Let organization members sign in through your identity provider.
Organization owners can configure SSO on the organization detail page. Choose SAML (IdP SSO URL, optional entity ID, and the IdP's signing certificate) or OIDC (issuer URL, client ID, and client secret).
Login URL pattern: /api/auth/sso/login?org=YOUR_ORG_SLUG
Every sign-in attempt is bound to a signed, short-lived state token so a callback can't be replayed or forged (CSRF + replay protection). From there, identity is verified cryptographically before anyone is signed in:
The first time a user signs in through SSO, an account is created automatically with the Viewer role on the organization. An owner can promote them to Editor or Owner afterward from the members list.
Your IdP must be configured to send an email claim — it's the only attribute used to match or create accounts. Work with your IdP admin to map that attribute and point the redirect URI at /api/auth/sso/callback?org=slug. Engineering teams can validate the full flow against a local test identity provider before connecting a real one — see docs/development/saml-local-testing.md in the repo.
Team collaboration basics: Workspaces & Collaboration