SSO

Configure SAML, OIDC, or OAuth to delegate sign-in to your identity provider. Users land in Dezifi already authenticated and get the role you assigned in your IdP.

What you'll learn
  • Which SSO protocols Dezifi supports
  • How to set up SAML with IdP metadata or an ACS URL
  • How to set up OIDC with a discovery URL
  • How to set up OAuth and choose scopes

SAML

  1. Open SAML settings

    Settings → SSO → SAML. You will need either the IdP metadata XML or the ACS URL plus signing certificate.
  2. Upload IdP metadata

    Paste the metadata XML from Okta, Azure AD, Google Workspace, or any SAML 2.0 IdP. Dezifi extracts the entity ID, SSO URL, and certificate automatically.
  3. Map attributes

    Map your IdP attributes (email, name, groups) to Dezifi user fields. Use a groups attribute to drive role assignment automatically.
  4. Test and enable

    Run the test login from the IdP. Once a round-trip succeeds, toggle the connection live for the workspace.

OIDC

  1. Open OIDC settings

    Settings → SSO → OIDC. You will need a client ID, client secret, and discovery URL from your IdP.
  2. Paste credentials

    Enter the client ID, client secret, and the OpenID Connect discovery URL. Dezifi auto-discovers the auth, token, and userinfo endpoints.
  3. Pick scopes

    Default scopes are openid, profile, email. Add groups if your IdP exposes them and you want group-driven role mapping.

OAuth

OAuth covers consumer identity providers (Google, GitHub, Microsoft personal). Configure provider, client ID, client secret, and the scopes you need. Useful when end users sign in through your product rather than a corporate IdP.

Frequently asked questions

Does Dezifi support SCIM for user provisioning?
Just-in-time provisioning on first SSO login is standard. SCIM for proactive provisioning and deprovisioning is available on Enterprise plans.

Can I require SSO for a workspace?
Yes. Once SSO is configured and verified, toggle Require SSO. Password sign-in is then disabled for all members except a break-glass Owner.

What if my IdP groups do not match Dezifi roles?
Use the attribute mapping screen to map IdP group names to Dezifi roles (built-in or custom). Unmapped groups fall back to a default role you choose.

Can users belong to multiple workspaces with the same SSO connection?
Yes. SSO is configured per workspace, but a single IdP identity can authenticate into any workspace where that identity is provisioned.