Enterprise SSO

Any identity provider.
Zero friction.

SAML 2.0, OIDC, LDAP/AD — configured from your dashboard in minutes. Domain routing auto-detects the right IdP. JIT provisioning creates users on first login. Per-org SSO for B2B.

SSO shouldn't block enterprise deals

Without AuthFI

  • "We need SSO" — 3 months of engineering
  • Build SAML SP from scratch, debug XML signatures
  • Another customer needs OIDC — rebuild everything
  • LDAP customer appears — hire a contractor
  • Auth0 SSO add-on: $150+/connection/month

With AuthFI

  • "We need SSO" — configured in 10 minutes
  • SAML, OIDC, LDAP — all supported, same dashboard
  • Upload metadata, map attributes, test, done
  • JIT provisioning creates users on first login
  • SSO connections included in Pro plan ($149/mo)

Three protocols. Every IdP covered.

SAML 2.0 for enterprise, OIDC for modern identity, LDAP for on-prem. Each configured from the same dashboard.

🔐

SAML 2.0

The enterprise standard. Upload IdP metadata XML, AuthFI handles assertion parsing, signature validation, and attribute mapping.

Setup steps
  1. 1 Upload IdP metadata XML (or URL)
  2. 2 Map attributes: email, name, groups
  3. 3 Configure domain routing
  4. 4 Test with IdP-initiated or SP-initiated flow
Works with
Okta OktaAzure AD Azure ADGoogle Workspace Google Workspace OneLogin PingIdentity Any SAML IdP
🌐

OIDC

Modern OpenID Connect. Provide a discovery URL and client credentials. AuthFI handles the authorization code flow with PKCE.

Setup steps
  1. 1 Enter discovery URL (.well-known/openid-configuration)
  2. 2 Set client ID and secret
  3. 3 Map claims to AuthFI attributes
  4. 4 Test login flow
Works with
Azure AD (Entra) Azure AD (Entra)Okta OktaAuth0 Auth0Keycloak Keycloak Any OIDC Provider
🏢

LDAP / Active Directory

On-prem directory integration. Bind to LDAP, search for users, validate credentials. Supports LDAPS for encrypted connections.

Setup steps
  1. 1 Configure host, port, base DN
  2. 2 Set bind credentials
  3. 3 Define user search filter
  4. 4 Map LDAP attributes to AuthFI fields
Works with
Active Directory Active Directory OpenLDAP FreeIPA 389 Directory Server

Domain routing — automatic IdP detection

User enters their email. AuthFI reads the domain. Redirects to the right identity provider. No dropdown. No confusion. Just type your email.

Step 1 — user enters email
Email
alice@acme.com
Step 2 — AuthFI routes by domain
alice@acme.com
Acme's Okta SAML
bob@stark.com
Stark's Azure AD OIDC
carol@legacy.corp
On-prem AD LDAP
dave@gmail.com
Google social login OAuth
eve@yahoo.com
Email / password Local
Step 3 — same JWT, regardless of IdP
{ sub: "user-uuid", email: "alice@acme.com",
  roles: ["admin"], groups: ["engineering"],
  sso_provider: "okta", sso_protocol: "saml" }

// Your app doesn't care which IdP. Same JWT shape always.

Configure SSO in 3 steps

No code changes. No SAML libraries. No XML debugging. Dashboard + test + done.

1

Upload metadata

Paste IdP metadata XML, or enter an OIDC discovery URL, or configure LDAP connection.

SAML: Upload IdP metadata XML
  EntityID: https://acme.okta.com/app/xxx
  SSO URL:  https://acme.okta.com/app/xxx/sso/saml
  Cert:     ✓ X.509 parsed

OIDC: Enter discovery URL
  https://login.microsoftonline.com/xxx/.well-known/openid-configuration
   Endpoints auto-discovered
2

Configure domain routing

Map email domains to this SSO connection. Multiple domains per connection.

Domain routing:
  acme.com       → This SSO connection
  acme.io        → This SSO connection
  acme-corp.com  → This SSO connection

Attribute mapping:
  email      ← NameID
  name       ← displayName
  groups     ← memberOf
3

Test and activate

One-click test login. See the full SAML assertion or OIDC claims. Then activate.

Test login result:

SAML assertion received (valid signature)
User identified: alice@acme.com
Attributes mapped: name, groups
JIT user created in AuthFI
JWT issued with roles + permissions

Connection active. Users from @acme.com will be routed here.

Just-in-time provisioning

First SSO login auto-creates the user. Maps IdP attributes to AuthFI profile. Assigns groups and roles automatically. No admin intervention.

1 User logs in via SSO for the first time

alice@acme.com authenticates with Okta. AuthFI receives the SAML assertion.

2 User account created

AuthFI creates a user record from IdP attributes. Email verified automatically (IdP is the authority).

3 Groups mapped to roles

IdP group "Engineering" maps to AuthFI group "engineering". Group roles and permissions apply immediately.

4 JWT issued — user is in

Full JWT with identity, roles, permissions, groups. User accesses your app with correct permissions from minute one.

Attribute mapping

IdP attributes are mapped to AuthFI fields on every login.

FROM IdPTO AUTHFIEXAMPLE
NameID / subemailalice@acme.com
displayNamenameAlice Chen
memberOf / groupsgroups["engineering", "devops"]
departmentmetadata{ "dept": "Engineering" }
jobTitlemetadata{ "title": "Staff Engineer" }

Per-org SSO — different IdPs for different customers

For B2B SaaS: each of your customers (organizations) configures their own SSO provider. Your app code doesn't change at all.

MH

Memorial Hospital

ProtocolSAML 2.0
IdPOkta Okta
Domainmemorial-hospital.com
Users250 staff
MFARequired
CC

City Clinic

ProtocolOIDC
IdPEntra ID Azure AD (Entra)
Domaincityclinic.com
Users40 staff
MFAOptional
RL

Rural Labs

ProtocolLDAP
IdPOn-prem Active Directory
Domainrurallabs.org
Users15 staff
MFADisabled
Your SaaS: acme-health // Same login page. Same app code. Different IdPs per customer. alice@memorial-hospital.com → Okta SAML → JWT (org: memorial) bob@cityclinic.com → Azure OIDC → JWT (org: cityclinic) carol@rurallabs.org → LDAP bind → JWT (org: rurallabs) // All JWTs include org_id + org_slug. Your app reads org_id from JWT. // Zero code changes between orgs. Zero SSO code at all.

What happens under the hood

The full SSO flow from email input to JWT — no code needed from your side.

SSO flow (SAML example): User enters: alice@acme.com │ ▼ AuthFI checks domain routing → acme.com maps to Okta SAML connection │ ▼ Redirect to Okta (SAML AuthnRequest) → user authenticates at their company IdP │ ▼ Okta POSTs SAML Response to AuthFI │ ├── Validate XML signature ├── Check assertion conditions (audience, time) ├── Extract attributes (email, name, groups) ├── Create or update user (JIT provisioning) ├── Map groups → roles → permissions │ ▼ JWT issued → redirect back to your app → user is authenticated with full RBAC

SSO + SCIM = complete lifecycle

SSO handles authentication. SCIM handles provisioning. Together, they manage the full user lifecycle — from first login to offboarding.

SSO (authentication)

  • User authenticates against their IdP
  • JIT creates user on first login
  • Profile synced on every login
  • Session managed by AuthFI

SCIM (provisioning)

  • IdP pushes user create/update/delete
  • Users pre-provisioned before first login
  • Deprovisioned users blocked immediately
  • Group membership synced in real-time

Related features

Authentication

Email, social, MFA, magic links — the foundation SSO builds on

Directory & RBAC

SCIM sync from Entra ID — users and groups auto-provision

White-Label

Custom domains and branding for each org's SSO experience

Available on Starter and above. See pricing →

One platform. Every identity layer.
Free to start.

Free for 5,000 users. Upgrade when you're ready.

Start building free →

Startups and enterprises get 1 year free →