Setting up Single Sign-On (SSO) for your workspace

Last updated: March 19, 2026

How to configure SAML-based SSO and optional Directory Sync (SCIM) for automated user provisioning in your Solidroad workspace.

Overview

Solidroad supports SAML-based Single Sign-On (SSO), allowing your team to log in using your company's identity provider (IdP) - such as Okta, Microsoft Entra ID (Azure AD), Google Workspace, Ping, or OneLogin.

Once enabled, SSO gives your IT team centralized control over who can access Solidroad, eliminates password management overhead, and reduces risk from password reuse.

Solidroad also supports Directory Sync (SCIM) for automated user provisioning and deprovisioning, and automated group mapping so your internal team structure is reflected in Solidroad automatically.

Prerequisites

Before getting started, make sure you have the following:

  • An identity provider that supports SAML 2.0 (Okta, Microsoft Entra ID, Google Workspace, Ping, OneLogin, etc.)

  • An IT contact who can configure SAML app settings in your IdP

  • The email domain(s) you want to enable SSO for (e.g. @yourcompany.com)

  • At least one admin user already set up in your Solidroad workspace

Important: Once SSO is enabled for your domain, email/password login will be disabled for users on that domain. Make sure your team is aware before going live.

How the setup works

  1. Contact your Solidroad account team to request SSO for your workspace. We'll provide you with three values:

    1. Single Sign-On URL (ACS URL)

    2. Audience URI (SP Entity ID)

    3. Metadata URL

  2. Configure a SAML application in your identity provider using the values above. Most IdPs have a "custom SAML app" option - your IT team will know where to find this.

  3. Send us your IdP metadata. Once your IT team has configured the SAML app, send us either:

    • Option A (preferred): Your IdP metadata URL - a public URL containing the SAML XML configuration

    • Option B: Your SSO Login URL, IdP Issuer, and X.509 Certificate

  4. We'll complete the connection on our side and coordinate testing with you before rolling out to your full team.

Testing

Before enabling SSO for your entire organization, we'll work with you to verify:

  • SSO login works - a test user from your IdP can successfully log in to Solidroad

  • Users land in the correct workspace - new SSO users are associated with your organization

  • Admin access is retained - at least one workspace admin can still access settings

We won't enable SSO for your full team until you've confirmed testing is successful.

Directory Sync (SCIM) - automated user provisioning

For organizations that want to automate user lifecycle management, Solidroad supports Directory Sync via the SCIM 2.0 protocol. This requires an existing SSO connection and is available with supported IdPs including Okta and Microsoft Entra ID.

With Directory Sync enabled:

  • User creation: When you assign a user to the Solidroad app in your IdP, their account is automatically created in Solidroad

  • User updates: Changes to user attributes (name, email) in your IdP are synced to Solidroad automatically

  • User deactivation: When a user is removed or deactivated in your IdP, their Solidroad account is immediately disabled and any active sessions are revoked

The following attributes are synced from your IdP: username, email address, first name, last name, and enabled/disabled status.

To enable Directory Sync, let your Solidroad account team know and we'll provide the SCIM endpoint URL and bearer token for your IT team to configure in your IdP.

Setting up Directory Sync in Okta

  1. Open the Solidroad app in your Okta admin console

  2. Go to the Provisioning tab and click Configure API Integration

  3. Check Enable API Integration

  4. Enter the SCIM Base URL and Bearer Token provided by Solidroad

  5. Click Test API Credentials to verify the connection

  6. Save the configuration and enable the push operations you need (Create Users, Update User Attributes, Deactivate Users)

Setting up Directory Sync in Microsoft Entra ID

  1. Open the Solidroad enterprise application in the Azure portal

  2. Go to Provisioning and set the mode to Automatic

  3. Under Admin Credentials, enter the Tenant URL (SCIM endpoint) and Secret Token provided by Solidroad

  4. Click Test Connection to verify

  5. Confirm the attribute mappings include: userName, name.givenName, name.familyName, and active

  6. Save and start provisioning
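
To confirm that deactivation and the attribute mappings behave as described above, this added example (not Solidroad's code) audits a SCIM 2.0 ListResponse against the IdP's view of each user. It assumes the SCIM endpoint answers a standard GET /Users with the bearer token; the list response and the IdP state export below are constructed and the export's shape is hypothetical.

```python
REQUIRED_PATHS = ("userName", "name.givenName", "name.familyName", "active")

# Constructed SCIM 2.0 ListResponse (RFC 7644), trimmed to the fields used here.
SAMPLE_LIST_RESPONSE = {
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "totalResults": 3,
    "Resources": [
        {"userName": "ana@yourcompany.com", "active": True,
         "name": {"givenName": "Ana", "familyName": "Lopez"}},
        {"userName": "ben@yourcompany.com", "active": True,
         "name": {"givenName": "Ben", "familyName": "Okoro"}},
        {"userName": "cy@yourcompany.com", "active": False,
         "name": {"givenName": "Cy"}},
    ],
}
# Constructed IdP state (hypothetical export): userName -> still assigned and enabled?
SAMPLE_IDP_STATE = {"ana@yourcompany.com": True, "ben@yourcompany.com": False}


def get_path(resource, dotted):
    """Resolve a SCIM attribute path such as name.givenName in a JSON resource."""
    node = resource
    for part in dotted.split("."):
        node = node.get(part) if isinstance(node, dict) else None
    return node


def audit(list_response, idp_state):
    """Return (userName, finding) pairs for mapping gaps and deprovisioning drift."""
    idp = {k.lower(): v for k, v in idp_state.items()}  # userName is case-insensitive
    findings = []
    for user in list_response.get("Resources", []):
        name = user.get("userName", "<no userName>")
        for path in REQUIRED_PATHS:
            if get_path(user, path) in (None, ""):
                findings.append((name, f"missing mapped attribute {path}"))
        # Drift: the app still has the account enabled, the IdP does not.
        if user.get("active") is True and not idp.get(name.lower(), False):
            findings.append((name, "active in app but disabled or unassigned in IdP"))
    return findings


if __name__ == "__main__":
    for who, finding in audit(SAMPLE_LIST_RESPONSE, SAMPLE_IDP_STATE):
        print(f"{who}: {finding}")
```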

Automated group mapping

If your organization uses groups or teams in your IdP, Solidroad can automatically create and maintain groups in your workspace based on attributes in the SAML assertion.

This means your internal team structure (e.g. "Support - EMEA", "Engineering", "Tier 2") is automatically reflected in Solidroad without manual setup.

How to enable automated groups

  1. Configure your IdP to include group attributes in the SAML assertion. We need two fields:

    • public_metadata_external_group_id - a stable identifier for the group

    • public_metadata_external_group_name - the display name for the group

  2. Let your Solidroad account team know you've added group attributes, and we'll verify they're coming through correctly.

Once verified, Solidroad will automatically:

  • Create new groups when users sign in with a group that doesn't exist yet

  • Assign users to the correct group on each login

  • Update group names if they change in your IdP

Note: Automated group removal (when a user is removed from a group in your IdP) is not currently supported. Group membership removals should be managed manually in Solidroad for now.
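
To check the two group attributes before asking for verification, this added example (not Solidroad's code) inspects the AttributeStatement of a decoded test assertion. The sample XML and its values are constructed; the warning for an id equal to the display name is an assumption about a likely misconfiguration, based on the identifier needing to stay stable when names change.

```python
import xml.etree.ElementTree as ET

ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
GROUP_ID = "public_metadata_external_group_id"
GROUP_NAME = "public_metadata_external_group_name"

# Constructed AttributeStatement, as seen in a decoded test assertion; values are placeholders.
SAMPLE_STATEMENT = f"""<saml:AttributeStatement xmlns:saml="{ASSERTION_NS}">
  <saml:Attribute Name="{GROUP_ID}">
    <saml:AttributeValue>grp-00042</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="{GROUP_NAME}">
    <saml:AttributeValue>Support - EMEA</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""


def group_attributes(xml_text: str) -> dict:
    """Collect the values of the two group attributes from any SAML XML fragment."""
    values = {GROUP_ID: [], GROUP_NAME: []}
    for attr in ET.fromstring(xml_text).iter(f"{{{ASSERTION_NS}}}Attribute"):
        if attr.get("Name") in values:
            values[attr.get("Name")] += [
                (v.text or "").strip()
                for v in attr.findall(f"{{{ASSERTION_NS}}}AttributeValue")]
    return values


def check_group_attributes(xml_text: str) -> list:
    """Return a list of problems; an empty list means both attributes look usable."""
    values = group_attributes(xml_text)
    problems = []
    for name, vals in values.items():
        if not vals:
            problems.append(f"{name}: attribute missing from assertion")
        elif not all(vals):
            problems.append(f"{name}: empty value")
    # Assumption: an id that mirrors the display name is not stable across renames.
    if any(i and i == n for i, n in zip(values[GROUP_ID], values[GROUP_NAME])):
        problems.append("group id equals the display name; a rename in the IdP would change the id")
    return problems


if __name__ == "__main__":
    print(check_group_attributes(SAMPLE_STATEMENT) or "group attributes look usable")
```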

Frequently asked questions

Which identity providers are supported?

Any IdP that supports SAML 2.0, including Okta, Microsoft Entra ID (Azure AD), Google Workspace, OneLogin, Ping Identity, and more. We also support OIDC and EASIE for less common setups.

Will enabling SSO lock out existing users?

It can - once SSO is enabled for a domain, users on that domain must authenticate through your IdP. We coordinate the rollout carefully so no one is locked out unexpectedly.

Can we use SSO and email/password login at the same time?

SSO is typically enforced per domain. Users on SSO-enabled domains must use SSO. Users on other domains can continue using email/password.

Is Directory Sync required for SSO?

No. Directory Sync is optional. You can use SSO on its own for authentication and manage user provisioning manually.

How do I get started?

Reach out to your Solidroad account team or contact us at support@solidroad.com and we'll walk you through the setup.