Enterprise SSO
Configure SAML or OIDC single sign-on with domain-based auto-provisioning.
Atlas supports enterprise SSO via SAML 2.0 and OpenID Connect (OIDC). Admins register identity providers through the admin API, map email domains to providers, and users are auto-provisioned on first login.
SaaS Feature
Enterprise SSO is available on app.useatlas.dev Enterprise plans. Self-hosted deployments do not include enterprise features.
Prerequisites
- Managed auth enabled
- Internal database configured (
DATABASE_URL) - Active Enterprise plan on app.useatlas.dev
- Admin role required for all SSO management endpoints
How It Works
- An admin registers an SSO provider (SAML or OIDC) via the admin API
- The provider is linked to an email domain (e.g.,
acme.com) - When a user with that email domain signs in, Atlas routes them to the configured IdP
- On successful IdP authentication, the user is auto-provisioned into the workspace
Each organization can have multiple SSO providers, each mapped to a different email domain. Domain uniqueness is enforced globally — no two providers across any organization can claim the same domain.
SAML Configuration
SAML providers require three pieces of information from your identity provider:
| Field | Description |
|---|---|
idpEntityId | The IdP's entity identifier (issuer URI) |
idpSsoUrl | The IdP's single sign-on URL (HTTP-Redirect or HTTP-POST binding) |
idpCertificate | The IdP's signing certificate in PEM format |
Optional fields for service provider (SP) configuration:
| Field | Description |
|---|---|
spEntityId | Custom SP entity ID (defaults to Atlas-generated value) |
spAcsUrl | Custom Assertion Consumer Service URL |
Register a SAML Provider
curl -X POST https://your-atlas.example.com/api/v1/admin/sso/providers \
-H "Content-Type: application/json" \
-H "Authorization: Bearer <admin-token>" \
-d '{
"type": "saml",
"issuer": "https://idp.acme.com",
"domain": "acme.com",
"enabled": true,
"config": {
"idpEntityId": "https://idp.acme.com/entity",
"idpSsoUrl": "https://idp.acme.com/sso",
"idpCertificate": "-----BEGIN CERTIFICATE-----\nMIIC...\n-----END CERTIFICATE-----"
}
}'OIDC Configuration
OIDC providers require:
| Field | Description |
|---|---|
clientId | OAuth client ID from your IdP |
clientSecret | OAuth client secret (encrypted at rest) |
discoveryUrl | The IdP's .well-known/openid-configuration URL |
Register an OIDC Provider
curl -X POST https://your-atlas.example.com/api/v1/admin/sso/providers \
-H "Content-Type: application/json" \
-H "Authorization: Bearer <admin-token>" \
-d '{
"type": "oidc",
"issuer": "https://accounts.google.com",
"domain": "acme.com",
"enabled": true,
"config": {
"clientId": "your-client-id",
"clientSecret": "your-client-secret",
"discoveryUrl": "https://accounts.google.com/.well-known/openid-configuration"
}
}'Client secrets are encrypted at rest using BETTER_AUTH_SECRET or ATLAS_ENCRYPTION_KEY. They are never returned in API responses — the provider detail endpoint redacts secret fields. The enabled field defaults to false if omitted — providers must be explicitly enabled.
Admin API Endpoints
All SSO endpoints require the admin role and an active enterprise license. They are mounted at /api/v1/admin/sso.
| Method | Path | Description |
|---|---|---|
GET | /providers | List SSO provider summaries (config omitted) |
GET | /providers/:id | Get a single provider (secrets redacted) |
POST | /providers | Register a new SSO provider |
PATCH | /providers/:id | Update a provider (partial config merge) |
DELETE | /providers/:id | Delete a provider |
GET | /enforcement | Get SSO enforcement status |
PUT | /enforcement | Enable or disable SSO enforcement |
Error Responses
| Status | Code | When |
|---|---|---|
| 400 | validation | Invalid config fields, malformed domain |
| 400 | no_provider | Trying to enable enforcement with no active SSO provider |
| 403 | enterprise_required | Enterprise license not active |
| 404 | not_found | Provider ID doesn't exist |
| 409 | conflict | Domain already claimed by another SSO provider |
Domain Auto-Provisioning
When a user signs in with an email matching a configured SSO domain:
- Atlas calls
findProviderByDomain()to locate the matching, enabled SSO provider - The user is redirected to the IdP for authentication
- On successful authentication, Atlas creates or updates the user account
- The user is added to the organization that owns the SSO provider
Domain format requirements:
- Lowercase letters, numbers, hyphens, and dots
- Must be a valid DNS domain (e.g.,
acme.com,engineering.acme.com) - Validated against the pattern:
^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$
SSO Enforcement
By default, SSO is an optional login method — users with a matching email domain are routed to the IdP, but password login remains available. SSO enforcement changes this: when enabled, password and email-based login is blocked for all users whose email domain matches a configured SSO provider. They must sign in through the identity provider.
Enforcement is an organization-level setting. When toggled, it updates the sso_enforced flag on all SSO providers belonging to that organization.
What Happens When Enforcement Is On
- A user attempts to sign in with email
alice@acme.com - Atlas detects that
acme.comhas an SSO provider with enforcement enabled - The password/session auth is blocked with a
403response:{ "error": "SSO is required for this workspace. Please sign in via your identity provider.", "ssoRedirectUrl": "https://idp.acme.com/sso" } - The response includes
ssoRedirectUrlso the client can redirect the user to the IdP
Break-glass bypass: API key authentication (simple-key mode) is not affected by SSO enforcement. If an admin is locked out of the UI, they can still access the API using an API key to disable enforcement.
Check Enforcement Status
curl https://your-atlas.example.com/api/v1/admin/sso/enforcement \
-H "Authorization: Bearer <admin-token>"Response (200):
{
"enforced": false,
"orgId": "org_abc123"
}Enable Enforcement
curl -X PUT https://your-atlas.example.com/api/v1/admin/sso/enforcement \
-H "Content-Type: application/json" \
-H "Authorization: Bearer <admin-token>" \
-d '{ "enforced": true }'Response (200):
{
"enforced": true,
"orgId": "org_abc123"
}Disable Enforcement
curl -X PUT https://your-atlas.example.com/api/v1/admin/sso/enforcement \
-H "Content-Type: application/json" \
-H "Authorization: Bearer <admin-token>" \
-d '{ "enforced": false }'Before enabling enforcement, ensure at least one SSO provider is configured and enabled for your organization. Atlas will reject the request with a 400 error (no_provider) if no active provider exists:
{
"error": "no_provider",
"message": "Cannot enforce SSO without at least one active SSO provider. Create and enable a SAML or OIDC provider first."
}Enforcement and Existing Users
When you enable SSO enforcement:
- Active sessions are not terminated. Users already signed in continue to have access until their session expires
- New sign-in attempts via password are blocked. Users must use the SSO flow on their next login
- API key access is unaffected. The
simple-keyauth mode bypasses SSO enforcement, providing a break-glass path for administrators
When you disable SSO enforcement:
- Password login is immediately available again for all users
- SSO login continues to work — disabling enforcement does not remove SSO providers
SAML vs OIDC
| Feature | SAML 2.0 | OIDC |
|---|---|---|
| Protocol | XML-based, HTTP-POST binding | OAuth 2.0 / JWT |
| Setup complexity | Higher (certificates, entity IDs) | Lower (client ID/secret + discovery URL) |
| Common IdPs | Okta, OneLogin, ADFS | Google Workspace, Azure AD, Auth0 |
| Secret storage | Certificate (public) | Client secret (encrypted at rest) |
Choose SAML when your IdP mandates it or for compliance requirements. Choose OIDC for simpler setup with modern identity providers.
See Also
- IP Allowlisting — Restrict access by IP range
- Authentication — Auth mode setup and configuration
- Admin Console — Manage users and sessions
- Environment Variables — Full variable reference