Authio docs

Single Sign-On

Connecting an identity provider

Authio gives every organization an SSO connection. There are three ways to create one — pick the lowest-friction path the customer's IdP supports.


An SSO connection ties one of your customer’s organizations to their identity provider. Every connection has a stable sso_-prefixed id (e.g. sso_2x7q…) and a protocol — either OIDC or SAML. Once a connection is active, the org can sign in through its IdP from the Lobby or via the SP-initiated login URL.

Connection ids are sso_…. Older drafts and examples used a conn_… prefix; that prefix no longer exists, so anywhere you see conn_ it should read sso_.

The three ways to connect, in order of preference

1. One-click Microsoft (recommended for Entra ID)

The customer admin clicks Connect Microsoft, approves a single Microsoft admin-consent screen, and Authio uses Microsoft Graph to auto-create the Entra application, service principal, and client secret — then provisions an active OIDC connection automatically. No App registration, no metadata copy-paste, no fields to fill in. This is the fastest path and the one to lead with for any customer on Microsoft Entra ID.

See One-click Microsoft.

2. OIDC (generic / other IdPs)

For any IdP that speaks OpenID Connect (Okta, Auth0, Keycloak, Google, PingFederate, generic OIDC), create a connection with three values: the issuer URL, a client id, and a client secret. Authio does OIDC discovery, runs the authorization-code + PKCE flow, validates the id_token, and stores the client secret encrypted at rest. The only thing the IdP admin copies back is Authio’s redirect (callback) URL.

See OIDC connections.
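Two of the client-side checks the OIDC paragraph above describes, written out as an added example (not Authio's own code): the S256 PKCE pair for the authorization-code request, and the id_token claim checks against the connection's stored issuer and client id. The issuer, client id, nonce and claims below are constructed sample values, and signature verification against the issuer's JWKS (found via discovery) is assumed to have already passed before the claims are checked.

```python
import base64
import hashlib
import secrets
import time
from typing import List, Optional


def pkce_challenge(verifier: str) -> str:
    """RFC 7636 S256: code_challenge = BASE64URL(SHA256(code_verifier)), no padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def make_pkce_pair():
    """Fresh (code_verifier, code_challenge); the verifier stays server-side until the token request."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    return verifier, pkce_challenge(verifier)


def validate_id_token_claims(claims: dict, *, issuer: str, client_id: str,
                             nonce: str, now: Optional[float] = None) -> List[str]:
    """Return the list of problems found; an empty list means the claims are acceptable."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != issuer:                      # must be the connection's configured issuer
        problems.append("iss mismatch")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if client_id not in aud_list:                        # token must be addressed to this client
        problems.append("aud does not contain client_id")
    elif len(aud_list) > 1 and claims.get("azp") != client_id:
        problems.append("multiple audiences but azp is not client_id")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:  # reject expired or unset tokens
        problems.append("exp missing or in the past")
    if claims.get("nonce") != nonce:                     # binds the token to this login attempt
        problems.append("nonce mismatch")
    if not claims.get("sub"):
        problems.append("missing sub")
    return problems


# Constructed sample values for a hypothetical OIDC connection (not real endpoints or tokens).
ISSUER = "https://idp.example.test/oauth2/default"
CLIENT_ID = "authio-sso-sample-client"
NONCE = "n-0S6_WzA2Mj"
NOW = 1_700_000_300
GOOD_CLAIMS = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "user-42",
               "iat": 1_700_000_000, "exp": 1_700_000_600, "nonce": NONCE}
```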

3. SAML (manual)

For SAML 2.0 IdPs, Authio mints the connection up front and shows the service-provider values — Entity ID and ACS URL — inline with copy buttons, so there is no chicken-and-egg between creating the connection and configuring the IdP. The admin pastes those into the IdP, uploads the IdP metadata back, and the connection goes active.

See SAML connections.

One organization can hold at most one connection per protocol — one SAML and one OIDC. Connections start as a draft and flip to active once configured; unconfigured drafts auto-expire after 7 days and can be removed by hand.

Who drives the setup

  • Your customer’s admin, in your dashboard. The org Features tab has a Single Sign-On section with the Connect Microsoft button and the add-connection flow.
  • Their IT admin, self-serve. Hand them a one-time link to the SSO Setup Portal, or embed the SSO Connection widget in your own UI. Both mint the connection up front and show the same SP values / consent button.

Operator / self-hosting prerequisite for one-click Microsoft. The one-click flow needs a single multitenant Entra application that you (the Authio operator) register once, with the Microsoft Graph Application.ReadWrite.All application permission. Its credentials are supplied to the SSO service via AUTHIO_MS_PROVISION_CLIENT_ID and AUTHIO_MS_PROVISION_CLIENT_SECRET, and the allowed post-consent return hosts via AUTHIO_MS_CONSENT_RETURN_HOSTS. Until those are set, the Connect Microsoft button is unavailable (the management API returns ms_provision_not_configured) and customers fall back to OIDC or SAML. Full operator setup is on the One-click Microsoft page.

Related