Skip to content

How do I set up SSO/OIDC for a tenant?

Requires Pro

Under Administration → SSO, create a provider configuration for your tenant: display name, the IdP’s discovery URL, client ID, and client secret — then enable it. In the IdP, register Notory as an OIDC client with the redirect URI https://<your-instance>/api/v1/auth/sso/callback. Optionally, Notory can automatically onboard new users via JIT provisioning and derive their role from IdP groups. SSO providers always apply per tenant.

From the IdP, you’ll need: the discovery URL (e.g. https://login.microsoftonline.com/<tenant>/v2.0/.well-known/openid-configuration), client ID, and client secret. The IdP must mark email addresses as verified (email_verified).

  1. Open the SSO section. Administration → SSO. The description reminds you: “Configure identity providers per tenant. Full login requires a reachable IdP.” Click Create provider.

    SSO management: identity providers are configured per tenant.
  2. Configure the provider. Fill in:

    • Display name — later appears on the login button (“Sign in with …”).
    • Protocoloidc (default; the full login flow is implemented for OIDC, SAML fields are prepared).
    • Discovery URL, Client ID, Client Secret — from your IdP.
    • Scopes — leave empty for the default openid email profile.
    • Default role — role for automatically created users (default: Viewer).
    • JIT provisioning — when enabled, Notory automatically creates unknown users in the tenant at their first SSO login.
    • Group claim (default groups) and group-to-role mapping — e.g. it-admins → admin, helpdesk → technician; optionally sync role on every login.
    The OIDC configuration: discovery URL, client credentials, JIT provisioning and group mapping.
  3. Register the redirect URI in the IdP. In your IdP, register the callback address https://<your-instance>/api/v1/auth/sso/callback as an allowed redirect URI for the OIDC client.

  4. Enable and test. Set the provider to enabled. Open the login screen in a private window and enter the email of an account in this tenant — the “Sign in with …” button appears automatically (e-mail discovery).

  • The login flow (OIDC Authorization Code + PKCE). Clicking “Sign in with …” redirects Notory to the IdP — with PKCE (S256), state, and nonce; the state is kept as a signed, 10-minute cookie (it_sso). After returning at the callback, Notory exchanges the code for tokens and cryptographically validates the id_token against the IdP’s JWKS (signature, iss, aud, expiry, nonce).
  • Only verified e-mails. Only an email with email_verified: true is accepted — otherwise the login aborts.
  • Account matching by e-mail. If an account with this email exists, it’s signed in — but only if it belongs to the provider’s tenant (tenant isolation). If none exists: with JIT, Notory creates the user in the provider’s tenant (default role or group mapping, random unusable password — the account is SSO-only); without JIT, “No account exists for this e-mail. Ask an administrator to invite you.” is shown.
  • Roles from groups. From the group claim, the highest-ranking matching role is determined via the mapping table. With “sync role on every login”, Notory pulls in role changes from the IdP on every sign-in.
  • Deactivated accounts. An inactive account is only reactivated automatically during SSO login if JIT provisioning is enabled; otherwise it stays locked.
  • 2FA. During SSO login, Notory asks for no local authenticator code — multi-factor is handled by the IdP. However, enforced 2FA setup (instance/tenant) still applies: without a set-up device, the app remains locked until setup is complete.
  • Secret handling. The client_secret is stored, but never returned in any API response.