QEHS admin guide

SSO setup (SAML & OIDC)

Connect Okta, Entra ID, Google Workspace, Auth0, Ping, JumpCloud, or any generic SAML/OIDC IdP.


Prerequisites

  • Your plan includes SSO (Business and Enterprise tiers by default).
  • You are tenant-owner or tenant-admin.
  • You have IdP admin access. For SAML you need metadata XML or the IdP-issued URL.

SAML (generic)

  1. Open /settings/sso and click "Add SAML provider".
  2. Copy the ACS URL and Entity ID into your IdP application config.
  3. Upload your IdP metadata XML, or paste the metadata URL.
  4. Map SAML attributes: NameID → email; FirstName, LastName, and optionally Groups.
  5. Enable JIT (just-in-time) provisioning if you want users auto-created on first SSO login.
  6. Click Test — sign in as yourself through the IdP. Successful login switches the provider status to Verified.
  7. Toggle "Require SSO for all users" once you have verified at least one production user can log in.

OIDC (Okta, Entra ID, Google, Auth0)

  1. Open /settings/sso and click "Add OIDC provider".
  2. Copy the redirect URI into your IdP.
  3. Paste your IdP issuer URL, client ID, and client secret.
  4. Review the default claim mapping: sub → id, email → email, name → display name, groups → group-to-role map.
  5. Test the connection. If it reports "groups claim missing", check your IdP includes groups in the ID token.

Group-to-role mapping

SSO groups can auto-assign roles. Add a rule like "acme-qehs-admins → tenant-admin" and every SSO login whose groups claim contains that ID is granted the role. Rules compose — a user in three matching groups gets the highest role.
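To make the OIDC claim-mapping defaults and the highest-role rule concrete, here is an added Python example that is not QEHS product code: it applies sub → id, email → email, name → display name and a set of group-to-role rules to the claims of an ID token, and fails with the same "groups claim missing" condition the Test step reports when the IdP leaves the claim out. The role ordering, the placeholder "member" role and the fallback of display name to email are assumptions, not documented product behaviour.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed role precedence, lowest to highest. tenant-admin and tenant-owner
# are named in the guide; "member" is a placeholder for the ordinary role.
ROLE_RANK = {"member": 0, "tenant-admin": 1, "tenant-owner": 2}


class ClaimMappingError(ValueError):
    """Raised when the ID token lacks a claim the mapping needs."""


@dataclass
class MappedUser:
    id: str
    email: str
    display_name: str
    role: Optional[str]


def resolve_role(groups: list[str], rules: dict[str, str]) -> Optional[str]:
    """Rules compose: each group matching a rule grants that rule's role and
    the user ends up with the highest one. Unmatched groups are ignored;
    None means no rule matched (what the product does then is not stated)."""
    granted = [rules[g] for g in groups if g in rules]
    unknown = [r for r in granted if r not in ROLE_RANK]
    if unknown:
        raise ValueError(f"rule maps to unknown role(s): {unknown}")
    return max(granted, key=ROLE_RANK.__getitem__) if granted else None


def map_claims(claims: dict, rules: dict[str, str]) -> MappedUser:
    """Apply the default mapping: sub -> id, email -> email, name -> display
    name, groups -> group-to-role rules."""
    missing = [c for c in ("sub", "email") if c not in claims]
    if missing:
        raise ClaimMappingError(f"required claim(s) missing: {missing}")
    if "groups" not in claims:
        # Same condition the Test button reports: the IdP did not put a
        # groups claim in the ID token, so no role rule can be evaluated.
        raise ClaimMappingError("groups claim missing")
    groups = claims["groups"]
    if isinstance(groups, str):  # some IdPs emit a single group as a string
        groups = [groups]
    return MappedUser(
        id=claims["sub"],
        email=claims["email"],
        display_name=claims.get("name", claims["email"]),  # assumed fallback
        role=resolve_role(groups, rules),
    )
```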
