Enterprise admin SSO checklist

A tenant-specific admin console (e.g. admin.your-company.com) that must sign in with SSO only — what to configure on your app and on Authio.

Part of Authio Lobby

Use this when you ship a dedicated admin subdomain for one enterprise customer and want Authio Lobby to resolve the org automatically, skip the method picker when Require SSO is on, and land the user back on your BFF callback after the IdP round-trip.

Your app (customer)

  • Register the admin origin under Settings → Security → Allowed origins so auth-core accepts credentialed /v1/auth/refresh from your SPA/BFF.
  • Add the post-login callback under Allowed redirect URIs (exact string, e.g. https://admin.your-company.com/auth/callback).
  • Point the sign-in entry at Lobby with project_id and either redirect_uri or the legacy alias return_to set to that callback URL.
  • For SP-initiated flows, use the connection’s initiate URL instead of the hosted picker.

Authio org (dashboard or Management API)

  • Create or select the organization and connect an active SSO connection (Microsoft, OIDC, or SAML).
  • Add a verified org domain matching the admin host (e.g. admin.your-company.com). Lobby uses this to map redirect_uri → organization when organization_id is omitted.
  • Enable Require SSO on the org policy so Lobby redirects straight to the IdP.

Authio operator (Authio Cloud only)

  • For SAML connections, add the callback host to AUTHIO_SAML_ALLOWED_RELAYSTATE_HOSTS on the authio_sso service. OIDC connections do not use this list — see SP-initiated login URL.

Quick verification: GET /v1/public/org-sign-in-routing?project_id=proj_…&redirect_uri=https://admin.your-company.com/auth/callback should return require_sso: true and an active sso_connection once the org domain and policy are set.
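The customer-side items in this checklist (exact-string redirect URI registration, the Lobby entry URL, the SAML RelayState host list and the routing check) can be scripted as a pre-flight test. The following is an added example, not Authio's own code: the Lobby base URL, the project id, the `status` key on `sso_connection` and the sample routing response are constructed assumptions.

```python
from urllib.parse import urlencode, urlsplit

# Exact-string allowlist, mirroring Allowed redirect URIs (constructed sample).
ALLOWED_REDIRECT_URIS = {"https://admin.your-company.com/auth/callback"}
# Mirrors AUTHIO_SAML_ALLOWED_RELAYSTATE_HOSTS (constructed sample value).
SAML_ALLOWED_RELAYSTATE_HOSTS = {"admin.your-company.com"}

def redirect_uri_allowed(uri: str) -> bool:
    """Exact string match only: a trailing slash, an added query string or a
    look-alike host all fail, so the check never degrades to prefix matching."""
    return uri in ALLOWED_REDIRECT_URIS

def relaystate_host_allowed(relay_state: str) -> bool:
    """Compare the parsed hostname of a SAML RelayState URL against the allowed
    hosts, never a substring/endswith test (which 'admin.your-company.com.evil'
    would pass)."""
    host = urlsplit(relay_state).hostname
    return host is not None and host in SAML_ALLOWED_RELAYSTATE_HOSTS

def lobby_sign_in_url(lobby_base: str, project_id: str, redirect_uri: str) -> str:
    """Build the Lobby entry URL with project_id and redirect_uri (preferred over
    the legacy return_to alias), refusing URIs that are not registered."""
    if not redirect_uri_allowed(redirect_uri):
        raise ValueError(f"redirect_uri is not registered: {redirect_uri}")
    query = urlencode({"project_id": project_id, "redirect_uri": redirect_uri})
    return f"{lobby_base}?{query}"

def routing_ready(routing: dict) -> tuple[bool, list[str]]:
    """Evaluate a /v1/public/org-sign-in-routing response: require_sso must be
    true and an active sso_connection present. The 'status' key is an assumed
    field name; adapt it to the real response shape."""
    problems: list[str] = []
    if routing.get("require_sso") is not True:
        problems.append("Require SSO is off: Lobby would show the method picker")
    conn = routing.get("sso_connection")
    if not conn:
        problems.append("no sso_connection: org domain unverified or no connection")
    elif conn.get("status") != "active":
        problems.append(f"sso_connection status is {conn.get('status')!r}, not active")
    return (not problems, problems)

if __name__ == "__main__":
    # Constructed sample response, not captured from a real Authio tenant.
    sample = {"require_sso": True, "sso_connection": {"type": "saml", "status": "active"}}
    print(routing_ready(sample))
    print(lobby_sign_in_url("https://lobby.example/sign-in", "proj_EXAMPLE",
                            "https://admin.your-company.com/auth/callback"))
```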
