Enterprise single sign-on lets users authenticate through their organization's identity provider (IdP). Authdog supports SAML 2.0 and OpenID Connect (OIDC), then routes users to an active connection by configured email domain.
First-class choices include Okta and JumpCloud over SAML; Microsoft Entra ID and BeyondTrust over OIDC; and Ping Identity over SAML in the current provider catalog. Generic SAML 2.0 and OpenID Connect connectors are also available.
Create a connection
In the Authdog console:
- Select the target project and environment.
- Open Authentication → Providers.
- Filter to Enterprise.
- Choose the vendor or generic protocol connector.
- Copy Authdog's displayed service-provider values into the IdP.
- Enter the IdP values in Authdog.
- Add the email domains that should discover this connection.
- Save, then use Test before inviting users.
Enterprise providers can have multiple connections in one environment. Give each a clear connection name and non-overlapping discovery domains.
Configure SAML
Authdog displays:
- SP-initiated sign-in URL
- ACS / Reply URL
- SP Entity ID / audience
- Downloadable SP metadata XML
Configure those exact values in the IdP. Then provide Authdog with:
- IdP SSO URL
- IdP X.509 signing certificate
- Connection name
You can import IdP metadata from a URL or paste metadata XML. Import fills available SSO URL, certificate, entity ID, and logout URL fields; it runs only when you select Fetch or Parse & autofill.
Optional controls include logout, login hints, signed requests, protocol binding, and request template. Prefer RSA-SHA256 and SHA-256 when request signing is required; SHA-1 options exist only for compatibility with older IdPs.
Configure OIDC
Authdog displays the redirect / callback URL to register at the IdP. For an external provider, enter:
- Connection name
- OIDC discovery URL
- Client ID
- Client secret
The current first-class OIDC vendors use this external-provider configuration. Authdog also supports an internal mode that selects an OIDC client already registered in the environment.
Use the exact discovery document URL and callback URL. A base issuer URL that does not serve the expected discovery document will not configure the connection correctly.
Route users by email domain
In Email domains (for SSO discovery), enter one or more domains separated by commas, for example:
acme.com, eu.acme.comAn entry matches the exact email domain and its subdomains. For example, acme.com also matches eu.acme.com. Only active enterprise connections participate in discovery.
Avoid overlapping entries across connections. Resolution uses the first active matching connection returned for the environment, so overlaps can route users unpredictably.
Test before rollout
- Use the connection's Test action.
- Test SP-initiated sign-in.
- Confirm the IdP sends the expected stable subject and email claims.
- Exercise MFA and conditional-access rules at the IdP.
- Test logout only if you enabled it.
- Test through the Account Portal or your embedded sign-in UI with a discovery-domain address.
- Repeat in production with production URLs and credentials.
Security guidance
- Pin SAML trust to the IdP certificate supplied through metadata or secure administrator exchange.
- Track SAML certificate expiry and rotate before the IdP removes the old certificate.
- Use HTTPS discovery, SSO, logout, and callback URLs.
- Store OIDC client secrets only in Authdog and the IdP; never browser code.
- Keep request signing on SHA-256 algorithms unless an IdP strictly requires legacy SHA-1.
- Verify organization administrators before allowing self-service setup through the Admin Portal.
- Keep a recovery sign-in path while testing policy changes so a bad IdP configuration does not lock out operators.
Operational notes
- Changing a custom domain can change the callback URL. Update the IdP allowlist with the URL currently shown in the connection form.
- Metadata import does not automatically refresh later. Review IdP metadata and certificates during rotations.
- Removing a connection schedules it for deletion; verify another sign-in method works first.
- Missing SAML SSO URL or certificate is rejected. OIDC connections require client credentials and a discovery/issuer URL.
- Copy connection ID from Configured when support or audit work needs an unambiguous identifier.
Related
- Admin Portal — customer-admin self-service setup links
- Account Portal — end-user hosted sign-in
- Authentication — connection and session model
- Organizations — customer organization model
- Provisioning — SCIM and directory lifecycle
- Custom domains — callback hostname setup
- Security — session and federation security