SSO Setup Guide

Configure SAML-based Single Sign-On for your organization. Supports Okta, Azure AD, Google Workspace, OneLogin, and any SAML 2.0 identity provider.

📋 Prerequisites

SSO requires an organization with owner role. Create one via POST /api/v1/organizations first.

Step 1: Get Your SAML Metadata

Fetch PrivaBase's Service Provider (SP) metadata for your organization:

curl https://api.privabase.com/api/v1/organizations/YOUR_ORG_ID/sso/metadata \
  -H "Authorization: Bearer YOUR_TOKEN"

This returns:

Entity ID — PrivaBase's SAML entity identifier
ACS URL — Assertion Consumer Service URL (where your IdP sends SAML responses)
SLS URL — Single Logout Service URL

Step 2: Configure Your Identity Provider

In your IdP (Okta, Azure AD, etc.), create a new SAML application using the metadata from Step 1.

Okta

Go to Applications → Create App Integration → SAML 2.0
Set Single sign-on URL to the ACS URL from Step 1
Set Audience URI (SP Entity ID) to the Entity ID from Step 1
Map attributes: email → user.email, firstName → user.firstName, lastName → user.lastName
Download the IdP metadata XML or copy the Entity ID, SSO URL, and certificate

Azure AD

Go to Enterprise Applications → New Application → Non-gallery application
Under Single sign-on → SAML, set the Identifier (Entity ID) and Reply URL (ACS)
Download the Federation Metadata XML or the Base64 Certificate

Google Workspace

Admin Console → Apps → Web and mobile apps → Add custom SAML app
Enter the ACS URL and Entity ID
Map attributes: Primary email → email
Download the IdP metadata

Step 3: Configure SSO in PrivaBase

Send your IdP's SAML configuration to PrivaBase:

curl -X POST https://api.privabase.com/api/v1/organizations/YOUR_ORG_ID/sso \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "entityId": "https://idp.example.com/saml/metadata",
    "ssoUrl": "https://idp.example.com/saml/sso",
    "certificate": "-----BEGIN CERTIFICATE-----\nMIIC...\n-----END CERTIFICATE-----",
    "emailDomain": "company.com"
  }'

Field	Description
`entityId`	Your IdP's Entity ID / Issuer URL
`ssoUrl`	Your IdP's SAML SSO endpoint
`certificate`	Your IdP's X.509 signing certificate (PEM format)
`emailDomain`	Email domain for SSO enforcement (e.g. `company.com`)

Step 4: Test SSO Login

After configuration, users with @company.com email addresses will be redirected to your IdP during login. Test by logging in with a domain-matching email.

Disable SSO

curl -X DELETE https://api.privabase.com/api/v1/organizations/YOUR_ORG_ID/sso \
  -H "Authorization: Bearer YOUR_TOKEN"

⚠️ Disabling SSO

Disabling SSO won't lock out users. They can still log in with email/password. Existing sessions remain valid.