Skip to Content
GuidesOrganizationsEnterprise SSO

Enterprise SSO per Organization

Enterprise Single Sign-On (SSO) allows each organization in Auris to delegate authentication to their own corporate identity provider. When a user logs in with an email address belonging to a verified domain, Auris automatically redirects them to their organization’s IdP instead of presenting the standard username/password form. After successful authentication at the IdP, the user is returned to Auris and either matched to an existing account or provisioned automatically via just-in-time (JIT) user creation.

This feature is designed for B2B SaaS products where enterprise customers require their employees to authenticate exclusively through company-managed credentials.


Supported Protocols

Auris supports two SSO protocols, both implemented via Keycloak’s identity broker functionality:

SAML 2.0 — Security Assertion Markup Language. Used by enterprise IdPs including Microsoft Azure AD (Entra ID), Okta, ADFS, Ping Identity, and Shibboleth. SAML uses XML-based assertions signed with X.509 certificates.

OIDC (OpenID Connect) — A modern identity layer on top of OAuth 2.0. Used by Google Workspace, Okta (as an OIDC provider), Microsoft Azure AD (also supports OIDC), and any OAuth 2.0 Authorization Server with an OIDC discovery endpoint.


Domain Verification

Before an SSO connection can be activated, the organization must prove ownership of the email domain. This prevents an organization from intercepting logins for a domain they do not own.

Verification uses a DNS TXT record:

  1. Auris generates a unique verification token for the domain.
  2. The organization’s DNS administrator creates a TXT record: _auris-verify.domain.com with the token as the value.
  3. An admin clicks “Verify” in the Console (or calls the verify API).
  4. Auris performs a DNS lookup for the TXT record and confirms the token matches.
POST/api/organizations/[orgId]/sso/domainsRequires: manage:sso_connections

Add a domain to verify for SSO. Returns the verification token to add to DNS.

{ "domain": "acme.com" }

Response:

{ "id": "dom_01HX...", "domain": "acme.com", "verificationToken": "auris-verify=a1b2c3d4e5f6...", "verificationMethod": "TXT", "status": "PENDING" }

DNS record to create:

_auris-verify.acme.com TXT "auris-verify=a1b2c3d4e5f6..."
POST/api/organizations/[orgId]/sso/domains/[domainId]/checkRequires: manage:sso_connections

Triggers a DNS verification check. Returns the updated domain status: PENDING, ACTIVE, or FAILED.

DNS propagation can take up to 48 hours, though most changes propagate within a few minutes. If verification fails immediately after adding the record, wait a few minutes and try again.


SAML 2.0 Setup

Obtain IdP metadata

From your customer’s IdP, retrieve either:

  • A Metadata URL — a URL that serves the IdP’s SAML metadata XML (preferred, as it auto-refreshes certificates)
  • A Metadata XML file — a downloaded copy of the metadata

The metadata contains the Entity ID, SSO URL, and signing certificate.

Create the SSO connection

POST/api/organizations/[orgId]/sso/connectionsRequires: manage:sso_connections

Creates a new SSO connection for the organization.

{ "type": "SAML", "name": "Acme Azure AD", "config": { "entityId": "https://sts.windows.net/tenant-id-here/", "ssoUrl": "https://login.microsoftonline.com/tenant-id/saml2", "certificate": "MIICIjANBgkq...", "signRequests": true, "nameIdFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" } }

SAML config fields:

FieldRequiredNotes
entityIdYesThe IdP’s Entity ID from its metadata
ssoUrlYesThe IdP’s SAML SSO endpoint URL
certificateYesThe IdP’s X.509 signing certificate (PEM-encoded, without headers)
signRequestsNoWhether to sign outbound SAML requests (default: true)
nameIdFormatNoPreferred NameID format. Defaults to emailAddress

Configure attribute mapping

Map SAML assertion attributes to Auris user fields:

{ "attributeMapping": { "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "firstName": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "lastName": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" } }

Provide Auris SP metadata to the IdP

After creating the connection, Auris generates Service Provider (SP) metadata that your customer must register in their IdP:

  • SP Entity ID: https://auth.yourapp.com/saml/org-slug
  • ACS URL (Assertion Consumer Service): https://auth.yourapp.com/saml/org-slug/callback
  • SP Metadata URL: https://auth.yourapp.com/saml/org-slug/metadata

Share the SP Metadata URL with your customer’s IT administrator. Most enterprise IdPs accept a metadata URL directly.

Activate the connection

POST/api/organizations/[orgId]/sso/connections/[id]/activateRequires: manage:sso_connections

Activates the SSO connection. Domain verification must be complete before activation.


OIDC Setup

Obtain OIDC configuration

From the customer’s OIDC provider, you need:

  • Discovery URL (preferred): https://provider.example.com/.well-known/openid-configuration
  • Or manually: Authorization endpoint, Token endpoint, JWKS URI, Client ID, Client Secret

Create the SSO connection

{ "type": "OIDC", "name": "Acme Google Workspace", "config": { "discoveryUrl": "https://accounts.google.com/.well-known/openid-configuration", "clientId": "123456789-abc.apps.googleusercontent.com", "clientSecret": "GOCSPX-...", "scopes": ["openid", "profile", "email"], "pkce": true } }

OIDC config fields:

FieldRequiredNotes
discoveryUrlRecommendedOIDC discovery endpoint. If provided, other endpoints are inferred automatically
authorizationUrlIf no discoveryUrlOAuth2 authorization endpoint
tokenUrlIf no discoveryUrlOAuth2 token endpoint
jwksUrlIf no discoveryUrlJWKS endpoint for token verification
clientIdYesThe OAuth2 client ID registered with the IdP
clientSecretYesThe OAuth2 client secret
scopesNoDefaults to ["openid", "profile", "email"]
pkceNoEnable PKCE for the OIDC flow (recommended, default: true)

Register the Auris redirect URI with the IdP

Provide this redirect URI when registering the Auris application in the customer’s IdP:

https://auth.yourapp.com/oidc/org-slug/callback

Activate the connection

Same as SAML — domain verification must complete before activation.


SSO Login Flow

Once an SSO connection is active and a domain is verified, the login flow changes for users with matching email addresses:

  1. The user enters their email on the Auris Hosted Login page.
  2. Auris calls the SSO detection endpoint:
POST/api/auth/sso/detect

Accepts an email address and returns the SSO connection details if an active connection exists for the email domain.

{ "email": "[email protected]" }

Response when SSO is configured:

{ "ssoRequired": true, "connectionType": "SAML", "organizationName": "Acme Corporation", "loginUrl": "/api/auth/sso/login/acme-azure-ad" }
  1. Auris redirects the user to the IdP via:
GET/api/auth/sso/login/[alias]

Initiates the SSO flow by redirecting the user to the configured IdP.

  1. The user authenticates at their corporate IdP.

  2. The IdP redirects back to Auris:

POST/api/auth/sso/callback

Receives the SAML assertion or OIDC authorization code. Validates the response, resolves or creates the Auris user, and issues Auris tokens.

  1. Auris issues its own access token and refresh token. From this point, the SSO session is independent — Auris token lifetimes are governed by Auris settings, not the IdP session.

Just-in-Time (JIT) User Provisioning

If a user successfully authenticates at the IdP but does not have an existing Auris account, Auris creates one automatically during the SSO callback. This is called Just-in-Time provisioning.

JIT provisioning creates the user with:

  • Email, firstName, and lastName from the IdP response or SAML assertion
  • Membership in the organization tied to the SSO connection
  • The default role configured for JIT-provisioned users (configurable per connection, defaults to MEMBER)

The user’s account persists after the first login — subsequent logins resolve to the same account.

JIT provisioning creates users in the MEMBER role by default. If your application requires elevated roles for some users, use SCIM provisioning in addition to SSO to pre-provision users with the correct roles before their first login.


Multiple SSO Connections per Organization

An organization can have multiple active SSO connections — for example, SAML for an Azure AD deployment and OIDC for a subset of users on Google Workspace.

The SSO detection endpoint matches based on the verified email domain. If multiple connections share the same domain, the most recently activated connection takes precedence. In practice, each SSO connection should be associated with distinct verified domains to avoid ambiguity.


Managing SSO Connections

GET/api/organizations/[orgId]/sso/connectionsRequires: view:sso_connections

List all SSO connections for an organization.

GET/api/organizations/[orgId]/sso/connections/[id]Requires: view:sso_connections

Get a specific SSO connection with its current status and configuration.

PATCH/api/organizations/[orgId]/sso/connections/[id]Requires: manage:sso_connections

Update an SSO connection. You can update config fields, the name, or attribute mappings without deactivating the connection.

POST/api/organizations/[orgId]/sso/connections/[id]/deactivateRequires: manage:sso_connections

Deactivates the SSO connection. Users with matching email domains will no longer be redirected to the IdP. They fall back to standard Auris authentication.

DELETE/api/organizations/[orgId]/sso/connections/[id]Requires: manage:sso_connections

Permanently deletes the SSO connection. Existing user accounts created via JIT provisioning are not deleted.


Console Walkthrough

SSO management is available on the Organization detail page in the Admin Console, under the “Enterprise SSO” tab.

Adding a SAML connection:

  1. Navigate to Admin Console → Organizations → [Org name] → Enterprise SSO.
  2. Click “Add SSO Connection”. Select SAML 2.0.
  3. Enter the IdP metadata URL or paste the XML.
  4. Review the parsed configuration (Entity ID, SSO URL, certificate).
  5. Save. The connection is created in an inactive state.
  6. Navigate to the “Domains” tab and add the organization’s email domain.
  7. Add the DNS TXT record and click “Verify Domain”.
  8. Once the domain is verified, return to the SSO tab and click “Activate”.

Adding an OIDC connection:

Same flow, but the form requests Discovery URL, Client ID, and Client Secret. Auris fetches the discovery document automatically and populates the remaining fields.


Required Permissions

OperationPermission
View SSO connectionsview:sso_connections
Create / update / delete SSO connectionsmanage:sso_connections
Manage domain verificationmanage:sso_connections