
Enterprise SSO

SecureAuth Connect enterprise SSO lets users sign in with their company identity provider (IdP) using OIDC or SAML. Users authenticate once through their existing IdP and access all applications in the workspace without reauthenticating.

SecureAuth Connect acts as a broker between your applications and the enterprise IdP. It handles the protocol handshake, normalizes user attributes into a common authentication context, and issues tokens to your applications.

Use cases

Enterprise SSO fits when your users already have identities managed by an external provider.

  • B2B partner access: Each customer organization brings their own IdP (Okta, Azure AD, etc.). SecureAuth Connect federates authentication so partners sign in with their corporate credentials.
  • Workforce access: Employees sign in with their company directory (Active Directory, Microsoft Entra ID). No separate credentials to manage.
  • Migration: Organizations moving from a legacy IdP can federate through SecureAuth Connect while transitioning users, avoiding a disruptive cutover.
  • Multi-IdP environments: Different user populations authenticate through different providers. SecureAuth Connect normalizes the identity regardless of which IdP the user comes from.

Enterprise SSO is not the best fit for consumer-facing applications where users don't have a corporate IdP. Use social login or password for those scenarios.

Supported protocols

| Protocol | Description | When to use |
| --- | --- | --- |
| OIDC | Modern token-based protocol. SecureAuth Connect obtains an ID token and user info after the user authenticates with the external provider. | Most modern IdPs (Okta, Azure AD, Auth0, Keycloak). Preferred for new integrations. |
| SAML | XML-based assertion protocol. SecureAuth Connect receives a SAML assertion after the user authenticates with the external provider. | Legacy IdPs or enterprise environments that require SAML. |

Supported enterprise providers

OIDC providers

Native integrations with dedicated templates:

Connect any OIDC-compliant provider using the generic template:

Providers like Keycloak and OneLogin work through the generic OIDC template.

SAML providers

Custom providers

For identity providers that are not OIDC or SAML compliant:

How enterprise SSO works

  1. A user accesses your application and is redirected to SecureAuth Connect.
  2. SecureAuth Connect identifies the correct IdP using IdP Routing (domain-based, custom routing, or manual selection).
  3. The user authenticates with their enterprise IdP.
  4. The IdP returns an assertion (SAML) or tokens (OIDC) to SecureAuth Connect.
  5. SecureAuth Connect normalizes the user attributes into a common authentication context.
  6. SecureAuth Connect issues tokens to your application.

SecureAuth Connect does not store tokens or assertions from external providers after the authentication context is created.

Enable SSO sessions

After configuring an enterprise IdP, enable persistent sessions so users authenticate once and access all workspace applications:

  1. Go to Authentication > Settings > Persistence.

  2. Select Persistent Session (SSO mode).

  3. Configure session settings:

    | Setting | Description |
    | --- | --- |
    | Session Max Age | Time after which the session expires, requiring reauthentication. |
    | Session Max Idle Time | Time after which an inactive session expires. |
    | SSO cookie domain | Domain for the SSO cookie. Set to .company.com to enable SSO across subdomains. |

For detailed configuration, see Enable SSO.
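The following added example (not SecureAuth Connect code) models how the three session settings above interact, so you can check which hosts fall inside the SSO cookie scope and when a session requires reauthentication. The function names, hostnames, durations, and the exact expiry comparison are assumptions; the cookie scope check follows the RFC 6265 domain-match rule that browsers apply.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
import ipaddress


@dataclass
class SessionPolicy:
    max_age: timedelta      # Session Max Age
    max_idle: timedelta     # Session Max Idle Time
    cookie_domain: str      # SSO cookie domain, e.g. ".company.com"


def cookie_in_scope(host: str, cookie_domain: str) -> bool:
    """RFC 6265 domain-match: would a browser send the SSO cookie to host?"""
    host = host.lower().rstrip(".")
    domain = cookie_domain.lower().lstrip(".")  # browsers ignore the leading dot
    try:
        ipaddress.ip_address(host)
    except ValueError:
        # Host name: exact match, or a suffix match on a label boundary.
        return host == domain or host.endswith("." + domain)
    return host == domain  # IP literals only match exactly


def session_state(policy, created, last_seen, now) -> str:
    """Return 'active', 'expired_max_age' or 'expired_idle' (assumed semantics)."""
    if now - created >= policy.max_age:
        return "expired_max_age"  # absolute limit: activity does not extend it
    if now - last_seen >= policy.max_idle:
        return "expired_idle"
    return "active"


# Constructed sample values: 8 h max age, 30 min idle, cookie on .company.com.
POLICY = SessionPolicy(timedelta(hours=8), timedelta(minutes=30), ".company.com")
T0 = datetime(2024, 1, 1, 9, 0)


def audit_hosts(hosts, policy=POLICY):
    """Map each host to whether it receives the SSO cookie."""
    return {h: cookie_in_scope(h, policy.cookie_domain) for h in hosts}


if __name__ == "__main__":
    print(audit_hosts(["app.company.com", "blog.staging.company.com", "notcompany.com"]))
    print(session_state(POLICY, T0, T0 + timedelta(hours=7, minutes=50), T0 + timedelta(hours=8)))
```

Running `audit_hosts` over your DNS inventory lists every host that will receive the SSO cookie once the domain is set to `.company.com`, including nested subdomains.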
