Enterprise SSO
Connect any identity provider. AuthFI supports SAML 2.0, OIDC federation, and LDAP/Active Directory.
Supported Providers
| Provider | Protocol | Setup |
|---|---|---|
| Okta | SAML 2.0 / OIDC | Upload IdP metadata or discovery URL |
| Azure AD (Entra) | SAML 2.0 / OIDC | Enterprise app registration |
| Google Workspace | SAML 2.0 | Custom SAML app |
| OneLogin | SAML 2.0 | SAML connector |
| PingIdentity | SAML 2.0 / OIDC | Application configuration |
| Active Directory | LDAP | Host, port, base DN, bind credentials |
| Any OIDC provider | OIDC | Discovery URL |
| Any SAML IdP | SAML 2.0 | IdP metadata XML |
SAML 2.0
Create a SAML Connection
```bash
curl -X POST https://api.authfi.app/manage/v1/acme/connections \
  -H "X-API-Key: sk_..." \
  -d '{
    "name": "Okta SSO",
    "strategy": "saml",
    "is_active": true,
    "saml_idp_sso_url": "https://acme.okta.com/app/xxx/sso/saml",
    "saml_entity_id": "http://www.okta.com/xxx",
    "saml_certificate": "-----BEGIN CERTIFICATE-----\nMIIC...\n-----END CERTIFICATE-----",
    "saml_name_id_format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "attribute_mapping": {
      "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
      "name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
    }
  }'
```

AuthFI SP Metadata
Each connection gets a metadata endpoint:
```
GET https://acme.authfi.app/saml/{connId}/metadata
```

Upload this XML to your IdP or use these values:
- Entity ID: https://acme.authfi.app
- ACS URL: https://acme.authfi.app/auth/saml/{connId}/callback
- Name ID Format: emailAddress
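As an added example (not AuthFI's own code), these are the checks an SP applies to an assertion posted to the ACS URL before it creates or links a user: validity window, Audience against the Entity ID above, Recipient against the ACS URL, InResponseTo against the AuthnRequest it issued, and then the attribute_mapping from the "Okta SSO" connection. The connection id conn_123, the sample assertion and the clock values are constructed, and XML signature verification against saml_certificate is assumed to have been done by a SAML library before these checks run.

```python
import datetime as dt
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# SP values from the metadata section above; the connection id is a constructed placeholder.
SP_ENTITY_ID = "https://acme.authfi.app"
ACS_URL = "https://acme.authfi.app/auth/saml/conn_123/callback"
ATTRIBUTE_MAPPING = {  # same mapping as the "Okta SSO" connection
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
}

def _ts(s):
    return dt.datetime.fromisoformat(s.replace("Z", "+00:00"))

def validate_assertion(xml_text, now, expected_request_id):
    """Return the mapped user attributes, or raise ValueError naming the failed check."""
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("missing Conditions")
    if now < _ts(cond.get("NotBefore")) or now >= _ts(cond.get("NotOnOrAfter")):
        raise ValueError("assertion outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise ValueError("audience is not our Entity ID")
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != ACS_URL:
        raise ValueError("Recipient is not our ACS URL")
    if scd.get("InResponseTo") != expected_request_id:
        raise ValueError("InResponseTo does not match the AuthnRequest we issued")
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values[0] if values else None
    mapped = {key: attrs.get(name) for key, name in ATTRIBUTE_MAPPING.items()}
    if not mapped["email"]:
        raise ValueError("no email attribute; cannot create or link the user")
    return mapped
# Constructed sample assertion (signature omitted) and clock values for the demo.
NOW = dt.datetime(2024, 1, 1, 0, 1, tzinfo=dt.timezone.utc)
EXPIRED = NOW + dt.timedelta(minutes=10)
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1"><saml:Subject>
<saml:NameID>alice@acme.com</saml:NameID><saml:SubjectConfirmation><saml:SubjectConfirmationData
 Recipient="https://acme.authfi.app/auth/saml/conn_123/callback" InResponseTo="_req1" NotOnOrAfter="2024-01-01T00:05:00Z"/>
</saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
<saml:AudienceRestriction><saml:Audience>https://acme.authfi.app</saml:Audience></saml:AudienceRestriction></saml:Conditions>
<saml:AttributeStatement><saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
<saml:AttributeValue>alice@acme.com</saml:AttributeValue></saml:Attribute><saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
<saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion>"""
```

A replayed or expired assertion, or one minted for a different SP or request, is rejected with the failing check named, which is what the ACS handler should log before refusing to create the user.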
SAML Flow
1. User clicks "Login with Okta"
2. AuthFI redirects to Okta with SAML AuthnRequest
3. User authenticates at Okta
4. Okta POSTs SAML assertion to AuthFI ACS URL
5. AuthFI validates assertion, creates/links user
6. AuthFI issues JWT tokens
7. User is logged in

OIDC Federation
```bash
curl -X POST https://api.authfi.app/manage/v1/acme/connections \
  -H "X-API-Key: sk_..." \
  -d '{
    "name": "Azure AD",
    "strategy": "oidc",
    "is_active": true,
    "oidc_discovery_url": "https://login.microsoftonline.com/{tenant}/.well-known/openid-configuration",
    "oidc_client_id": "app-registration-id",
    "oidc_client_secret": "app-secret",
    "oidc_scopes": "openid profile email"
  }'
```

LDAP / Active Directory
```bash
curl -X POST https://api.authfi.app/manage/v1/acme/connections \
  -H "X-API-Key: sk_..." \
  -d '{
    "name": "Corporate AD",
    "strategy": "ldap",
    "is_active": true,
    "ldap_host": "ldap.corp.internal",
    "ldap_port": 636,
    "ldap_use_tls": true,
    "ldap_base_dn": "dc=corp,dc=internal",
    "ldap_bind_dn": "cn=authfi-svc,ou=ServiceAccounts,dc=corp,dc=internal",
    "ldap_bind_password": "...",
    "ldap_user_filter": "(sAMAccountName={username})"
  }'
```

Domain Routing
Map email domains to connections. When a user enters alice@acme.com, AuthFI automatically redirects to the right IdP.
```bash
curl -X PATCH https://api.authfi.app/manage/v1/acme/connections/{connId} \
  -H "X-API-Key: sk_..." \
  -d '{ "email_domains": ["acme.com", "acme.io"] }'
```

Multiple domains can point to one connection. The identifier-first flow (POST /auth/login/identify) returns the matched connection for the email domain.
User Provisioning
Just-In-Time (JIT)
When a user logs in via SSO for the first time, AuthFI automatically creates a user account from the SAML/OIDC attributes. No pre-provisioning needed.
SCIM Inbound
For directory sync, configure SCIM on your IdP to push user create/update/delete to:
```
https://api.authfi.app/scim/v2/acme/Users
Authorization: Bearer <scim-token>
```

See SCIM Provisioning for details.
Group Claims
AuthFI can map IdP group claims to AuthFI groups:
- SAML: Map the groups attribute → AuthFI groups
- OIDC: Map the groups claim → AuthFI groups
- LDAP: Map AD group membership → AuthFI groups
Groups synced from SSO are used for role assignment, AuthFI Connect mapping, and eBPF access policies.
Plan Availability
| Feature | Build | Ship | Scale |
|---|---|---|---|
| Social login (Google, GitHub) | Yes | Yes | Yes |
| SAML 2.0 | — | Yes | Yes |
| OIDC federation | — | Yes | Yes |
| LDAP / AD | — | Yes | Yes |
| SSO connections | 0 | 5 | Unlimited |
| Domain routing | — | Yes | Yes |
| SCIM inbound | — | Add-on | Yes |