SSO Configuration (SAML/OIDC)
Set up single sign-on with your identity provider.
Basirah supports SAML 2.0 and OpenID Connect (OIDC) for single sign-on. This guide walks through the setup for either protocol.
Choose your protocol
| Aspect | SAML 2.0 | OIDC |
|---|---|---|
| Best for | Enterprise IdPs with SAML-first support | Modern IdPs and custom OAuth2 flows |
| Configuration | Upload IdP metadata or enter SSO URL + cert | Enter discovery URL, client ID, client secret |
| Group mapping | Via SAML attribute statements | Via groups scope / claims |
Create an application in your IdP
In your identity provider (Okta, Entra ID, Google Workspace, or similar), create a new SAML or OIDC application for Basirah. Your Basirah instance provides the callback URL and service provider metadata needed for this step.
Configure SSO in Basirah
Enter the IdP configuration details in Basirah’s SSO settings. For SAML, this includes the SSO URL, entity ID, and signing certificate. For OIDC, provide the discovery URL, client ID, and client secret.
Map IdP groups to Basirah roles
If your IdP sends group claims, configure group-to-role mappings so that users are assigned the correct Basirah role automatically on login. For example, map your `security-leads` group to the Admin role and `vuln-analysts` to Analyst.
Enable just-in-time provisioning
With JIT provisioning, users who authenticate via SSO for the first time get a Basirah account created automatically. Configure the default role for JIT-provisioned users, or disable JIT if you prefer to pre-create accounts.
Test the SSO flow
Log out and sign in through your IdP to verify the end-to-end flow. Confirm that the correct role is assigned and that group mappings work as expected.
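As an aid for this test step, the following added example (not Basirah code or its configuration format) models the group-to-role and JIT decisions from the steps above, so you can write down the role you expect for each test user before signing in. The most-privileged-wins rule for users in several mapped groups, the case-sensitive group matching, and the `Viewer` default role are assumptions to check against your instance.

```python
# Added example: expected-role calculator for SSO test accounts.
# Not Basirah code. Role precedence, exact-match group names and the
# "Viewer" default role are assumptions made for illustration.
from typing import Iterable, List, Optional, Union

# Mapping taken from the guide's example.
GROUP_TO_ROLE = {"security-leads": "Admin", "vuln-analysts": "Analyst"}
# Assumed precedence when a user belongs to several mapped groups.
ROLE_RANK = {"Admin": 2, "Analyst": 1, "Viewer": 0}


def normalize_groups(claim: Union[None, str, Iterable]) -> List[str]:
    """IdPs may send groups as a list, a single string, or omit the claim."""
    if claim is None:
        return []
    if isinstance(claim, str):
        claim = [claim]
    return [g.strip() for g in claim if isinstance(g, str) and g.strip()]


def resolve_role(groups_claim, *, existing_role: Optional[str],
                 jit_enabled: bool,
                 jit_default_role: str = "Viewer") -> Optional[str]:
    """Return the role expected after login, or None if login is refused."""
    if existing_role is None and not jit_enabled:
        return None  # JIT disabled: only pre-created accounts may sign in
    mapped = [GROUP_TO_ROLE[g] for g in normalize_groups(groups_claim)
              if g in GROUP_TO_ROLE]
    if mapped:
        # Most privileged mapped role wins (assumed precedence).
        return max(mapped, key=ROLE_RANK.__getitem__)
    # No mapped group: keep the pre-created role, else the JIT default.
    return existing_role or jit_default_role


if __name__ == "__main__":
    # Constructed test users: (groups claim, existing role, JIT enabled).
    cases = [
        (["security-leads", "vuln-analysts"], None, True),
        ("vuln-analysts", None, True),      # claim sent as a bare string
        (["Security-Leads"], None, True),   # case mismatch: no mapping hit
        (["security-leads"], None, False),  # JIT off, no account
        (None, "Analyst", False),           # pre-created, no groups claim
    ]
    for groups, role, jit in cases:
        print(groups, "->",
              resolve_role(groups, existing_role=role, jit_enabled=jit))
```

A user whose groups match no mapping lands on the JIT default, so that default should be the least-privileged role you offer.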