01
1. Collect IdP metadata
- SAML: entity id, SSO URL, base64 X.509 cert (PEM). Get them from your IdP admin UI (Okta, Azure AD, Google Workspace).
- OIDC: issuer URL, client id, client secret. The client secret is write-only on our API — store the original in a vault.
- Optional: pick an enforced_domain (e.g. acme.com) so logins from that email domain are required to use SSO.
02
2. Save and verify
- Open /settings/sso → pick the protocol → paste the fields → Save. Page returns the stored fingerprint so you can confirm the cert.
- Status today is metadata storage only — the actual SAML / OIDC login flow is a separate wave (see SSO concept).
- Disable: hit Remove. The endpoint is not plan-gated so a downgraded tenant can still tear it down.