Single Sign-On (SSO)
Qarion supports enterprise Single Sign-On through the OpenID Connect (OIDC) and SAML 2.0 protocols. SSO lets your team authenticate with your existing identity provider (IdP), such as Okta, Azure AD (now Microsoft Entra ID), or Google Workspace, instead of a separate Qarion password.
How It Works
When SSO is enabled for an organization, users are redirected to your IdP for authentication. After the IdP authenticates them, Qarion provisions an account if one does not exist yet and signs them in with membership in the organization that owns the SSO configuration.
Configuring SSO
SSO is configured at the organization level. Contact your platform administrator to set up SSO and provide the following information. The Client Secret is a credential and should be shared only through a secure channel; the other values are not secret.
OIDC Configuration
| Setting | Description |
|---|---|
| Provider Name | Human-readable name shown on the login page (e.g., "Sign in with Okta") |
| Client ID | OAuth 2.0 Client ID from your IdP |
| Client Secret | OAuth 2.0 Client Secret; used by Qarion to authenticate to the token endpoint |
| Authorization URL | IdP authorization endpoint |
| Token URL | IdP token endpoint |
| Issuer URL | OIDC issuer URL; ID tokens whose `iss` claim does not match it are rejected |
| Allowed Domains | Email domains permitted to log in via SSO; a login whose email domain is not listed fails with "Domain not allowed" |
SAML 2.0 Configuration
| Setting | Description |
|---|---|
| Provider Name | Human-readable name for the login button |
| IdP Entity ID | Your IdP's entity identifier |
| IdP SSO URL | Single Sign-On service URL |
| IdP Certificate | X.509 signing certificate used to validate the signature on SAML responses and assertions |
| Allowed Domains | Email domains permitted to log in; a login whose email domain is not listed fails with "Domain not allowed" |
For SAML setups, Qarion provides a Service Provider (SP) metadata endpoint at /sso/metadata/{org_slug} that you can import into your IdP; it carries Qarion's SP entity ID and assertion consumer service URL, so the IdP does not have to be configured with those by hand.
SSO Login Flow
- User visits the Qarion login page and clicks the SSO button
- Qarion redirects to your IdP's authorization URL
- User authenticates with the IdP
- IdP redirects the browser back to Qarion with an authorization code (OIDC) or a signed SAML response containing the assertion (SAML)
- Qarion validates the response (for OIDC, exchanging the code at the token endpoint and checking the ID token's signature, issuer, audience and expiry; for SAML, checking the assertion signature against the IdP certificate), provisions the user if needed, and issues a JWT for the session
Cross-Instance SSO
For organizations with multiple Qarion instances, Cross-Instance SSO enables a single IdP configuration to authenticate users across all instances. When a user authenticates:
- Qarion resolves the target instance from the organization's SSO configuration
- The user is provisioned in the target instance (if not already a member)
- The JWT includes instance context, ensuring the user is routed to the correct instance
This eliminates the need to configure SSO separately for each instance.
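The SSO Login Flow above and the instance-context JWT from Cross-Instance SSO, as an added example that is not Qarion's code: a minimal OIDC relying party in Python using only the standard library. The IdP is simulated in-process and signs the ID token with HS256 using the client secret (OIDC permits this; most IdPs use RS256 with keys from their JWKS endpoint, and the same claim checks apply). The client ID, client secret, issuer, redirect URI, session signing key, the `acme` organization, its allowed domain and its `eu-1` instance are all assumed values, and `complete_login` takes the ID token directly in place of a real code exchange.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import urlencode

# Hypothetical configuration values (assumptions for this example, not Qarion's).
CLIENT_ID = "qarion-acme"
CLIENT_SECRET = "constructed-client-secret"
ISSUER = "https://idp.example.com"
AUTHORIZATION_URL = ISSUER + "/authorize"
REDIRECT_URI = "https://qarion.example.com/sso/callback/acme"
SESSION_SIGNING_KEY = "constructed-session-key"
# Per-organization SSO configuration; "instance" is the cross-instance SSO target (constructed).
SSO_CONFIG = {"acme": {"allowed_domains": {"example.com"}, "instance": "eu-1"}}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def jwt_sign_hs256(claims: dict, key: str) -> str:
    """Compact JWS, HS256, stdlib only."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(key.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def jwt_verify_hs256(token: str, key: str) -> dict:
    """Pin the algorithm and check the signature before trusting any claim."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed JWT")
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # rejects alg=none and key-confusion tricks
    expected = hmac.new(key.encode(), f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(payload_b64))

def build_authorization_url(state: str, nonce: str) -> str:
    """Step 2 of the login flow: state and nonce are fresh, unguessable, per login."""
    return AUTHORIZATION_URL + "?" + urlencode({
        "response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
        "scope": "openid email profile", "state": state, "nonce": nonce})

def validate_id_token(id_token: str, nonce: str, now: float) -> dict:
    """Step 5: signature, issuer, audience, expiry and nonce must all check out."""
    claims = jwt_verify_hs256(id_token, CLIENT_SECRET)
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if aud != CLIENT_ID and not (isinstance(aud, list) and CLIENT_ID in aud):
        raise ValueError("token not issued for this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch")
    return claims

def email_domain_allowed(email: str, allowed_domains: set) -> bool:
    """Exact, case-insensitive match on the domain part. No suffix matching, so
    alice@evil-example.com is rejected when only example.com is allowed."""
    if email.count("@") != 1:
        return False
    return email.rsplit("@", 1)[1].lower() in {d.lower() for d in allowed_domains}

def issue_session_jwt(claims: dict, org_slug: str, now: float) -> str:
    """The session JWT carries org and target instance (cross-instance SSO routing)."""
    instance = SSO_CONFIG[org_slug]["instance"]
    return jwt_sign_hs256({"sub": claims["sub"], "email": claims["email"], "org": org_slug,
                           "instance": instance, "iat": int(now), "exp": int(now) + 3600},
                          SESSION_SIGNING_KEY)

def complete_login(org_slug: str, callback_state: str, expected_state: str,
                   id_token: str, nonce: str, now: float) -> str:
    """Steps 4-5: bind the callback to the login that started it, validate the
    ID token, enforce allowed domains, then issue the session JWT."""
    if not hmac.compare_digest(callback_state, expected_state):
        raise ValueError("state mismatch")
    claims = validate_id_token(id_token, nonce, now)
    if not email_domain_allowed(claims.get("email", ""), SSO_CONFIG[org_slug]["allowed_domains"]):
        raise ValueError("Domain not allowed")
    return issue_session_jwt(claims, org_slug, now)

def simulate_idp_id_token(nonce: str, email: str, now: float) -> str:
    """Stand-in for what the IdP's token endpoint returns after the code exchange (constructed)."""
    return jwt_sign_hs256({"iss": ISSUER, "aud": CLIENT_ID, "sub": "user-123", "email": email,
                           "nonce": nonce, "iat": int(now), "exp": int(now) + 300}, CLIENT_SECRET)

if __name__ == "__main__":
    state, nonce, now = secrets.token_urlsafe(16), secrets.token_urlsafe(16), time.time()
    print(build_authorization_url(state, nonce))
    id_token = simulate_idp_id_token(nonce, "alice@example.com", now)
    print(jwt_verify_hs256(complete_login("acme", state, state, id_token, nonce, now),
                           SESSION_SIGNING_KEY))
```

The order of checks is deliberate: the algorithm is pinned and the signature verified before any claim is read, `state` is compared in constant time before the token is touched, and the allowed-domains check matches the whole domain rather than a suffix. A token that fails any check is rejected outright; the session JWT's `instance` claim is what a multi-instance deployment uses to route the request.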
Enforcing SSO
When SSO Required is enabled for an organization:
- The standard email/password login is disabled
- Users must authenticate through the configured IdP
- The login page shows only the SSO button
Single Logout (SLO)
Qarion supports single logout initiated from Qarion (SP-initiated SLO). When a user clicks "Sign Out":
- Qarion clears the local session
- If the IdP supports SLO, the user is redirected to the IdP's logout endpoint
- The IdP terminates the SSO session across all connected applications
If the IdP does not support SLO, only the Qarion session ends; the IdP session remains valid, so a user on a shared device can be signed back in to Qarion without re-entering credentials until the IdP session expires.
User Provisioning
Users are automatically provisioned on their first SSO login:
- Email — Extracted from the IdP's claims
- Name — First and last name from IdP claims (if available)
- Organization Membership — Automatically linked to the SSO-configured organization
- Instance Membership — For cross-instance SSO, users are added to the target instance
Troubleshooting
"SSO not configured" — Verify that SSO has been set up for your organization. The organization slug in the login URL must match the configured organization.
"Domain not allowed" — Your email domain is not in the allowed domains list for this SSO configuration.
Login page doesn't show SSO button — Ensure you are navigating to the organization-specific login URL.
Related Documentation
- User Management — Managing users and their organization membership
- Multi-Instance — Understanding multi-instance architecture