Enterprise SAML SSO per organization
You'll learn how to create a SAML connection, share metadata with your customer’s IdP, and route users by email domain.
An organization in SqlOS with a primary email domain set
IdP metadata (XML) or manual Entity ID / ACS URL from your customer
Goal
Existing organization members with a verified @acme.com email address automatically use Acme's SAML IdP instead of password login. New users are only created from SSO if you enable JIT provisioning.
Steps
Open /sqlos/admin/auth/ → SSO / SAML for the target organization.
Create a draft SAML connection. Note the Entity ID and ACS URL SqlOS generates.
Send those values to the customer’s IT admin (or use the Admin Portal pattern from your product).
Import the IdP metadata XML (or paste certificate and endpoints manually).
Review the Access policy. The portal default requires SSO for existing members and leaves JIT provisioning off.
Enable the connection and set or verify the org email domain (e.g. acme.com).
Test with home realm discovery: sign in as an existing member with user@acme.com and confirm the redirect to the IdP.
Expected outcome
SAML assertion links to an existing SqlOS user, or provisions access only when JIT is enabled
Audit log shows SSO sign-in events
Non-matching domains still use password, OTP, or social login
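As an added illustration (not SqlOS code), the Python below models the behaviour the steps and expected outcomes above describe: home realm discovery by exact email-domain match against an enabled connection, the access policy that keeps SSO-required members off password login, and the assertion-to-user mapping that links a verified existing member, provisions only when JIT is on, and otherwise records a rejection in the audit log. The class names, function names, URLs and sample users are assumptions made for the example.

```python
"""Home realm discovery and assertion-to-user linking for per-org SAML SSO.

Added illustration, not SqlOS code: the classes, function names, URLs and
sample data below are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class SamlConnection:
    entity_id: str                         # SP Entity ID generated for the org
    acs_url: str                           # Assertion Consumer Service URL
    idp_sso_url: str                       # taken from the customer's IdP metadata
    enabled: bool = False                  # a draft connection must never route logins
    require_sso_for_members: bool = True   # portal default described in the guide
    jit_provisioning: bool = False         # portal default described in the guide


@dataclass
class Organization:
    slug: str
    email_domain: str                      # primary email domain, e.g. acme.com
    saml: Optional[SamlConnection] = None


@dataclass
class User:
    email: str
    email_verified: bool
    org_slug: str


# Constructed sample data: one org with an enabled connection, one still in draft.
ORGS = [
    Organization("acme", "acme.com", SamlConnection(
        entity_id="https://sqlos.example/saml/acme",
        acs_url="https://sqlos.example/saml/acme/acs",
        idp_sso_url="https://idp.acme.example/sso", enabled=True)),
    Organization("globex", "globex.com", SamlConnection(
        entity_id="https://sqlos.example/saml/globex",
        acs_url="https://sqlos.example/saml/globex/acs",
        idp_sso_url="https://idp.globex.example/sso", enabled=False)),
]
USERS = [
    User("alice@acme.com", email_verified=True, org_slug="acme"),
    User("mallory@acme.com", email_verified=False, org_slug="acme"),
]


def email_domain(email: str) -> Optional[str]:
    """Exact, lower-cased domain part of an address; None if malformed.
    Exact comparison (never endswith) so 'acme.com.attacker.test' cannot match."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain or "@" in local:
        return None
    return domain.lower()


def find_org(domain: Optional[str]) -> Optional[Organization]:
    for org in ORGS:
        if domain and org.email_domain.lower() == domain:
            return org
    return None


def discover_realm(email: str) -> str:
    """Home realm discovery: decide where the login form sends this address."""
    org = find_org(email_domain(email))
    if org and org.saml and org.saml.enabled:
        return f"saml:{org.slug}"          # redirect to org.saml.idp_sso_url
    return "local"                         # password, OTP or social login as before


def password_login_allowed(user: User) -> bool:
    """Access policy: members of an SSO-required org may not fall back to passwords."""
    org = find_org(email_domain(user.email))
    if org and org.saml and org.saml.enabled and org.saml.require_sso_for_members:
        return False
    return True


def consume_assertion(org: Organization, subject_email: str, audit: list) -> Optional[User]:
    """Map an already signature-, audience- and ACS-validated assertion to a user.
    Returns the user granted access, or None with the reason in the audit log."""
    def log(event: str, **extra) -> None:
        audit.append({"event": event, "org": org.slug, "email": subject_email, **extra})

    if not (org.saml and org.saml.enabled):
        log("sso.rejected", reason="connection_disabled")
        return None
    if email_domain(subject_email) != org.email_domain.lower():
        # This org's IdP may vouch only for its own domain, never another tenant's.
        log("sso.rejected", reason="domain_mismatch")
        return None
    for user in USERS:
        if user.org_slug == org.slug and user.email.lower() == subject_email.lower():
            if not user.email_verified:
                log("sso.rejected", reason="email_unverified")
                return None
            log("sso.login")
            return user
    if org.saml.jit_provisioning:
        user = User(subject_email.lower(), email_verified=True, org_slug=org.slug)
        USERS.append(user)
        log("sso.jit_provisioned")
        return user
    log("sso.rejected", reason="unknown_user_jit_disabled")
    return None


if __name__ == "__main__":
    for addr in ("user@acme.com", "user@globex.com", "bob@other.com"):
        print(addr, "->", discover_realm(addr))
```

Two details are deliberate: the domain check is an exact match on the part after the last `@`, and a connection that is still a draft (`enabled=False`) never routes anyone, so a half-configured tenant falls back to local login rather than to an untested IdP. Assertion signature, audience (Entity ID) and ACS URL validation are assumed to happen in the SAML library before `consume_assertion` runs, and a matching member whose address is still unverified is rejected instead of silently linked.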
Next steps