Skip to main content

Single Sign-On (SSO)

SSO is available on Pro and Enterprise plans.
Configure SSO for your organization.

Supported Providers

  • SAML 2.0 - Okta, OneLogin, Azure AD, etc.
  • OAuth 2.0 - Google Workspace, GitHub, etc.
  • OIDC - Any OpenID Connect provider

SAML Configuration

1. Create SAML App

In your identity provider:
  1. Create a new SAML application
  2. Set ACS URL: https://brainzlab.ai/auth/saml/callback
  3. Set Entity ID: https://brainzlab.ai
  4. Configure attributes:
    • email (required)
    • name (optional)

2. Configure Brainz Lab

  1. Go to Settings > SSO
  2. Choose “SAML 2.0”
  3. Enter:
    • SSO URL
    • Certificate
    • Entity ID

3. Test

Click “Test Configuration” to verify setup.

OAuth Configuration

Google Workspace

  1. Go to Google Admin Console
  2. Create OAuth credentials
  3. Set redirect URL: https://brainzlab.ai/auth/google/callback
  4. Enter Client ID and Secret in Brainz Lab

GitHub

  1. Create GitHub OAuth App
  2. Set callback URL: https://brainzlab.ai/auth/github/callback
  3. Enter Client ID and Secret in Brainz Lab

Enforcing SSO

After setup, you can:
  1. Require SSO - All users must use SSO
  2. Allow both - SSO and password login
  3. Migrate gradually - Invite users via SSO

Just-in-Time Provisioning

New users are automatically created on first SSO login:
  • Email from identity provider
  • Default role: Member
  • Added to organization

SCIM Provisioning

SCIM is available on Enterprise plans.
Automatically sync users from your identity provider:
  1. Enable SCIM in Settings > SSO
  2. Copy the SCIM endpoint and token
  3. Configure in your identity provider

Troubleshooting

Login Failed

  1. Check SSO configuration
  2. Verify user exists in identity provider
  3. Check attribute mapping

User Not Provisioned

  1. Verify JIT provisioning is enabled
  2. Check required attributes are mapped
  3. Verify domain is allowed