# SSO / SAML Single Sign-On
Configure SAML 2.0 SSO with your Identity Provider. Supports Okta, Azure AD, Google Workspace, OneLogin, and any SAML 2.0 IdP.
AegisRunner supports SAML 2.0-based Single Sign-On. Team members log in using your corporate Identity Provider.
## How It Works
AegisRunner acts as a SAML Service Provider (SP). The flow is SP-initiated: users click "Sign in with SSO", enter their org slug, and are redirected to your IdP.
## Setup Steps
### Step 1: Get SP Details
From Settings → SSO, copy your SP Entity ID, ACS URL, and Metadata URL.
### Step 2: Create SAML App in Your IdP
| IdP Field | Value |
|---|---|
| SP Entity ID | https://api.aegisrunner.com/saml/your-org-slug |
| ACS URL | https://api.aegisrunner.com/api/v1/auth/saml/your-org-slug/acs |
| NameID Format | emailAddress |
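The SP-initiated flow in practice: after the user enters their org slug, the SP builds a SAML `AuthnRequest` whose `Issuer` is the SP Entity ID and whose `AssertionConsumerServiceURL` is the ACS URL from the table above, then deflates and base64-encodes it for the HTTP-Redirect binding. The following is an added example, not AegisRunner's own code; the org slug `acme` and the IdP SSO URL `https://idp.example.com/sso/saml` are constructed placeholders.

```python
"""Build an SP-initiated SAML 2.0 AuthnRequest and encode it for the HTTP-Redirect binding.

Added example, not AegisRunner code. The SP Entity ID and ACS URL follow the
Step 2 table for an org slug of "acme"; the IdP SSO URL is a constructed placeholder.
"""
import base64
import uuid
import zlib
from datetime import datetime, timezone
from urllib.parse import urlencode
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def sp_urls(org_slug):
    """SP identifiers exactly as the Step 2 table lists them, derived from the org slug."""
    return {
        "entity_id": f"https://api.aegisrunner.com/saml/{org_slug}",
        "acs_url": f"https://api.aegisrunner.com/api/v1/auth/saml/{org_slug}/acs",
    }


def build_authn_request(org_slug, request_id=None, issue_instant=None):
    """Return the AuthnRequest XML the SP sends to the IdP.

    ID and IssueInstant are fixed by the caller only for tests; in production
    the SP stores the ID so it can match the InResponseTo of the IdP's response.
    """
    urls = sp_urls(org_slug)
    request_id = request_id or "_" + uuid.uuid4().hex
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": issue_instant,
        # The IdP must POST its Response back to the ACS URL from the Step 2 table.
        "ProtocolBinding": POST_BINDING,
        "AssertionConsumerServiceURL": urls["acs_url"],
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = urls["entity_id"]
    # Ask for an email-address NameID, matching the "NameID Format" row.
    ET.SubElement(req, f"{{{SAMLP}}}NameIDPolicy",
                  {"Format": NAMEID_EMAIL, "AllowCreate": "true"})
    return ET.tostring(req, encoding="unicode")


def encode_for_redirect(xml_text):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return base64.b64encode(deflated).decode("ascii")


def decode_from_redirect(saml_request_param):
    """Inverse of encode_for_redirect; this is what the IdP does on receipt."""
    return zlib.decompress(base64.b64decode(saml_request_param), -15).decode("utf-8")


def redirect_url(idp_sso_url, org_slug, relay_state=None):
    """Location header the SP returns after the user enters their org slug."""
    params = {"SAMLRequest": encode_for_redirect(build_authn_request(org_slug))}
    if relay_state:
        # RelayState should be an opaque token the SP maps back to a path, not a raw URL.
        params["RelayState"] = relay_state
    return f"{idp_sso_url}?{urlencode(params)}"


if __name__ == "__main__":
    print(redirect_url("https://idp.example.com/sso/saml", "acme", "opaque-state-token"))
```

The `IssueInstant` and `ID` values the SP generates here are what lets it later reject a Response whose `InResponseTo` it never issued, which is why the SP should persist the request ID for the duration of the login.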
### Step 3: Configure in AegisRunner
Enter your IdP Entity ID, SSO URL, and X.509 certificate (PEM format). The certificate is encrypted with AES-256 at rest.
### Step 4: Policy
| Setting | Default | Description |
|---|---|---|
| Enforce SSO | Off | Blocks password/OAuth login for all org members |
| Auto-Provision | On | Auto-creates accounts for new SSO users |
| Default Role | Member | Role for auto-provisioned users |
| Allowed Domains | All | Restrict by email domain |
## JIT Provisioning
When enabled, new users authenticating via SSO are automatically added to your org. Disable to require manual invitation first.
## Enforce SSO
When enabled, password and OAuth login are blocked. Only SSO works.
## Supported IdPs
Okta, Microsoft Entra ID (Azure AD), Google Workspace, OneLogin, JumpCloud, Ping Identity, Auth0, Keycloak, AD FS — any SAML 2.0 provider.
## Troubleshooting
| Error | Fix |
|---|---|
| Signature verification failed | Re-upload the IdP certificate |
| Issuer mismatch | Verify IdP Entity ID matches exactly |
| No email in response | Set NameID format to emailAddress |
| Domain not allowed | Add domain to Allowed Domains or clear the field |
| Account not found | Enable Auto-Provision or invite user manually |
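The rows above correspond to checks an SP applies to the IdP's Response once its XML signature has been verified. The following added example (not AegisRunner's own code) runs those checks in order, applies the Step 4 settings Auto-Provision and Allowed Domains, and returns the table's wording for each failure. The IdP Entity ID `https://idp.example.com/metadata`, the org slug `acme`, the user addresses and the response XML are all constructed; signature verification itself is left to an XML-DSig library and is not shown.

```python
"""SP-side policy checks on a SAML Response, mapped to the troubleshooting table.

Added example, not AegisRunner code. It applies the Step 4 settings
(Auto-Provision, Allowed Domains) and returns the troubleshooting table's
wording for each failure. The response below is constructed; the IdP Entity
ID and the org slug "acme" are placeholders. XML-signature verification has
to happen before these checks, in an XML-DSig library, and is not shown.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
NAMEID_UNSPEC = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"


@dataclass(frozen=True)
class SsoPolicy:
    idp_entity_id: str                          # Step 3: IdP Entity ID
    sp_entity_id: str                           # Step 1/2: SP Entity ID, the expected Audience
    allowed_domains: frozenset = frozenset()    # Step 4: empty means "All"
    auto_provision: bool = True                 # Step 4: Auto-Provision
    clock_skew: timedelta = timedelta(minutes=2)


def _instant(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_response(xml_text, policy, known_users, now):
    """Return (email, None) on success, or (None, reason) using the troubleshooting wording."""
    # Parse untrusted XML with a hardened parser (e.g. defusedxml) in production.
    root = ET.fromstring(xml_text)
    assertion = root.find(f"{{{SAML}}}Assertion")
    if assertion is None:
        return None, "No assertion in response"

    # "Issuer mismatch": the IdP Entity ID must match exactly, with no normalisation.
    if assertion.findtext(f"{{{SAML}}}Issuer", default="") != policy.idp_entity_id:
        return None, "Issuer mismatch"

    # The Audience must be this org's SP Entity ID, or an assertion minted for
    # another SP would be accepted here.
    audience = assertion.findtext(
        f"{{{SAML}}}Conditions/{{{SAML}}}AudienceRestriction/{{{SAML}}}Audience", default="")
    if audience != policy.sp_entity_id:
        return None, "Audience mismatch"

    # Validity window, with a small tolerance for clock skew between SP and IdP.
    conditions = assertion.find(f"{{{SAML}}}Conditions")
    not_before = conditions.get("NotBefore") if conditions is not None else None
    not_on_or_after = conditions.get("NotOnOrAfter") if conditions is not None else None
    if not_before and now + policy.clock_skew < _instant(not_before):
        return None, "Assertion not yet valid"
    if not_on_or_after and now - policy.clock_skew >= _instant(not_on_or_after):
        return None, "Assertion expired"

    # "No email in response": NameID must use the emailAddress format and be non-empty.
    name_id = assertion.find(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
    if name_id is None or name_id.get("Format") != NAMEID_EMAIL or not (name_id.text or "").strip():
        return None, "No email in response"
    email = name_id.text.strip().lower()

    # "Domain not allowed": Allowed Domains restricts by the part after '@'.
    domain = email.rpartition("@")[2]
    if policy.allowed_domains and domain not in policy.allowed_domains:
        return None, "Domain not allowed"

    # "Account not found": unknown user while Auto-Provision is off.
    if email not in known_users and not policy.auto_provision:
        return None, "Account not found"
    return email, None


def sample_response(issuer, audience, email, not_before, not_on_or_after, fmt=NAMEID_EMAIL):
    """Constructed, unsigned Response used only to exercise the checks above."""
    return (
        f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1" Version="2.0" IssueInstant="{not_before}">'
        f'<saml:Assertion ID="_a1" Version="2.0" IssueInstant="{not_before}">'
        f'<saml:Issuer>{issuer}</saml:Issuer>'
        f'<saml:Subject><saml:NameID Format="{fmt}">{email}</saml:NameID></saml:Subject>'
        f'<saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}">'
        f'<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>'
        f'</saml:Conditions></saml:Assertion></samlp:Response>'
    )


# Constructed fixtures: placeholder IdP, the Step 2 SP Entity ID for org slug "acme".
IDP = "https://idp.example.com/metadata"
SP = "https://api.aegisrunner.com/saml/acme"
DEMO_NOW = datetime(2024, 6, 1, 12, 0, 0, tzinfo=timezone.utc)
DEMO_POLICY = SsoPolicy(idp_entity_id=IDP, sp_entity_id=SP, allowed_domains=frozenset({"example.com"}))


def run_demo():
    """Run one good response plus one per troubleshooting row; return {case: (email, reason)}."""
    nb, noa = "2024-06-01T11:59:00Z", "2024-06-01T12:05:00Z"
    cases = {
        "ok": sample_response(IDP, SP, "alice@example.com", nb, noa),
        "issuer": sample_response("https://idp.example.com/other", SP, "alice@example.com", nb, noa),
        "no_email": sample_response(IDP, SP, "alice", nb, noa, fmt=NAMEID_UNSPEC),
        "domain": sample_response(IDP, SP, "carol@other.example", nb, noa),
        "expired": sample_response(IDP, SP, "alice@example.com", "2024-06-01T11:00:00Z", "2024-06-01T11:30:00Z"),
    }
    results = {name: validate_response(xml, DEMO_POLICY, set(), DEMO_NOW) for name, xml in cases.items()}
    # Auto-Provision off and the user not yet invited: the last troubleshooting row.
    strict = SsoPolicy(idp_entity_id=IDP, sp_entity_id=SP, auto_provision=False)
    results["not_found"] = validate_response(cases["ok"], strict, {"bob@example.com"}, DEMO_NOW)
    return results


if __name__ == "__main__":
    for case, outcome in run_demo().items():
        print(f"{case:10s} -> {outcome}")
```

The order matters: Issuer and Audience are checked before anything derived from the Subject, so a response minted by the wrong IdP or for a different org never reaches the provisioning step, and an empty Allowed Domains set reproduces the table's default of "All".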