Single Sign-On (SSO)

PrivacyForge supports enterprise SSO through SAML 2.0, OAuth 2.0, and OpenID Connect. This guide covers setup, configuration, and troubleshooting.

SSO is available on the Enterprise plan only.


Supported Protocols

SAML 2.0

XML-based protocol widely used in enterprise environments. Works with Okta, Azure AD, OneLogin, PingFederate, and ADFS.

OAuth 2.0

Token-based authorization framework. Supports PKCE for enhanced security. Works with custom OAuth providers.

OpenID Connect

Identity layer built on OAuth 2.0. Auto-discovers endpoints from issuer URL. Works with Google Workspace, Azure AD, Keycloak.


Setting Up SSO

  1. Navigate to Settings → SSO in your PrivacyForge dashboard (Enterprise plan required).
  2. Click "Add Provider" and select your protocol (SAML 2.0, OAuth 2.0, or OpenID Connect).
  3. Configure your Identity Provider (IdP) using the SP metadata provided by PrivacyForge.
  4. Enter the IdP details in the PrivacyForge configuration form.
  5. Test the connection using the built-in test button.
  6. Activate the provider and optionally set it as default.

SAML 2.0 Configuration

PrivacyForge SP Details

Provide these to your Identity Provider:

ACS URL: https://your-domain.com/api/auth/saml/acs/{orgId}
SP Metadata: https://your-domain.com/api/auth/saml/metadata/{orgId}
SP Entity ID: https://your-domain.com

Required from your IdP

  • Entity ID -- The IdP's unique identifier
  • SSO URL -- The IdP's login endpoint
  • X.509 Certificate -- Used to verify SAML assertions
  • SLO URL (optional) -- For single logout support

OAuth 2.0 / OIDC Configuration

Required from your IdP

  • Client ID -- Application identifier from your IdP
  • Client Secret -- Application secret from your IdP
  • Authorization URL -- Where users are redirected to authenticate
  • Token URL -- Endpoint to exchange authorization codes for tokens
  • UserInfo URL -- Endpoint to fetch user profile data
  • Scopes -- Typically openid email profile

For OpenID Connect, you only need the Issuer URL -- PrivacyForge will auto-discover all endpoints via the .well-known/openid-configuration document.

Redirect URI: https://your-domain.com/api/auth/oauth/callback/{orgId}

Attribute Mapping

Map your IdP's user attributes to PrivacyForge fields. Default mappings:

PrivacyForge FieldCommon IdP Attribute
Emailemail, mail, http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
First NamefirstName, givenName, given_name
Last NamelastName, surname, family_name
Rolerole, groups, memberOf

IdP-Specific Guides

Okta
  1. In Okta Admin, go to Applications → Create App Integration.
  2. Select SAML 2.0 and click Next.
  3. Set the Single Sign-On URL to your ACS URL.
  4. Set the Audience URI to your SP Entity ID.
  5. Configure attribute statements for email, firstName, lastName.
  6. Complete the wizard and download the IdP metadata or certificate.
  7. Enter the IdP details in PrivacyForge Settings → SSO.
Azure Active Directory (Entra ID)
  1. In Azure Portal, go to Enterprise Applications → New Application.
  2. Select Create your own application (Non-gallery).
  3. Go to Single sign-on → SAML.
  4. Set Entity ID and Reply URL to your SP values.
  5. Download the Federation Metadata XML or certificate.
  6. Copy the Login URL and Azure AD Identifier.
  7. Enter these in PrivacyForge Settings → SSO.
Google Workspace
  1. In Google Admin Console, go to Apps → Web and mobile apps.
  2. Click Add App → Add custom SAML app.
  3. Download the IdP metadata (or copy SSO URL and certificate).
  4. Set ACS URL and Entity ID to your SP values.
  5. Configure attribute mapping for email and name.
  6. Turn on the app for your organizational unit.
  7. Enter the IdP details in PrivacyForge Settings → SSO.

Troubleshooting

SAML assertion validation failed

Check that your IdP's certificate matches the one configured in PrivacyForge. Certificates may need to be renewed periodically.

User not provisioned

PrivacyForge uses Just-In-Time (JIT) provisioning. On first login, a user account is automatically created. Ensure the IdP sends an email attribute.

Clock skew error

SAML assertions are time-sensitive. Ensure your IdP server's clock is synchronized (NTP). PrivacyForge allows a 5-minute clock skew by default.

OAuth callback error

Verify the redirect URI in your IdP matches exactly: https://your-domain.com/api/auth/oauth/callback/{orgId}

SSO provider not found for email domain

Your organization's domain must be configured in PrivacyForge. Contact your administrator to verify the domain setting.