Enterprise SSO
Route teammates through your identity provider — OIDC authorization code + PKCE on Team and Enterprise plans. No vendor-specific SDKs required.
Shipped: CP-6.1 — domain verification, OIDC config API, and email-domain SSO discovery on sign-in. SCIM provisioning is on the roadmap.
Plan requirement
SSO requires Team or Enterprise plan. Pro and trial accounts use Google OAuth and email OTP for console access — API keys remain separate from SSO sessions.
Supported identity providers
Any OIDC-compliant IdP works. Console setup wizards include templates for:
- Okta
- Auth0
- Microsoft Entra ID (Azure AD)
- Google Workspace (OIDC)
- OneLogin
- PingIdentity
SAML-only IdPs can be bridged through the IdP's own OIDC app integration; DriftGuard does not need to act as a native SAML service provider, which is sufficient for most enterprises.
Setup workflow
1. Verify your email domain. An org owner registers the domain with POST /api/orgs/{orgId}/domains, publishes the returned DNS TXT challenge, then confirms it with POST …/domains/{domain}/verify.
2. Create an OIDC app in your IdP. Set the redirect URI to https://driftguard.org/api/auth/oidc/callback (or the same path on your custom domain).
3. Configure org SSO. Paste the issuer URL, client ID, and client secret in Console > Settings > SSO, or via the API:

PUT /api/orgs/{orgId}/sso
{
  "enabled": true,
  "issuer": "https://your-idp.example.com",
  "clientId": "…",
  "clientSecret": "…"
}

4. Test sign-in. Users whose email domain is verified see Enterprise SSO on the sign-in page. Direct start URL:
GET /api/orgs/{orgId}/sso/start?email=user@acme.test
Email-domain discovery
When a user enters user@acme.test on sign-in, DriftGuard checks verified domains and returns an SSO start URL if the org has SSO enabled. No password is stored for SSO-only orgs.
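The discovery step above and the authorization-code + PKCE flow it hands off to, as an added Python example (not DriftGuard's own code). The org directory, org IDs and domain sets are constructed for the example; the IdP authorize endpoint at {issuer}/authorize is an assumption (a real relying party reads it from the issuer's .well-known/openid-configuration). Discovery matches only the exact verified domain, case-folded, so a subdomain or an unverified domain never routes a user to another org's IdP.

```python
import base64
import hashlib
import secrets
from typing import Optional
from urllib.parse import quote, urlencode

# Constructed org directory for the example: orgId -> SSO state and verified domains.
ORGS = {
    "org_acme": {"sso_enabled": True, "verified_domains": {"acme.test"}},
    "org_beta": {"sso_enabled": False, "verified_domains": {"beta.test"}},
    "org_pending": {"sso_enabled": True, "verified_domains": set()},  # verify not yet done
}

BASE_URL = "https://driftguard.org"  # custom domains substitute their own host


def email_domain(email: str) -> Optional[str]:
    """Domain part used for discovery: lower-cased text after a single '@'.
    Anything that is not local@domain with a dotted domain is rejected."""
    email = email.strip()
    if email.count("@") != 1:
        return None
    local, domain = email.split("@")
    if not local or not domain or "." not in domain:
        return None
    return domain.lower()


def discover_sso_start(email: str, orgs=ORGS) -> Optional[str]:
    """Return the SSO start URL for this email, or None when no org with SSO
    enabled has verified the exact domain. Subdomains do not inherit a parent
    domain's verification; each domain is verified on its own."""
    domain = email_domain(email)
    if domain is None:
        return None
    for org_id, org in orgs.items():
        if org["sso_enabled"] and domain in org["verified_domains"]:
            return f"{BASE_URL}/api/orgs/{org_id}/sso/start?email={quote(email.strip(), safe='@')}"
    return None


def new_pkce_verifier() -> str:
    """RFC 7636 code_verifier: 32 random bytes -> 43 base64url chars (43-128 allowed)."""
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")


def pkce_challenge(verifier: str) -> str:
    """S256 code_challenge: base64url(SHA-256(verifier)) with padding removed."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorization_request(issuer: str, client_id: str, redirect_uri: str,
                                verifier: str, state: str, nonce: str) -> str:
    """Authorization request the relying party sends the IdP after /sso/start.
    Assumes the authorize endpoint lives at {issuer}/authorize (example assumption).
    state binds the callback to this browser session; nonce binds the ID token to it;
    only the challenge travels here, the verifier is sent at the token exchange."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid email profile",
        "state": state,
        "nonce": nonce,
        "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return f"{issuer.rstrip('/')}/authorize?{urlencode(params)}"


if __name__ == "__main__":
    start = discover_sso_start("user@acme.test")
    print("start URL:", start)
    verifier = new_pkce_verifier()
    print(build_authorization_request("https://your-idp.example.com", "client-id",
                                      "https://driftguard.org/api/auth/oidc/callback",
                                      verifier, secrets.token_urlsafe(16), secrets.token_urlsafe(16)))
```

The pkce_challenge function reproduces the RFC 7636 test vector, which is the quickest check that a relying party's S256 implementation is right; an IdP that rejects the token exchange with invalid_grant after a correct-looking authorize request is usually a verifier/challenge mismatch or a trailing-slash difference in the redirect URI.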
Who can configure SSO
Requires sso:manage permission — granted to owner role by default. See RBAC.
SCIM (roadmap)
Automated user provisioning and deprovisioning via SCIM 2.0 is planned for Enterprise. Until then, invite teammates via POST /api/orgs/{orgId}/invites or console Team panel.
Related
- RBAC & roles
- API keys — separate from SSO sessions
- Audit logs
- Team plan