Enterprise SSO per Organization
Enterprise Single Sign-On (SSO) allows each organization in Auris to delegate authentication to their own corporate identity provider. When a user logs in with an email address belonging to a verified domain, Auris automatically redirects them to their organization’s IdP instead of presenting the standard username/password form. After successful authentication at the IdP, the user is returned to Auris and either matched to an existing account or provisioned automatically via just-in-time (JIT) user creation.
This feature is designed for B2B SaaS products where enterprise customers require their employees to authenticate exclusively through company-managed credentials.
Supported Protocols
Auris supports two SSO protocols, both implemented via Keycloak’s identity broker functionality:
SAML 2.0 — Security Assertion Markup Language. Used by enterprise IdPs including Microsoft Azure AD (Entra ID), Okta, ADFS, Ping Identity, and Shibboleth. SAML uses XML-based assertions signed with X.509 certificates.
OIDC (OpenID Connect) — A modern identity layer on top of OAuth 2.0. Used by Google Workspace, Okta (as an OIDC provider), Microsoft Azure AD (also supports OIDC), and any OAuth 2.0 Authorization Server with an OIDC discovery endpoint.
Domain Verification
Before an SSO connection can be activated, the organization must prove ownership of the email domain. This prevents an organization from intercepting logins for a domain they do not own.
Verification uses a DNS TXT record:
- Auris generates a unique verification token for the domain.
- The organization’s DNS administrator creates a TXT record:
_auris-verify.domain.comwith the token as the value. - An admin clicks “Verify” in the Console (or calls the verify API).
- Auris performs a DNS lookup for the TXT record and confirms the token matches.
/api/organizations/[orgId]/sso/domainsRequires: manage:sso_connectionsAdd a domain to verify for SSO. Returns the verification token to add to DNS.
{
"domain": "acme.com"
}Response:
{
"id": "dom_01HX...",
"domain": "acme.com",
"verificationToken": "auris-verify=a1b2c3d4e5f6...",
"verificationMethod": "TXT",
"status": "PENDING"
}DNS record to create:
_auris-verify.acme.com TXT "auris-verify=a1b2c3d4e5f6..."/api/organizations/[orgId]/sso/domains/[domainId]/checkRequires: manage:sso_connectionsTriggers a DNS verification check. Returns the updated domain status: PENDING, ACTIVE, or FAILED.
DNS propagation can take up to 48 hours, though most changes propagate within a few minutes. If verification fails immediately after adding the record, wait a few minutes and try again.
SAML 2.0 Setup
Obtain IdP metadata
From your customer’s IdP, retrieve either:
- A Metadata URL — a URL that serves the IdP’s SAML metadata XML (preferred, as it auto-refreshes certificates)
- A Metadata XML file — a downloaded copy of the metadata
The metadata contains the Entity ID, SSO URL, and signing certificate.
Create the SSO connection
/api/organizations/[orgId]/sso/connectionsRequires: manage:sso_connectionsCreates a new SSO connection for the organization.
{
"type": "SAML",
"name": "Acme Azure AD",
"config": {
"entityId": "https://sts.windows.net/tenant-id-here/",
"ssoUrl": "https://login.microsoftonline.com/tenant-id/saml2",
"certificate": "MIICIjANBgkq...",
"signRequests": true,
"nameIdFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
}
}SAML config fields:
| Field | Required | Notes |
|---|---|---|
entityId | Yes | The IdP’s Entity ID from its metadata |
ssoUrl | Yes | The IdP’s SAML SSO endpoint URL |
certificate | Yes | The IdP’s X.509 signing certificate (PEM-encoded, without headers) |
signRequests | No | Whether to sign outbound SAML requests (default: true) |
nameIdFormat | No | Preferred NameID format. Defaults to emailAddress |
Configure attribute mapping
Map SAML assertion attributes to Auris user fields:
{
"attributeMapping": {
"email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
"firstName": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
"lastName": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
}
}Provide Auris SP metadata to the IdP
After creating the connection, Auris generates Service Provider (SP) metadata that your customer must register in their IdP:
- SP Entity ID:
https://auth.yourapp.com/saml/org-slug - ACS URL (Assertion Consumer Service):
https://auth.yourapp.com/saml/org-slug/callback - SP Metadata URL:
https://auth.yourapp.com/saml/org-slug/metadata
Share the SP Metadata URL with your customer’s IT administrator. Most enterprise IdPs accept a metadata URL directly.
Activate the connection
/api/organizations/[orgId]/sso/connections/[id]/activateRequires: manage:sso_connectionsActivates the SSO connection. Domain verification must be complete before activation.
OIDC Setup
Obtain OIDC configuration
From the customer’s OIDC provider, you need:
- Discovery URL (preferred):
https://provider.example.com/.well-known/openid-configuration - Or manually: Authorization endpoint, Token endpoint, JWKS URI, Client ID, Client Secret
Create the SSO connection
{
"type": "OIDC",
"name": "Acme Google Workspace",
"config": {
"discoveryUrl": "https://accounts.google.com/.well-known/openid-configuration",
"clientId": "123456789-abc.apps.googleusercontent.com",
"clientSecret": "GOCSPX-...",
"scopes": ["openid", "profile", "email"],
"pkce": true
}
}OIDC config fields:
| Field | Required | Notes |
|---|---|---|
discoveryUrl | Recommended | OIDC discovery endpoint. If provided, other endpoints are inferred automatically |
authorizationUrl | If no discoveryUrl | OAuth2 authorization endpoint |
tokenUrl | If no discoveryUrl | OAuth2 token endpoint |
jwksUrl | If no discoveryUrl | JWKS endpoint for token verification |
clientId | Yes | The OAuth2 client ID registered with the IdP |
clientSecret | Yes | The OAuth2 client secret |
scopes | No | Defaults to ["openid", "profile", "email"] |
pkce | No | Enable PKCE for the OIDC flow (recommended, default: true) |
Register the Auris redirect URI with the IdP
Provide this redirect URI when registering the Auris application in the customer’s IdP:
https://auth.yourapp.com/oidc/org-slug/callbackActivate the connection
Same as SAML — domain verification must complete before activation.
SSO Login Flow
Once an SSO connection is active and a domain is verified, the login flow changes for users with matching email addresses:
- The user enters their email on the Auris Hosted Login page.
- Auris calls the SSO detection endpoint:
/api/auth/sso/detectAccepts an email address and returns the SSO connection details if an active connection exists for the email domain.
{ "email": "[email protected]" }Response when SSO is configured:
{
"ssoRequired": true,
"connectionType": "SAML",
"organizationName": "Acme Corporation",
"loginUrl": "/api/auth/sso/login/acme-azure-ad"
}- Auris redirects the user to the IdP via:
/api/auth/sso/login/[alias]Initiates the SSO flow by redirecting the user to the configured IdP.
-
The user authenticates at their corporate IdP.
-
The IdP redirects back to Auris:
/api/auth/sso/callbackReceives the SAML assertion or OIDC authorization code. Validates the response, resolves or creates the Auris user, and issues Auris tokens.
- Auris issues its own access token and refresh token. From this point, the SSO session is independent — Auris token lifetimes are governed by Auris settings, not the IdP session.
Just-in-Time (JIT) User Provisioning
If a user successfully authenticates at the IdP but does not have an existing Auris account, Auris creates one automatically during the SSO callback. This is called Just-in-Time provisioning.
JIT provisioning creates the user with:
- Email, firstName, and lastName from the IdP response or SAML assertion
- Membership in the organization tied to the SSO connection
- The default role configured for JIT-provisioned users (configurable per connection, defaults to MEMBER)
The user’s account persists after the first login — subsequent logins resolve to the same account.
JIT provisioning creates users in the MEMBER role by default. If your application requires elevated roles for some users, use SCIM provisioning in addition to SSO to pre-provision users with the correct roles before their first login.
Multiple SSO Connections per Organization
An organization can have multiple active SSO connections — for example, SAML for an Azure AD deployment and OIDC for a subset of users on Google Workspace.
The SSO detection endpoint matches based on the verified email domain. If multiple connections share the same domain, the most recently activated connection takes precedence. In practice, each SSO connection should be associated with distinct verified domains to avoid ambiguity.
Managing SSO Connections
/api/organizations/[orgId]/sso/connectionsRequires: view:sso_connectionsList all SSO connections for an organization.
/api/organizations/[orgId]/sso/connections/[id]Requires: view:sso_connectionsGet a specific SSO connection with its current status and configuration.
/api/organizations/[orgId]/sso/connections/[id]Requires: manage:sso_connectionsUpdate an SSO connection. You can update config fields, the name, or attribute mappings without deactivating the connection.
/api/organizations/[orgId]/sso/connections/[id]/deactivateRequires: manage:sso_connectionsDeactivates the SSO connection. Users with matching email domains will no longer be redirected to the IdP. They fall back to standard Auris authentication.
/api/organizations/[orgId]/sso/connections/[id]Requires: manage:sso_connectionsPermanently deletes the SSO connection. Existing user accounts created via JIT provisioning are not deleted.
Console Walkthrough
SSO management is available on the Organization detail page in the Admin Console, under the “Enterprise SSO” tab.
Adding a SAML connection:
- Navigate to Admin Console → Organizations → [Org name] → Enterprise SSO.
- Click “Add SSO Connection”. Select SAML 2.0.
- Enter the IdP metadata URL or paste the XML.
- Review the parsed configuration (Entity ID, SSO URL, certificate).
- Save. The connection is created in an inactive state.
- Navigate to the “Domains” tab and add the organization’s email domain.
- Add the DNS TXT record and click “Verify Domain”.
- Once the domain is verified, return to the SSO tab and click “Activate”.
Adding an OIDC connection:
Same flow, but the form requests Discovery URL, Client ID, and Client Secret. Auris fetches the discovery document automatically and populates the remaining fields.
Required Permissions
| Operation | Permission |
|---|---|
| View SSO connections | view:sso_connections |
| Create / update / delete SSO connections | manage:sso_connections |
| Manage domain verification | manage:sso_connections |
Related Pages
- B2B Multi-Tenant Organizations — Organization setup, member roles, and invitations
- SCIM 2.0 Provisioning — Automated user provisioning to complement SSO
- Hosted Login — How the Hosted Login page integrates with SSO detection
- Console: Organizations — Full Console walkthrough