = await response.json()
if (data.ssoEnabled) {
// Redirect to SSO — skip the password field
window.location.href = `/api/auth/sso/login/${data.connectionAlias}`
} else {
// Show password field
showPasswordField()
}
}JIT Provisioning
Just-in-time provisioning automatically creates a new Auris user account the first time an SSO user authenticates. This eliminates the need to pre-create accounts or synchronize user lists manually.
On first SSO login:
- Auris creates a user account with the attributes mapped from the SAML assertion or OIDC token
- The user is assigned any default roles configured for the organization
- A
user.createdaudit log event is recorded withsource: 'sso_jit'
On subsequent SSO logins:
- Auris updates the user’s attributes from the IdP (name, email) if they have changed
- Role assignments from previous sessions are preserved
- A
user.loginaudit log event is recorded
To disable JIT provisioning: Toggle JIT Provisioning off in the SSO connection settings. With JIT disabled, users must be pre-created in Auris (manually or via SCIM) before they can use SSO.
Role Mapping
By default, SSO users receive no roles in Auris. You can configure automatic role assignment based on IdP group membership:
- In the SSO connection settings → Role Mapping tab
- Map IdP group values (from a
groupsSAML attribute or OIDC claim) to Auris roles - Role mappings are applied on every login — if a user is removed from an IdP group, they lose the corresponding Auris role on their next login
Example mapping:
- IdP group
AurisAdmins→ Auris roleAdministrator - IdP group
AurisViewers→ Auris roleViewer
API Endpoints
/api/organizations/:orgId/sso/connectionsRequires: view:sso_connectionsList all SSO connections for an organization, including connection type, status, and domain associations.
/api/organizations/:orgId/sso/connectionsRequires: manage:sso_connectionsCreate a new SSO connection. Body includes type (saml or oidc), name, and type-specific configuration.
/api/organizations/:orgId/sso/connections/:idRequires: manage:sso_connectionsUpdate SSO connection configuration or toggle active status.
/api/organizations/:orgId/sso/connections/:idRequires: manage:sso_connectionsDelete an SSO connection. Users who authenticated via this connection retain their accounts but lose the SSO login method.
/api/organizations/:orgId/sso/domainsRequires: manage:sso_connectionsAdd a domain to an organization for SSO detection. Initiates the DNS verification process.
/api/organizations/:orgId/sso/domains/:domainId/checkRequires: manage:sso_connectionsTrigger DNS TXT record verification for a pending domain.
Security Considerations
SAML signature verification — Auris validates SAML assertions using the IdP’s signing certificate. Unsigned or improperly signed assertions are rejected.
OIDC state and nonce — The OIDC flow uses a state parameter for CSRF protection and a nonce claim to prevent token replay.
Domain takeover protection — A verified domain can only be claimed by one organization per tenant. Re-verification after domain transfer requires explicit admin action.
Bypass prevention — Once a domain is verified and SSO is active, users with that email domain are directed to the SSO flow. They cannot bypass SSO and log in with a password unless the connection is deactivated.
If you deactivate an SSO connection for a domain, users from that domain may not be able to log in if their accounts have no password set (JIT-provisioned accounts have no password by default). Ensure users have an alternative login method before deactivating a connection.
Related Guides
- Organizations — Setting up organizations for B2B multi-tenancy
- Hosted Login (PKCE) — The OAuth2 flow your application uses (unchanged for SSO)
- User Management — Managing SSO-provisioned user accounts