
Login goes through their IdP.
You stay out of it.

SAML, OIDC, Okta, Azure AD, Google Workspace. Buyers self-serve their connection in minutes, and you spend zero engineering time per customer.

Flow · SP-initiated · req_01HZX9 · 200 OK

SERVICE PROVIDER: app.acme.com (your product)
  redirect 302 →
AUTHAZ · SAML BROKER: Connection · acme (entity_id · acs · cert), handshake · 38ms
IDENTITY PROVIDER: Okta · acme.okta.com, val@acme.com, ✓ signed assertion

① AuthnRequest · signed · binding=POST
② SAMLResponse · NameID · attributes

SAMLResponse · decoded

    <saml:Assertion>
      <Issuer>https://acme.okta.com</Issuer>
      <Subject>
        <NameID>val@acme.com</NameID>
      </Subject>
      <AttributeStatement>
        groups = [engineering, admins]
        department = platform
      </AttributeStatement>
    </saml:Assertion>

VERIFICATION
signature: ✓ valid
cert chain: ✓ trusted
audience: app.acme.com
not-on-or-after: 5m
JIT provision: ✓ enabled
group → role: admins → admin

Why it matters

SSO is the gate to every six-figure deal.

Procurement asks for SAML before they ask for the contract. Authaz turns it from a quarter-long project into a checkbox at signup.

01

Every IdP your buyer has

Okta, Azure AD, Google, OneLogin, JumpCloud, Ping, Auth0, generic SAML/OIDC. We handle the protocol; they paste a URL.

02

Self-serve, not custom-built

Embed our setup wizard in your settings page. The buyer's IT admin connects their own IdP: no Zoom calls, no shared metadata.xml.

03

JIT users, mapped roles

Users land in the right org with the right role on first login. Group claims map to your roles, automatically.

Identity providers

Connect any IdP your buyer brings.

Pre-built integrations for the providers that win deals, and clean SAML/OIDC for everything else.

  • Okta
  • Azure AD
  • Google
  • OneLogin
  • JumpCloud
  • Ping
  • Auth0
  • Generic

The flow

Eleven minutes, not eleven weeks.

01

A wizard your buyer runs themselves.

No engineer in the room. The buyer pastes their IdP metadata URL, runs a test login, and the connection goes live, all inside your app.

  • embeddable wizard or hosted page
  • auto-detect IdP from metadata
  • live error surfacing for the admin

  1. Buyer enters their domain: acme.com
  2. Authaz generates ACS + entity ID: sp.authaz.io/acme
  3. Buyer pastes IdP metadata URL: sso.acme.com/saml
  4. Test login as IdP admin: one click
  5. Connection goes live: avg 11 minutes

02

Embed it in your own settings page.

Drop in our React component or use the JSON API. Looks like part of your product. Buyer never leaves your domain.

  • <SSOConnect /> React component
  • fully themeable
  • audit log of every connection change
app.acme.com / settings / sso

Single Sign-On

Connect your IdP so your team logs in with their work credentials.

https://sso.acme.com/saml/metadata
Verify connection →
powered by authaz · embedded

03

JIT provisioning and role mapping.

When a user logs in for the first time, we create them in the right org with the right role, driven by claims from the assertion.

  • SAML attributes → user fields
  • group claims → roles
  • auto-create + auto-deactivate

SAML ASSERTION → AUTHAZ USER
email        val@acme.com               → user.email
groups       ["Engineering","Admins"]   → user.role = "admin"
department   Platform                   → user.team = "platform"
employeeId   E-2841                     → user.external_id
manager      rod@acme.com               → user.metadata.manager

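
One way to express the attribute and group-to-role mapping in the table above, as an added example that is not Authaz's code. The names `provisionUser`, `toList`, `ROLE_RANK` and `defaultRole` are hypothetical, group matching is assumed to be exact and case-sensitive, and the attributes are assumed to come from an assertion whose signature, audience and expiry were already verified.

```javascript
// Added illustration; not Authaz's implementation. All names are hypothetical.
// Input: attributes from an assertion that has ALREADY passed signature,
// audience and NotOnOrAfter checks. Never map roles from an unverified assertion.

// Explicit privilege order, lowest first. Roles outside this list are rejected.
const ROLE_RANK = ["member", "editor", "admin"];

function toList(v) {
  // SAML attributes may be single- or multi-valued; normalise to an array of strings.
  if (v === undefined || v === null) return [];
  return (Array.isArray(v) ? v : [v]).filter((x) => typeof x === "string");
}

function provisionUser(attrs, roleMap, defaultRole = "member") {
  const email = toList(attrs.email)[0];
  if (!email || !email.includes("@")) {
    throw new Error("assertion has no usable email attribute");
  }
  // Own-property, exact-match lookup: a group named "constructor" cannot
  // resolve to something inherited from Object.prototype, and "admins"
  // does not match a rule written for "Admins" (assumed policy).
  const matched = toList(attrs.groups)
    .filter((g) => Object.prototype.hasOwnProperty.call(roleMap, g))
    .map((g) => roleMap[g]);
  const candidates = [...matched, defaultRole];
  for (const r of candidates) {
    if (!ROLE_RANK.includes(r)) throw new Error(`unknown role: ${r}`);
  }
  // Unmapped groups grant nothing, so the user falls back to the least-privileged
  // default. With several matches, the highest-ranked mapped role wins.
  const role = candidates.reduce((a, b) =>
    ROLE_RANK.indexOf(b) > ROLE_RANK.indexOf(a) ? b : a
  );
  return {
    email,
    role,
    team: (toList(attrs.department)[0] || "").toLowerCase() || null,
    external_id: toList(attrs.employeeId)[0] || null,
    metadata: { manager: toList(attrs.manager)[0] || null },
  };
}

// Constructed sample, using the values shown in the mapping table above.
const sample = {
  email: "val@acme.com", groups: ["Engineering", "Admins"],
  department: "Platform", employeeId: "E-2841", manager: "rod@acme.com",
};
const roleMap = { Admins: "admin" };
console.log(provisionUser(sample, roleMap));
```

The fallback to `defaultRole` is the part worth reviewing in any role map: a renamed or misspelled IdP group should lower a user's access, never raise it.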
API

One call to provision a connection.

Or skip the API entirely and let buyers configure SSO in our hosted dashboard. Both produce the same connection.

POST /v1/sso/connections (201 · created)

    await authaz.sso.create({
      org_id: "org_acme",
      protocol: "saml",
      metadata: "https://sso.acme.com/saml/metadata",
      role_map: { "Admins": "admin" },
    });

Spec

The fine print, up front.

Protocols
SAML 2.0 · OIDC · OAuth 2.0
Pre-built IdPs
Okta · Azure AD · Google Workspace · OneLogin · JumpCloud · Ping · Auth0 · ADFS · generic
Setup mode
embedded wizard · hosted setup page · admin API
JIT provisioning
auto-create · auto-deactivate · attribute → field mapping · group → role
Multiple connections
unlimited per org · primary + fallback
SP-initiated + IdP-initiated
both supported · deep-link ready
Encryption
signed assertions · encrypted assertions · automatic cert rotation
Pricing model
per connection · no per-seat surcharge
Pairs with

One platform. Every primitive.

Every Authaz product shares the same primitives: sessions, policies, audit, tenants. Pick what you need today; add the rest when you do.

Get started

Stop losing deals to a missing SAML checkbox.

Production-grade SSO, configured by your buyers, audited by default.