Enterprise Single Sign-On (SSO) configuration

Single Sign‑On (SSO) for Enterprise

Enterprise plan customers can configure SSO using SAML 2.0 or OIDC (OpenID Connect).

Supported SSO providers

• Okta
• Azure AD (Microsoft Entra ID)
• Google Workspace
• Auth0
• Ping Identity
• Any SAML 2.0 or OIDC compliant IdP

SAML 2.0 configuration

1. Go to Company Settings → SSO tab.
2. Select SAML 2.0.
3. Enter your IdP metadata URL or upload metadata XML file.
4. Certorix provides:
   • Entity ID: https://certorix.com/saml/metadata
   • ACS URL: https://certorix.com/saml/acs
   • Name ID format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
5. Map attributes:
   • email → SAML attribute (e.g., http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress)
   • firstName → optional
   • lastName → optional
6. Click Test SAML connection to verify.
7. Save configuration.

OIDC configuration

1. Select OpenID Connect.
2. Enter your Issuer URL (e.g., https://login.microsoftonline.com/{tenant}/v2.0).
3. Enter Client ID and Client Secret from your IdP.
4. Set Authorized redirect URI: https://certorix.com/oidc/callback.
5. Save configuration.

Enforcing SSO for all users

Toggle Require SSO for all logins to ON. When enabled:

• Users cannot log in with email/password.
• Google OAuth is disabled.
• API tokens still work (for automation).
• Admins can still use backup login (email/password) via a special URL (/admin/login) to avoid lockout.

Just‑In‑Time (JIT) provisioning

When enabled, users logging in via SSO for the first time are automatically created in Certorix with the role specified in the SAML/OIDC attribute (role claim).

Default role for new JIT users: Viewer.