Skip to main content
Mock API Builder
Enterprise

Enterprise SSO

Let organization members sign in through your identity provider.

Organization configuration

Organization owners can configure SSO on the organization detail page. Choose SAML (IdP SSO URL, optional entity ID, and the IdP's signing certificate) or OIDC (issuer URL, client ID, and client secret).

Login URL pattern: /api/auth/sso/login?org=YOUR_ORG_SLUG

How sign-in is verified

Every sign-in attempt is bound to a signed, short-lived state token so a callback can't be replayed or forged (CSRF + replay protection). From there, identity is verified cryptographically before anyone is signed in:

  • SAML— the IdP's response is checked against its XML signature using the certificate you provided. An unsigned or mismatched assertion is rejected.
  • OIDC— the authorization code is exchanged server-side, and the returned ID token is verified against your IdP's published keys (JWKS) before its claims are trusted.

The first time a user signs in through SSO, an account is created automatically with the Viewer role on the organization. An owner can promote them to Editor or Owner afterward from the members list.

Before you go live

Your IdP must be configured to send an email claim — it's the only attribute used to match or create accounts. Work with your IdP admin to map that attribute and point the redirect URI at /api/auth/sso/callback?org=slug. Engineering teams can validate the full flow against a local test identity provider before connecting a real one — see docs/development/saml-local-testing.md in the repo.

Team collaboration basics: Workspaces & Collaboration

Previous: Custom Domains & mTLSNext: HTTP Status Codes
Mock API Builder

Built for developers, by developers

DocumentationContactPrivacy PolicyTerms of Service

© 2026 Mock API Builder. All rights reserved.

Double-click for what's new
Learning Center
Learning Center