Last updated: 12/9/2025

SSO Configuration (Single Sign-On)

Properly configuring SSO (Single Sign-On) in InnoSynth-Forjinn allows enterprise teams and organizations to use their existing identity providers (IdPs) for authentication, access control, and compliance. This guide details supported providers, setup steps, best practices, and troubleshooting.


Overview

Single Sign-On lets users log into Forjinn with their work or university accounts (Google, Microsoft, Okta, etc.). This centralizes access control, improves security, and supports enterprise policy compliance through standard protocols (SCIM, SAML, OpenID Connect).


Supported Providers

  • OIDC/OAuth2: Google Workspace, Microsoft Azure AD, Okta, Auth0, any OIDC-compatible IdP
  • SAML 2.0: Okta, OneLogin, ADFS, other SAML providers
  • Custom: Bring-Your-Own IdP using standard protocol endpoints

Configuring SSO

UI Configuration

  1. Go to Settings → Authentication/SSO in the admin panel.
  2. Click Add Provider and select your IdP type (Google, Azure, SAML, Generic OIDC).
  3. Fill in required fields:
    • Client ID & Secret (OAuth/OIDC)
    • Discovery URL/Metadata URL (OIDC/SAML)
    • Audience/Entity ID (SAML)
    • Callback URL (auto-generated; register in your IdP)
    • Scopes: e.g., openid email profile
  4. (Optional) Map IdP group/role claims to platform user roles for access control.

IdP-side Setup

  • Register a new application in your Identity Provider.
  • Paste the platform's callback URL and set the allowed origins.
  • Download/copy metadata XML or endpoint details as required.
  • Add users/groups to the app as needed.

Finalize & Test

  • Save provider in Forjinn settings.
  • Test login: Visit /login and choose your IdP's button.
  • For SAML, inspect assertion for correct email/username/roles.

Role & Group Mapping

  • Assign default roles (user, admin, developer) for new SSO signups.
  • Map IdP group/role claims (e.g., admins, engineers) to platform permissions.
  • Enforce role updates on subsequent logins, or set up SCIM for automatic group sync.

Best Practices

  • Limit SSO to organization email domains.
  • Enforce 2FA/MFA at IdP level.
  • Rotate client secrets periodically and audit callback URLs.
  • Back up configuration in settings/.env for disaster recovery.
  • Test all role mappings with non-admin demo accounts before rollout.
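The group-to-role mapping from the Role & Group Mapping section and the domain restriction from the Best Practices list, enforced in one place, as an added example that is not Forjinn's own code. It assumes the IdP claims (an OIDC ID token or parsed SAML attributes) have already been signature-verified and decoded into a dict; the org domain, group names and role names are placeholders.

```python
"""Resolve a platform role from verified IdP claims (added example).

Assumptions (not from the Forjinn docs): the claims dict is already
signature-verified, the org domain is example.com, and the IdP sends
group membership in a "groups" claim.
"""

ALLOWED_DOMAINS = {"example.com"}      # placeholder org email domains
DEFAULT_ROLE = "user"                  # default role for new SSO signups
GROUP_TO_ROLE = {                      # placeholder IdP group -> platform role
    "admins": "admin",
    "engineers": "developer",
}
ROLE_RANK = {"user": 0, "developer": 1, "admin": 2}


class SsoPolicyError(Exception):
    """Raised when a login must be rejected by SSO policy."""


def resolve_role(claims: dict) -> str:
    """Return the platform role for an already-verified set of IdP claims.

    - rejects logins without a verified email or outside the allowed domains
    - maps group claims to roles, keeping the highest-privilege match
    - falls back to DEFAULT_ROLE when no mapped group is present
    - is meant to run on every login, so a group removed at the IdP also
      removes the corresponding platform role
    """
    if not claims.get("email_verified", False):
        raise SsoPolicyError("IdP did not assert a verified email")
    email = claims.get("email", "")
    domain = email.rpartition("@")[2].lower()
    if domain not in ALLOWED_DOMAINS:
        raise SsoPolicyError(f"email domain {domain!r} is not allowed for SSO")

    groups = claims.get("groups", [])
    if isinstance(groups, str):        # some IdPs send a single group as a string
        groups = [groups]
    mapped = [GROUP_TO_ROLE[g] for g in groups if g in GROUP_TO_ROLE]
    if not mapped:
        return DEFAULT_ROLE
    return max(mapped, key=ROLE_RANK.__getitem__)
```

Call `resolve_role` on every SSO login rather than only at first signup, so role changes at the IdP take effect without waiting for SCIM sync.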

Troubleshooting

  • Login fails with "invalid client" or "redirect uri mismatch": Double-check all callback URIs match your IdP app registration.
  • SAML errors: Use browser dev tools or SAML-tracing browser plugins to inspect assertions.
  • User can't log in: Verify user is assigned the app in IdP, and is in correct groups.
  • Role mapping not applied: Confirm SAML/OIDC claim settings; see platform logs for detailed mapping errors.
  • SSO lockout: Always keep a local admin or backup login available in case SSO config needs to be disabled (do not lock out all access).

SSO ensures secure, auditable, and scalable access for teams and enterprises—get it right for safe production deployment!