> ## Documentation Index
> Fetch the complete documentation index at: https://docs.orq.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Enterprise SSO authentication

> Configure enterprise Single Sign-On for Orq.ai using any standards-compliant OIDC or SAML identity provider.

<Badge color="blue" size="lg" shape="pill" stroke="true">Feature available with the [Enterprise Plan](https://orq.ai/solutions/enterprise)</Badge>

Connect an identity provider to **Orq.ai** to allow the team to sign in using their existing credentials. Any identity provider that supports OIDC or SAML 2.0 is compatible.

## Choose a Protocol

Two protocols are available:

* <Icon icon="bolt" /> **OIDC**: Modern, lightweight protocol based on OAuth 2.0. Recommended for most organizations for its quick setup and JSON-based authentication.
* <Icon icon="shield" /> **SAML**: XML-based protocol recommended for enterprise environments requiring fine-grained control over security attributes and assertions.

## Configure SSO in Orq.ai

### Navigate to Auth settings

1. Log in to the **Orq.ai** account
2. Click **AI Studio** in the upper left
3. Click **Organization**
4. Click **Auth** from the sidebar

<Frame caption="SSO Authentication page">
  <img src="https://mintcdn.com/orqai/eESPCIDoKN-2_GOT/images/sso/platform_config/sso-authentication-page.png?fit=max&auto=format&n=eESPCIDoKN-2_GOT&q=85&s=ddcbd02b5fd808efca3c18c36076adda" alt="Orq.ai Authentication settings page showing available SSO provider options, each with a Configure button." width="3416" height="1946" data-path="images/sso/platform_config/sso-authentication-page.png" />
</Frame>

<Note>
  Only one SSO connection can be active at a time. To switch providers, disconnect the current connection first.
</Note>

### Connect a provider

Click **Add SSO Connection**, select the protocol, and follow the guide for the identity provider:

<AccordionGroup>
  <Accordion title="Okta" icon="https://mintcdn.com/orqai/5MZJQ0bWgWcedZzS/images/logos/okta.svg?fit=max&auto=format&n=5MZJQ0bWgWcedZzS&q=85&s=0ea1a33bbf3cbd51cfd4353dd243365f" width="24" height="24" data-path="images/logos/okta.svg">
    <Tabs>
      <Tab title="OIDC" icon="bolt">
        <Steps>
          <Step title="Create an OIDC app in Okta" icon="circle-plus">
            Sign in to the **Okta Admin Console** and navigate to **Applications → Applications**.

            <Frame caption="Okta Applications page">
              <img src="https://mintcdn.com/orqai/eESPCIDoKN-2_GOT/images/sso/okta_oidc/okta-oidc-applications-page.png?fit=max&auto=format&n=eESPCIDoKN-2_GOT&q=85&s=d7f3f39fe71e0f3cb869116fca809ad8" alt="Okta Admin Console Applications page showing the list of active applications with a Create App Integration button." width="1895" height="879" data-path="images/sso/okta_oidc/okta-oidc-applications-page.png" />
            </Frame>

            Click **Create App Integration**, then select **OIDC - OpenID Connect** and **Web Application**, and click **Next**.

            <Frame caption="Select sign-in method">
              <img src="https://mintcdn.com/orqai/eESPCIDoKN-2_GOT/images/sso/okta_oidc/okta-oidc-create-app-integration.png?fit=max&auto=format&n=eESPCIDoKN-2_GOT&q=85&s=7e9752c57b4b13406cc26f209ec5ae71" alt="Create a new app integration dialog with OIDC-OpenID Connect selected as sign-in method and Web Application as application type." width="1887" height="875" data-path="images/sso/okta_oidc/okta-oidc-create-app-integration.png" />
            </Frame>

            **Configure the application:**

            * **App integration name**: `Orq.ai` (or preferred name)
            * **Grant type**: Ensure **Authorization Code** is selected
            * **Sign-in redirect URIs**:
              ```
              https://my.orq.ai/v2/auth/sso/oidc/callback
              ```
            * **Sign-out redirect URIs** (optional):
              ```
              https://my.orq.ai
              ```

            <Frame caption="App integration settings">
              <img src="https://mintcdn.com/orqai/eESPCIDoKN-2_GOT/images/sso/okta_oidc/okta-oidc-configure-settings.png?fit=max&auto=format&n=eESPCIDoKN-2_GOT&q=85&s=db2b96c037d090fbaf92064bf35d1f38" alt="New Web App Integration page with App integration name set to orq.ai, sign-in redirect URI set to https://my.orq.ai/v2/auth/sso/oidc/callback, and sign-out redirect URI set to https://my.orq.ai." width="1886" height="892" data-path="images/sso/okta_oidc/okta-oidc-configure-settings.png" />
            </Frame>

            <Frame caption="Controlled access settings">
              <img src="https://mintcdn.com/orqai/eESPCIDoKN-2_GOT/images/sso/okta_oidc/okta-oidc-assignments-and-save.png?fit=max&auto=format&n=eESPCIDoKN-2_GOT&q=85&s=da819fd515fc50a40b9577a467f60448" alt="New Web App Integration page showing the Assignments section with Skip group assignment for now selected and a Save button." width="1865" height="900" data-path="images/sso/okta_oidc/okta-oidc-assignments-and-save.png" />
            </Frame>
          </Step>

          <Step title="Assign users" icon="users">
            Go to the **Assignments** tab and click <kbd className="key">Assign</kbd> → <kbd className="key">Assign to People</kbd> or <kbd className="key">Assign to Groups</kbd>.

            Select the users or groups that should have access to **Orq.ai**, then click <kbd className="key">Done</kbd>.

            <Frame caption="Assign users to the application">
              <img src="https://mintcdn.com/orqai/eESPCIDoKN-2_GOT/images/sso/okta_oidc/okta-oidc-assign-users.png?fit=max&auto=format&n=eESPCIDoKN-2_GOT&q=85&s=6f4fca17e24b7a3da0d5878d51940e3f" alt="Okta orq.ai application Assignments tab with the Assign dropdown open, showing Assign to People and Assign to Groups options." width="1901" height="869" data-path="images/sso/okta_oidc/okta-oidc-assign-users.png" />
            </Frame>

            <Note>
              By default, no users are assigned to a new Okta app.
            </Note>
          </Step>

          <Step title="Gather credentials" icon="key">
            From the application's **General** tab, scroll down to the **Client Credentials** section.

            Copy these values:

            * **Client ID**: use as the **Client ID** in **Orq.ai**
            * **Client secret**: click **Copy to clipboard** and use as the **Client Secret** in **Orq.ai**

            <Frame caption="Client credentials">
              <img src="https://mintcdn.com/orqai/eESPCIDoKN-2_GOT/images/sso/okta_oidc/okta-oidc-client-credentials.png?fit=max&auto=format&n=eESPCIDoKN-2_GOT&q=85&s=97721e0f8e36865a247b3b638a6d9026" alt="Okta orq.ai application General tab showing Client Credentials with Client ID and a client secret listed under CLIENT SECRETS." width="1904" height="892" data-path="images/sso/okta_oidc/okta-oidc-client-credentials.png" />
            </Frame>
          </Step>

          <Step title="Get the Provider URL" icon="link">
            The Provider URL is the Okta domain's authorization server issuer URL:

            ```
            https://{yourOktaDomain}/oauth2/default
            ```

            Find the Okta domain in the top-right corner of the **Okta Admin Console** (e.g. `acme.okta.com`).
          </Step>

          <Step title="Configure in Orq.ai" icon="circle-check">
            Navigate to **AI Studio** → **Organization** → **Auth**.

            <Frame caption="SSO Authentication page">
              <img src="https://mintcdn.com/orqai/eESPCIDoKN-2_GOT/images/sso/platform_config/sso-authentication-page.png?fit=max&auto=format&n=eESPCIDoKN-2_GOT&q=85&s=ddcbd02b5fd808efca3c18c36076adda" alt="Orq.ai Authentication settings page showing available SSO providers, each with a Configure button." width="3416" height="1946" data-path="images/sso/platform_config/sso-authentication-page.png" />
            </Frame>

            Enter the credentials collected from Okta:

            1. Select **OIDC** (selected by default)
            2. Enter the **Client ID**
            3. Enter the **Client Secret**
            4. Enter the **Provider URL**
            5. Enter the organization's email domain(s) in **Allowed domains** (e.g., `orq.ai`)
            6. Click **Activate**

            <Frame caption="OIDC configuration form">
              <img src="https://mintcdn.com/orqai/eESPCIDoKN-2_GOT/images/sso/platform_config/configure-oidc.png?fit=max&auto=format&n=eESPCIDoKN-2_GOT&q=85&s=993b6152eef3ae82c9f00a65a6e4024b" alt="Configure Single Sign-On panel with OIDC selected for Okta, showing fields for Client ID, Client Secret, Provider URL, and Allowed domains." width="3416" height="1946" data-path="images/sso/platform_config/configure-oidc.png" />
            </Frame>
          </Step>

          <Step title="Test the login" icon="party-horn">
            SSO is now configured. Users can sign in at:

            ```
            https://my.orq.ai/{your-workspace-key}/login
            ```

            <Frame caption="SSO login">
              <img src="https://mintcdn.com/orqai/3prGSMBQVxQFUZZt/images/sso/sso_login/sso-login-agnostic.png?fit=max&auto=format&n=3prGSMBQVxQFUZZt&q=85&s=1b7337671332e0411a92b2963185452c" alt="Orq.ai login page showing the Continue with SSO button after configuring Okta OIDC." width="1901" height="992" data-path="images/sso/sso_login/sso-login-agnostic.png" />
            </Frame>
          </Step>
        </Steps>
      </Tab>

      <Tab title="SAML" icon="shield">
        <Steps>
          <Step title="Define the SP Entity ID" icon="fingerprint">
            Choose a unique identifier for the Service Provider Entity ID. We recommend:

            ```
            urn:orq.ai:{your-workspace-key}
            ```

            For example, if the workspace key is `acme-corp`, use `urn:orq.ai:acme-corp`.

            <Tip>
              The SP Entity ID must match exactly in both Okta and **Orq.ai**. Write it down; it is needed in multiple steps.
            </Tip>
          </Step>

          <Step title="Create a SAML app in Okta" icon="circle-plus">
            In the **Okta Admin Console**, go to **Applications → Applications**.

            <Frame caption="Okta Applications page">
              <img src="https://mintcdn.com/orqai/eESPCIDoKN-2_GOT/images/sso/okta_saml/okta-saml-applications-page.png?fit=max&auto=format&n=eESPCIDoKN-2_GOT&q=85&s=ea34233a77763786f7f7039c607f4356" alt="Okta Admin Console Applications page showing the orq.ai app as active." width="1892" height="883" data-path="images/sso/okta_saml/okta-saml-applications-page.png" />
            </Frame>

            Click **Create App Integration**, select **SAML 2.0**, and click **Next**.

            <Frame caption="Select sign-in method">
              <img src="https://mintcdn.com/orqai/eESPCIDoKN-2_GOT/images/sso/okta_saml/okta-saml-create-app-integration.png?fit=max&auto=format&n=eESPCIDoKN-2_GOT&q=85&s=c1a757ab51e9e0f62a9598b31c3c9091" alt="Create a new app integration dialog with SAML 2.0 selected as the sign-in method." width="1878" height="881" data-path="images/sso/okta_saml/okta-saml-create-app-integration.png" />
            </Frame>

            Enter a name (e.g. `Orq.ai SSO`) and click **Next**.

            <Frame caption="General settings">
              <img src="https://mintcdn.com/orqai/eESPCIDoKN-2_GOT/images/sso/okta_saml/okta-saml-general-settings.png?fit=max&auto=format&n=eESPCIDoKN-2_GOT&q=85&s=afe01ecddd94612103751a95c9512a7b" alt="Create SAML Integration wizard showing Step 1 General Settings with App name set to orq.ai." width="1891" height="895" data-path="images/sso/okta_saml/okta-saml-general-settings.png" />
            </Frame>
          </Step>

          <Step title="Configure SAML settings" icon="shield">
            Under **SAML Settings**, enter:

            * **Single sign-on URL**:
              ```
              https://my.orq.ai/v2/auth/sso/saml/callback
              ```
            * **Audience URI (SP Entity ID)**: the SP Entity ID defined in Step 1
            * **Name ID format**: `EmailAddress`
            * **Application username**: `Email`

            <Frame caption="SAML configuration">
              <img src="https://mintcdn.com/orqai/eESPCIDoKN-2_GOT/images/sso/okta_saml/okta-saml-configure-settings.png?fit=max&auto=format&n=eESPCIDoKN-2_GOT&q=85&s=ceb6074a9fd26625cbcf5f5d7316ccc2" alt="Create SAML Integration Step 2 showing Single sign-on URL and Audience URI fields." width="1895" height="889" data-path="images/sso/okta_saml/okta-saml-configure-settings.png" />
            </Frame>

            Click **Next**, then **Finish**.

            <Frame caption="Feedback step">
              <img src="https://mintcdn.com/orqai/eESPCIDoKN-2_GOT/images/sso/okta_saml/okta-saml-feedback.png?fit=max&auto=format&n=eESPCIDoKN-2_GOT&q=85&s=2b883ada743ce0c7ea48d3444a19e8eb" alt="Create SAML Integration Step 3 Feedback page with This is an internal app that we have created selected and a Finish button." width="1894" height="890" data-path="images/sso/okta_saml/okta-saml-feedback.png" />
            </Frame>
          </Step>

          <Step title="Configure attribute statements" icon="tags">
            Go to the **Sign On** tab and click **Edit** in the Settings section.

            <Frame caption="Sign On settings">
              <img src="https://mintcdn.com/orqai/eESPCIDoKN-2_GOT/images/sso/okta_saml/okta-saml-attribute-statements.png?fit=max&auto=format&n=eESPCIDoKN-2_GOT&q=85&s=eff9182d4258ac964489d3a5288d1ce4" alt="Okta Sign On tab showing an empty Attribute statements section and a Show legacy configuration toggle." width="1882" height="885" data-path="images/sso/okta_saml/okta-saml-attribute-statements.png" />
            </Frame>

            Under **Attribute Statements**, add these mappings:

            | Name        | Expression       |
            | ----------- | ---------------- |
            | `email`     | `user.email`     |
            | `firstName` | `user.firstName` |
            | `lastName`  | `user.lastName`  |

            <Tip>
              If a **Show legacy configuration** link appears, click it and use the classic format with Name, Name format (Basic), and Value columns.
            </Tip>

            <Frame caption="Legacy attribute configuration">
              <img src="https://mintcdn.com/orqai/eESPCIDoKN-2_GOT/images/sso/okta_saml/okta-saml-legacy-attributes.png?fit=max&auto=format&n=eESPCIDoKN-2_GOT&q=85&s=d5175f3e796758dba43814dcf69e2375" alt="Legacy Profile attribute statements showing email mapped to user.email, firstName to user.firstName, and lastName to user.lastName." width="1895" height="888" data-path="images/sso/okta_saml/okta-saml-legacy-attributes.png" />
            </Frame>

            Click **Save**.

            <Note>
              These attribute mappings are required for SAML to work correctly with **Orq.ai**.
            </Note>
          </Step>

          <Step title="Gather credentials" icon="key">
            In the **Sign On** tab, under **Settings**, click **Edit** to reveal the **Metadata details**.

            Collect these values:

            | Okta Field                      | Use in Orq.ai as                 |
            | ------------------------------- | -------------------------------- |
            | **Sign on URL**                 | **Single Sign-On URL**           |
            | **Issuer**                      | **Identity Provider Entity ID**  |
            | **Signing Certificate (X.509)** | **X.509 Certificate** (download) |

            <Frame caption="SAML metadata details">
              <img src="https://mintcdn.com/orqai/eESPCIDoKN-2_GOT/images/sso/okta_saml/okta-saml-collect-values.png?fit=max&auto=format&n=eESPCIDoKN-2_GOT&q=85&s=26f5e4d3537eef25602d97082a91b7a2" alt="Okta SAML 2.0 Metadata details showing Metadata URL, Sign on URL, Sign out URL, Issuer, and Signing Certificate for the orq.ai application." width="1885" height="875" data-path="images/sso/okta_saml/okta-saml-collect-values.png" />
            </Frame>
          </Step>

          <Step title="Assign users" icon="users">
            Go to the **Assignments** tab and click <kbd className="key">Assign</kbd> → <kbd className="key">Assign to People</kbd> or <kbd className="key">Assign to Groups</kbd>.

            Select the users or groups that should have access, then click <kbd className="key">Done</kbd>.

            <Frame caption="Assign users to the application">
              <img src="https://mintcdn.com/orqai/eESPCIDoKN-2_GOT/images/sso/okta_saml/okta-saml-assign-users.png?fit=max&auto=format&n=eESPCIDoKN-2_GOT&q=85&s=42a722488982e6d7709fbbbd4ca267e4" alt="Okta SAML application Assignments tab with the Assign dropdown open, showing Assign to People and Assign to Groups options." width="1888" height="872" data-path="images/sso/okta_saml/okta-saml-assign-users.png" />
            </Frame>

            <Note>
              By default, no users are assigned to a new Okta app.
            </Note>
          </Step>

          <Step title="Configure in Orq.ai" icon="circle-check">
            Navigate to **AI Studio** → **Organization** → **Auth**.

            Enter the credentials collected from Okta:

            1. Select **SAML**
            2. Enter the **Service Provider Entity ID** (from Step 1)
            3. Enter the **Identity Provider Entity ID** (Issuer from Okta)
            4. Enter the **Single Sign-On URL** (Sign on URL from Okta)
            5. For **X.509 Certificate**: open the downloaded certificate file in a text editor, copy all content including the `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----` lines, and paste it here
            6. Enter the organization's email domain(s) in **Allowed domains** (e.g., `orq.ai`)
            7. Click **Activate**

            <Frame caption="SAML configuration form">
              <img src="https://mintcdn.com/orqai/eESPCIDoKN-2_GOT/images/sso/platform_config/configure-saml.png?fit=max&auto=format&n=eESPCIDoKN-2_GOT&q=85&s=25560cd3f596a598af67cbdf52e4a365" alt="Configure Single Sign-On panel with SAML selected for Okta, showing fields for Service Provider Entity ID, Identity Provider Entity ID, Single Sign-On URL, X.509 Certificate, and Allowed domains." width="3416" height="1946" data-path="images/sso/platform_config/configure-saml.png" />
            </Frame>
          </Step>

          <Step title="Test the login" icon="party-horn">
            SSO is now configured. Users can sign in at:

            ```
            https://my.orq.ai/{your-workspace-key}/login
            ```

            <Frame caption="SSO login">
              <img src="https://mintcdn.com/orqai/3prGSMBQVxQFUZZt/images/sso/sso_login/sso-login-agnostic.png?fit=max&auto=format&n=3prGSMBQVxQFUZZt&q=85&s=1b7337671332e0411a92b2963185452c" alt="Orq.ai login page showing the Continue with SSO button after configuring Okta SAML." width="1901" height="992" data-path="images/sso/sso_login/sso-login-agnostic.png" />
            </Frame>
          </Step>
        </Steps>
      </Tab>
    </Tabs>
  </Accordion>

  <Accordion title="Microsoft Entra ID - Active Directory" icon="https://mintcdn.com/orqai/d-t0Z04KwFlGVsS1/images/logos/azure.svg?fit=max&auto=format&n=d-t0Z04KwFlGVsS1&q=85&s=aceb7fab6763d5b7ad595606503fe0a2" width="256" height="256" data-path="images/logos/azure.svg">
    <Tabs>
      <Tab title="OIDC" icon="bolt">
        <Steps>
          <Step title="Register an application in Azure" icon="circle-plus">
            Sign in to the [Azure portal](https://entra.microsoft.com) and navigate to **Microsoft Entra ID → App registrations**.

            <Frame caption="App registrations page">
              <img src="https://mintcdn.com/orqai/Wn8ERdoXUsqhmPIP/images/sso/azure_oidc/azure-oidc-app-registrations.png?fit=max&auto=format&n=Wn8ERdoXUsqhmPIP&q=85&s=5f18364c0f7dcec13eb3133323654bc0" alt="Azure Default Directory App registrations page with no applications registered and a Register an application button." width="1919" height="917" data-path="images/sso/azure_oidc/azure-oidc-app-registrations.png" />
            </Frame>

            Configure the registration:

            * **Name**: `Orq.ai` (or preferred name)
            * **Supported account types**: select based on the organization's needs
            * **Redirect URI**: select **Web** and enter:
              ```
              https://my.orq.ai/v2/auth/sso/oidc/callback
              ```

            Click **Register**.

            <Frame caption="Register an application">
              <img src="https://mintcdn.com/orqai/Wn8ERdoXUsqhmPIP/images/sso/azure_oidc/azure-oidc-register-application.png?fit=max&auto=format&n=Wn8ERdoXUsqhmPIP&q=85&s=619040402bb71986a5265f87dadedb7b" alt="Register an application page with Name set to orq.ai, single-tenant account type selected, and Redirect URI set to https://my.orq.ai/v2/auth/sso/oidc/callback." width="1912" height="927" data-path="images/sso/azure_oidc/azure-oidc-register-application.png" />
            </Frame>
          </Step>

          <Step title="Gather credentials" icon="key">
            **Get the Client ID:**

            From the app registration **Overview** page, copy the **Application (client) ID**: this is the **Client ID** for **Orq.ai**.

            <Frame caption="Application overview with Client ID">
              <img src="https://mintcdn.com/orqai/Wn8ERdoXUsqhmPIP/images/sso/azure_oidc/azure-oidc-app-overview.png?fit=max&auto=format&n=Wn8ERdoXUsqhmPIP&q=85&s=f268171e1a3d68455a434f275c06da83" alt="Azure orq.ai application overview showing the Application ID and Tenant ID in the Essentials section." width="1909" height="919" data-path="images/sso/azure_oidc/azure-oidc-app-overview.png" />
            </Frame>

            **Create a Client Secret:**

            Go to **Certificates & secrets → Client secrets → New client secret**.

            Add a description (e.g., `Orq.ai SSO`), select an expiration period, and click **Add**.

            <Frame caption="Add a client secret">
              <img src="https://mintcdn.com/orqai/Wn8ERdoXUsqhmPIP/images/sso/azure_oidc/azure-oidc-add-client-secret.png?fit=max&auto=format&n=Wn8ERdoXUsqhmPIP&q=85&s=7980c3ee477a599ed1ed06985ce3b44b" alt="Certificates and secrets page with the Add a client secret panel open, showing Description set to orq.ai SSO and Expires set to 730 days." width="1914" height="923" data-path="images/sso/azure_oidc/azure-oidc-add-client-secret.png" />
            </Frame>

            <Warning>
              **Copy the secret value immediately.** Azure only displays it once. If lost, generate a new secret.
            </Warning>

            Copy the **Value** field: this is the **Client Secret** for **Orq.ai**.

            <Frame caption="Client secret created">
              <img src="https://mintcdn.com/orqai/Wn8ERdoXUsqhmPIP/images/sso/azure_oidc/azure-oidc-client-secret-created.png?fit=max&auto=format&n=Wn8ERdoXUsqhmPIP&q=85&s=2c633c33856ed88df13032e2515507a3" alt="Certificates and secrets page showing the newly created orq.ai SSO client secret with its expiry date." width="1919" height="922" data-path="images/sso/azure_oidc/azure-oidc-client-secret-created.png" />
            </Frame>
          </Step>

          <Step title="Get the Provider URL" icon="link">
            The Provider URL is the tenant's issuer URL:

            ```
            https://login.microsoftonline.com/{tenant-id}/v2.0
            ```

            Replace `{tenant-id}` with the **Directory (tenant) ID**, found on the app registration overview page.

            <Frame caption="Application overview">
              <img src="https://mintcdn.com/orqai/Wn8ERdoXUsqhmPIP/images/sso/azure_oidc/azure-oidc-app-overview.png?fit=max&auto=format&n=Wn8ERdoXUsqhmPIP&q=85&s=f268171e1a3d68455a434f275c06da83" alt="Azure orq.ai application overview showing the Application ID and Tenant ID in the Essentials section." width="1909" height="919" data-path="images/sso/azure_oidc/azure-oidc-app-overview.png" />
            </Frame>
          </Step>

          <Step title="Configure API permissions" icon="shield-check">
            Go to **API permissions** and ensure these Microsoft Graph permissions are granted:

            * `openid`
            * `email`
            * `profile`

            <Frame caption="Request API permissions">
              <img src="https://mintcdn.com/orqai/Wn8ERdoXUsqhmPIP/images/sso/azure_oidc/azure-oidc-api-permissions-request.png?fit=max&auto=format&n=Wn8ERdoXUsqhmPIP&q=85&s=1a8de110e1ce9c9a1aadc0d6f3a4e087" alt="Azure API permissions page with the Request API permissions panel open, showing Microsoft Graph delegated permissions including email, openid, profile, and User.Read." width="1907" height="929" data-path="images/sso/azure_oidc/azure-oidc-api-permissions-request.png" />
            </Frame>

            Click **Grant admin consent** if required by the organization.

            <Frame caption="Configured API permissions">
              <img src="https://mintcdn.com/orqai/Wn8ERdoXUsqhmPIP/images/sso/azure_oidc/azure-oidc-api-permissions-configured.png?fit=max&auto=format&n=Wn8ERdoXUsqhmPIP&q=85&s=06ba91debadbf584dd767c556e06e5dc" alt="Azure API permissions page showing configured Microsoft Graph delegated permissions: email, openid, profile, and User.Read." width="1920" height="923" data-path="images/sso/azure_oidc/azure-oidc-api-permissions-configured.png" />
            </Frame>

            <Note>
              **Orq.ai** automatically requests the `User.Read` scope to retrieve user email addresses when the standard OIDC `email` claim is not available.
            </Note>
          </Step>

          <Step title="Configure in Orq.ai" icon="circle-check">
            Navigate to **AI Studio** → **Organization** → **Auth**.

            Enter the credentials collected from Azure:

            1. Select **OIDC** (selected by default)
            2. Enter the **Client ID**
            3. Enter the **Client Secret**
            4. Enter the **Provider URL**
            5. Enter the organization's email domain(s) in **Allowed domains** (e.g., `acme.com`)
            6. Click **Activate**

            <Frame caption="OIDC configuration form">
              <img src="https://mintcdn.com/orqai/eESPCIDoKN-2_GOT/images/sso/platform_config/configure-oidc.png?fit=max&auto=format&n=eESPCIDoKN-2_GOT&q=85&s=993b6152eef3ae82c9f00a65a6e4024b" alt="Configure Single Sign-On panel with OIDC selected for Microsoft Entra ID, showing fields for Client ID, Client Secret, Provider URL, and Allowed domains." width="3416" height="1946" data-path="images/sso/platform_config/configure-oidc.png" />
            </Frame>
          </Step>

          <Step title="Test the login" icon="party-horn">
            SSO is now configured. Users can sign in at:

            ```
            https://my.orq.ai/{your-workspace-key}/login
            ```

            <Frame caption="SSO login">
              <img src="https://mintcdn.com/orqai/3prGSMBQVxQFUZZt/images/sso/sso_login/sso-login-agnostic.png?fit=max&auto=format&n=3prGSMBQVxQFUZZt&q=85&s=1b7337671332e0411a92b2963185452c" alt="Orq.ai login page showing the Continue with SSO button after configuring Microsoft Entra ID OIDC." width="1901" height="992" data-path="images/sso/sso_login/sso-login-agnostic.png" />
            </Frame>
          </Step>
        </Steps>
      </Tab>

      <Tab title="SAML" icon="shield">
        <Steps>
          <Step title="Define the SP Entity ID" icon="fingerprint">
            Choose a unique identifier for the Service Provider Entity ID. We recommend:

            ```
            urn:orq.ai:{your-workspace-key}
            ```

            For example, if the workspace key is `acme-corp`, use `urn:orq.ai:acme-corp`.

            <Tip>
              The SP Entity ID must match exactly in both Azure and **Orq.ai**. Write it down; it is needed in multiple steps.
            </Tip>
          </Step>

          <Step title="Create an enterprise application in Azure" icon="circle-plus">
            In the [Azure portal](https://entra.microsoft.com), go to **Microsoft Entra ID → Enterprise applications → New application**.

            <Frame caption="Enterprise applications page">
              <img src="https://mintcdn.com/orqai/eESPCIDoKN-2_GOT/images/sso/azure_saml/azure-saml-enterprise-applications.png?fit=max&auto=format&n=eESPCIDoKN-2_GOT&q=85&s=34f9cbac55194b9c67412c3ccdc897b8" alt="Azure Enterprise applications page showing no applications found with a New application button." width="1910" height="912" data-path="images/sso/azure_saml/azure-saml-enterprise-applications.png" />
            </Frame>

            Click <kbd className="key">Create your own application</kbd>, name it (e.g. `Orq.ai SSO`), select **Integrate any other application you don't find in the gallery (Non-gallery)**, and click <kbd className="key">Create</kbd>.

            <Frame caption="Create your own application">
              <img src="https://mintcdn.com/orqai/eESPCIDoKN-2_GOT/images/sso/azure_saml/azure-saml-create-own-application.png?fit=max&auto=format&n=eESPCIDoKN-2_GOT&q=85&s=a2db1cc55f7a47d8e496174b6b73bde1" alt="Azure Browse Microsoft Entra App Gallery page with the Create your own application panel showing a Name field and integration type options." width="1918" height="935" data-path="images/sso/azure_saml/azure-saml-create-own-application.png" />
            </Frame>

            <Frame caption="Application overview">
              <img src="https://mintcdn.com/orqai/Wn8ERdoXUsqhmPIP/images/sso/azure_saml/azure-saml-app-overview.png?fit=max&auto=format&n=Wn8ERdoXUsqhmPIP&q=85&s=86c3cc4caf2901cf75835b9999bf721b" alt="Azure orq.ai Enterprise Application Overview showing Application ID, Object ID, and Getting Started steps for setup." width="1919" height="926" data-path="images/sso/azure_saml/azure-saml-app-overview.png" />
            </Frame>
          </Step>

          <Step title="Configure SAML" icon="shield">
            In the application, go to **Single sign-on** and select **SAML**.

            <Frame caption="Select single sign-on method">
              <img src="https://mintcdn.com/orqai/eESPCIDoKN-2_GOT/images/sso/azure_saml/azure-saml-select-method.png?fit=max&auto=format&n=eESPCIDoKN-2_GOT&q=85&s=1d30a67998aa18b29c26fb8ba331e0cd" alt="Azure Single sign-on method selection page for orq.ai showing options: Disabled, SAML, Password-based, and Linked." width="1913" height="916" data-path="images/sso/azure_saml/azure-saml-select-method.png" />
            </Frame>

            Under **Basic SAML Configuration**, click **Edit** and set:

            * **Identifier (Entity ID)**: the SP Entity ID defined in Step 1
            * **Reply URL (ACS URL)**:
              ```
              https://my.orq.ai/v2/auth/sso/saml/callback
              ```
            * **Sign on URL**:
              ```
              https://my.orq.ai/{your-workspace-key}/login
              ```

            Click **Save**.

            <Frame caption="Basic SAML Configuration">
              <img src="https://mintcdn.com/orqai/Wn8ERdoXUsqhmPIP/images/sso/azure_saml/azure-saml-basic-configuration-saved.png?fit=max&auto=format&n=Wn8ERdoXUsqhmPIP&q=85&s=d008f99cfa740074f6c2d0b1ca31ff31" alt="Azure SAML-based Sign-on page for orq.ai showing Basic SAML Configuration with Identifier, Reply URL, Sign on URL, and a token signing certificate." width="1905" height="921" data-path="images/sso/azure_saml/azure-saml-basic-configuration-saved.png" />
            </Frame>
          </Step>

          <Step title="Configure attributes and claims" icon="tags">
            Click **Edit** on **Attributes & Claims**.

            Verify or add these claim mappings:

            | Short name     | Full claim URI                                                       | Source attribute |
            | -------------- | -------------------------------------------------------------------- | ---------------- |
            | `emailaddress` | `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress` | `user.mail`      |
            | `givenname`    | `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname`    | `user.givenname` |
            | `surname`      | `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname`      | `user.surname`   |

            <Frame caption="Email claim mapping">
              <img src="https://mintcdn.com/orqai/Wn8ERdoXUsqhmPIP/images/sso/azure_saml/azure-saml-claim-emailaddress.png?fit=max&auto=format&n=Wn8ERdoXUsqhmPIP&q=85&s=c19f731576f565c891bd2b2b6ab65a33" alt="Manage claim page with Name set to emailaddress and Source attribute set to user.mail." width="1914" height="922" data-path="images/sso/azure_saml/azure-saml-claim-emailaddress.png" />
            </Frame>

            <Frame caption="First name claim mapping">
              <img src="https://mintcdn.com/orqai/Wn8ERdoXUsqhmPIP/images/sso/azure_saml/azure-saml-claim-givenname.png?fit=max&auto=format&n=Wn8ERdoXUsqhmPIP&q=85&s=6dc48e1164cea7af7a9af4eb57034f9d" alt="Manage claim page with Name set to givenname and Source attribute set to user.givenname." width="1915" height="926" data-path="images/sso/azure_saml/azure-saml-claim-givenname.png" />
            </Frame>

            <Frame caption="Last name claim mapping">
              <img src="https://mintcdn.com/orqai/Wn8ERdoXUsqhmPIP/images/sso/azure_saml/azure-saml-claim-surname.png?fit=max&auto=format&n=Wn8ERdoXUsqhmPIP&q=85&s=106180024e911d5e6a68135cd7dbbb72" alt="Manage claim page with Name set to surname and Source attribute set to user.surname." width="1909" height="922" data-path="images/sso/azure_saml/azure-saml-claim-surname.png" />
            </Frame>

            <Frame caption="Claims overview">
              <img src="https://mintcdn.com/orqai/Wn8ERdoXUsqhmPIP/images/sso/azure_saml/azure-saml-claims-overview.png?fit=max&auto=format&n=Wn8ERdoXUsqhmPIP&q=85&s=a49a51d26bcf6aeb0f7a72a9dc4ec10c" alt="Attributes and Claims page showing the required Unique User Identifier claim and additional claims for emailaddress, givenname, and surname mapped to user attributes." width="1904" height="929" data-path="images/sso/azure_saml/azure-saml-claims-overview.png" />
            </Frame>

            <Note>
              **Orq.ai** supports both standard attribute names and full Microsoft Entra ID claim URIs (e.g., `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress`). The default Entra ID claim mappings work out of the box.
            </Note>
          </Step>

          <Step title="Gather credentials" icon="key">
            On the SAML configuration page, collect these values:

            **From the "Set up" section:**

            * **Login URL**: use as the **Single Sign-On URL** in **Orq.ai**
            * **Microsoft Entra Identifier**: use as the **Identity Provider Entity ID** in **Orq.ai**

            **From the "SAML Certificates" section:**

            * Click **Download** next to **Certificate (Base64)** and save the file

            <Frame caption="SAML credentials">
              <img src="https://mintcdn.com/orqai/eESPCIDoKN-2_GOT/images/sso/azure_saml/azure-saml-collect-values.png?fit=max&auto=format&n=eESPCIDoKN-2_GOT&q=85&s=8ffca2d811330e219e841ba8f8354694" alt="Azure SAML-based Sign-on page showing SAML Certificates with the App Federation Metadata URL and Set up orq.ai section with Login URL and Microsoft Entra Identifier." width="1900" height="909" data-path="images/sso/azure_saml/azure-saml-collect-values.png" />
            </Frame>
          </Step>

          <Step title="Assign users and groups" icon="users">
            Go to **Users and groups** (left menu) and click **Add user/group**.

            Select the users or groups that should have access to **Orq.ai**, then click <kbd className="key">Assign</kbd>.

            <Frame caption="Assign users and groups">
              <img src="https://mintcdn.com/orqai/eESPCIDoKN-2_GOT/images/sso/azure_saml/azure-saml-users-and-groups.png?fit=max&auto=format&n=eESPCIDoKN-2_GOT&q=85&s=db6818e55691fb7b5f150132452961d1" alt="Azure orq.ai Users and groups page showing no application assignments with an Add user/group button." width="1909" height="920" data-path="images/sso/azure_saml/azure-saml-users-and-groups.png" />
            </Frame>

            <Note>
              By default, any user in the directory can authenticate. Assigning specific users or groups restricts access.
            </Note>
          </Step>

          <Step title="Configure in Orq.ai" icon="circle-check">
            Navigate to **AI Studio** → **Organization** → **Auth**.

            Enter the credentials collected from Azure:

            1. Select **SAML**
            2. Enter the **Service Provider Entity ID** (from Step 1)
            3. Enter the **Identity Provider Entity ID** (Microsoft Entra Identifier from Azure)
            4. Enter the **Single Sign-On URL** (Login URL from Azure)
            5. For **X.509 Certificate**: open the downloaded certificate file in a text editor, copy all content including the `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----` lines, and paste it here
            6. Enter the organization's email domain(s) in **Allowed domains** (e.g., `orq.ai`)
            7. Click **Activate**

            <Frame caption="SAML configuration form">
              <img src="https://mintcdn.com/orqai/eESPCIDoKN-2_GOT/images/sso/platform_config/configure-saml.png?fit=max&auto=format&n=eESPCIDoKN-2_GOT&q=85&s=25560cd3f596a598af67cbdf52e4a365" alt="Configure Single Sign-On panel with SAML selected for Microsoft Entra ID, showing fields for Service Provider Entity ID, Identity Provider Entity ID, Single Sign-On URL, X.509 Certificate, and Allowed domains." width="3416" height="1946" data-path="images/sso/platform_config/configure-saml.png" />
            </Frame>
          </Step>

          <Step title="Test the login" icon="party-horn">
            SSO is now configured. Users can sign in at:

            ```
            https://my.orq.ai/{your-workspace-key}/login
            ```

            <Frame caption="SSO login">
              <img src="https://mintcdn.com/orqai/3prGSMBQVxQFUZZt/images/sso/sso_login/sso-login-agnostic.png?fit=max&auto=format&n=3prGSMBQVxQFUZZt&q=85&s=1b7337671332e0411a92b2963185452c" alt="Orq.ai login page showing the Continue with SSO button after configuring Microsoft Entra ID SAML." width="1901" height="992" data-path="images/sso/sso_login/sso-login-agnostic.png" />
            </Frame>
          </Step>
        </Steps>
      </Tab>
    </Tabs>
  </Accordion>

  <Accordion title="Keycloak" icon="https://mintcdn.com/orqai/apdBV0S0bHg71CI1/images/logos/keycloak.svg?fit=max&auto=format&n=apdBV0S0bHg71CI1&q=85&s=336d70ff06889d618aba5197a2287f6d" width="24" height="24" data-path="images/logos/keycloak.svg">
    <Tabs>
      <Tab title="OIDC" icon="bolt">
        <Steps>
          <Step title="Choose or create a realm" icon="globe">
            Log in to the **Keycloak admin console**. From the realm dropdown (top-left), select an existing realm or click **Create realm**. Note the realm name; it is needed for the Provider URL.

            <Note>
              Keycloak may update their admin console interface over time. Refer to [Keycloak's official documentation](https://www.keycloak.org/documentation) if any steps differ.
            </Note>
          </Step>

          <Step title="Create a new client" icon="circle-plus">
            In the chosen realm, navigate to **Clients** and click **Create client**.

            <Frame caption="Keycloak Clients page">
              <img src="https://mintcdn.com/orqai/3prGSMBQVxQFUZZt/images/sso/keycloak_oidc/keycloak-oidc-clients-page.png?fit=max&auto=format&n=3prGSMBQVxQFUZZt&q=85&s=be3e02b0133234a4ada678fb4fd1d972" alt="Keycloak Clients page showing the list of clients with a Create client button." width="1505" height="804" data-path="images/sso/keycloak_oidc/keycloak-oidc-clients-page.png" />
            </Frame>

            Configure the General Settings:

            | Field           | Value                              |
            | --------------- | ---------------------------------- |
            | **Client type** | `OpenID Connect`                   |
            | **Client ID**   | `orq-ai` (or preferred identifier) |
            | **Name**        | `orq.ai` (optional display name)   |

            Click **Next**.

            <Frame caption="General settings">
              <img src="https://mintcdn.com/orqai/3prGSMBQVxQFUZZt/images/sso/keycloak_oidc/keycloak-oidc-general-settings.png?fit=max&auto=format&n=3prGSMBQVxQFUZZt&q=85&s=e62d3a16c8792676191d3808de48545b" alt="Keycloak Create client General Settings form showing Client type set to OpenID Connect and Client ID set to orq-ai." width="1689" height="874" data-path="images/sso/keycloak_oidc/keycloak-oidc-general-settings.png" />
            </Frame>
          </Step>

          <Step title="Configure capability config" icon="sliders">
            Enable the following:

            | Field                     | Value |
            | ------------------------- | ----- |
            | **Client authentication** | `On`  |
            | **Standard flow**         | `On`  |

            Leave **Direct access grants**, **Implicit flow**, and **Service accounts roles** off unless the organization requires them. Click **Next**.

            <Frame caption="Capability config">
              <img src="https://mintcdn.com/orqai/3prGSMBQVxQFUZZt/images/sso/keycloak_oidc/keycloak-oidc-capability-config.png?fit=max&auto=format&n=3prGSMBQVxQFUZZt&q=85&s=06b972b8509cd60471017f00cd58f3a8" alt="Keycloak capability config step showing Client authentication On and Standard flow On." width="1620" height="888" data-path="images/sso/keycloak_oidc/keycloak-oidc-capability-config.png" />
            </Frame>
          </Step>

          <Step title="Configure login settings" icon="link">
            Enter the following:

            | Field                   | Value                                         |
            | ----------------------- | --------------------------------------------- |
            | **Valid redirect URIs** | `https://my.orq.ai/v2/auth/sso/oidc/callback` |
            | **Web origins**         | `https://my.orq.ai`                           |

            Click **Save**.

            <Frame caption="Login settings">
              <img src="https://mintcdn.com/orqai/3prGSMBQVxQFUZZt/images/sso/keycloak_oidc/keycloak-oidc-login-settings.png?fit=max&auto=format&n=3prGSMBQVxQFUZZt&q=85&s=bec83b8ac2e35479d1433344741e2ef8" alt="Keycloak Login settings form showing Valid redirect URIs and Web origins fields configured for orq.ai." width="1672" height="877" data-path="images/sso/keycloak_oidc/keycloak-oidc-login-settings.png" />
            </Frame>
          </Step>

          <Step title="Collect the Client Secret" icon="key">
            Open the client just created, go to the **Credentials** tab, and copy the **Client Secret**.

            <Frame caption="Credentials tab">
              <img src="https://mintcdn.com/orqai/3prGSMBQVxQFUZZt/images/sso/keycloak_oidc/keycloak-oidc-client-secret.png?fit=max&auto=format&n=3prGSMBQVxQFUZZt&q=85&s=6bf0f397f9ac62247f3135c5c8184e46" alt="Keycloak Credentials tab showing the Client Secret field with a Copy button." width="1738" height="850" data-path="images/sso/keycloak_oidc/keycloak-oidc-client-secret.png" />
            </Frame>
          </Step>

          <Step title="Collect configuration values" icon="clipboard-list">
            The OIDC Issuer URL follows this pattern:

            ```
            https://{your-keycloak-domain}/realms/{realm-name}
            ```

            For example, with Keycloak at `https://auth.example.com` and realm `orq-prod`:

            ```
            https://auth.example.com/realms/orq-prod
            ```

            <Tip>
              Verify the Provider URL by visiting `{issuer-url}/.well-known/openid-configuration` in a browser; it should return a JSON discovery document.
            </Tip>

            | Field             | Where to Find                                        |
            | ----------------- | ---------------------------------------------------- |
            | **Client ID**     | The Client ID entered in Step 2                      |
            | **Client Secret** | Copied from the **Credentials** tab                  |
            | **Provider URL**  | `https://{your-keycloak-domain}/realms/{realm-name}` |
          </Step>

          <Step title="Assign users" icon="users">
            Any user in the realm can sign in by default. To restrict access, configure client-level roles and assign them:

            1. Open the client → **Roles** tab → create roles as needed
            2. Open **Users** → select user → **Role mappings** → assign the client roles

            <Frame caption="Assign roles to users">
              <img src="https://mintcdn.com/orqai/3prGSMBQVxQFUZZt/images/sso/keycloak_oidc/keycloak-oidc-assign-users.png?fit=max&auto=format&n=3prGSMBQVxQFUZZt&q=85&s=86350034edafee066268b87af4feb3b0" alt="Keycloak user role mappings page showing client roles being assigned to a user." width="1694" height="808" data-path="images/sso/keycloak_oidc/keycloak-oidc-assign-users.png" />
            </Frame>
          </Step>

          <Step title="Configure in Orq.ai" icon="circle-check">
            Navigate to **AI Studio** → **Organization** → **Auth**.

            1. Select **OIDC**
            2. Enter the **Client ID**
            3. Enter the **Client Secret**
            4. Enter the **Provider URL** (the Issuer URL from Keycloak)
            5. Enter the organization's email domain(s) in **Allowed domains**
            6. Click **Activate**

            <Frame caption="OIDC configuration form">
              <img src="https://mintcdn.com/orqai/eESPCIDoKN-2_GOT/images/sso/platform_config/configure-oidc.png?fit=max&auto=format&n=eESPCIDoKN-2_GOT&q=85&s=993b6152eef3ae82c9f00a65a6e4024b" alt="Configure Single Sign-On panel with OIDC selected for Keycloak, showing fields for Client ID, Client Secret, Provider URL, and Allowed domains." width="3416" height="1946" data-path="images/sso/platform_config/configure-oidc.png" />
            </Frame>
          </Step>

          <Step title="Test the login" icon="party-horn">
            SSO is now configured. Users can sign in at:

            ```
            https://my.orq.ai/{your-workspace-key}/login
            ```

            <Frame caption="SSO login">
              <img src="https://mintcdn.com/orqai/3prGSMBQVxQFUZZt/images/sso/sso_login/sso-login-agnostic.png?fit=max&auto=format&n=3prGSMBQVxQFUZZt&q=85&s=1b7337671332e0411a92b2963185452c" alt="Orq.ai login page showing the Continue with SSO button after configuring Keycloak OIDC." width="1901" height="992" data-path="images/sso/sso_login/sso-login-agnostic.png" />
            </Frame>
          </Step>
        </Steps>
      </Tab>

      <Tab title="SAML" icon="shield">
        <Steps>
          <Step title="Define the SP Entity ID" icon="fingerprint">
            Choose a unique identifier for the SP Entity ID. It must match exactly in both **Keycloak** and **Orq.ai**. We recommend:

            ```
            urn:orq.ai:{your-workspace-key}
            ```

            For example: `urn:orq.ai:example-corp`.

            <Tip>
              Write it down; it is needed in multiple steps.
            </Tip>
          </Step>

          <Step title="Choose or create a realm" icon="globe">
            Log in to the **Keycloak admin console**. From the realm dropdown (top-left), select an existing realm or click **Create realm**. Note the realm name.

            <Note>
              Keycloak may update their admin console interface over time. Refer to [Keycloak's official documentation](https://www.keycloak.org/documentation) if any steps differ.
            </Note>
          </Step>

          <Step title="Create a new SAML client" icon="circle-plus">
            In the chosen realm, navigate to **Clients** and click **Create client**.

            <Frame caption="Keycloak Clients page">
              <img src="https://mintcdn.com/orqai/3prGSMBQVxQFUZZt/images/sso/keycloak_oidc/keycloak-oidc-clients-page.png?fit=max&auto=format&n=3prGSMBQVxQFUZZt&q=85&s=be3e02b0133234a4ada678fb4fd1d972" alt="Keycloak Clients page showing the list of active clients with a Create client button, accessed the same way for SAML client creation." width="1505" height="804" data-path="images/sso/keycloak_oidc/keycloak-oidc-clients-page.png" />
            </Frame>

            Configure the General Settings:

            | Field           | Value                                                          |
            | --------------- | -------------------------------------------------------------- |
            | **Client type** | `SAML`                                                         |
            | **Client ID**   | The SP Entity ID from Step 1 (e.g., `urn:orq.ai:example-corp`) |
            | **Name**        | `orq.ai` (optional display name)                               |

            Click **Next**.

            <Frame caption="General settings">
              <img src="https://mintcdn.com/orqai/3prGSMBQVxQFUZZt/images/sso/keycloak_saml/keycloak-saml-general-settings.png?fit=max&auto=format&n=3prGSMBQVxQFUZZt&q=85&s=5fb338b7506cdef5ad0625d25897d9cd" alt="Keycloak Create SAML client General Settings form showing Client type set to SAML and Client ID set to the SP Entity ID." width="1676" height="884" data-path="images/sso/keycloak_saml/keycloak-saml-general-settings.png" />
            </Frame>
          </Step>

          <Step title="Configure login settings" icon="link">
            Enter the following:

            | Field                          | Value                                         |
            | ------------------------------ | --------------------------------------------- |
            | **Valid redirect URIs**        | `https://my.orq.ai/v2/auth/sso/saml/callback` |
            | **Master SAML Processing URL** | `https://my.orq.ai/v2/auth/sso/saml/callback` |

            Click **Save**.

            <Frame caption="Login settings">
              <img src="https://mintcdn.com/orqai/3prGSMBQVxQFUZZt/images/sso/keycloak_saml/keycloak-saml-login-settings.png?fit=max&auto=format&n=3prGSMBQVxQFUZZt&q=85&s=7df2ddad168035a038680598f48cff5c" alt="Keycloak SAML client Login settings form showing Valid redirect URIs and Master SAML Processing URL." width="1668" height="876" data-path="images/sso/keycloak_saml/keycloak-saml-login-settings.png" />
            </Frame>
          </Step>

          <Step title="Configure SAML signing" icon="shield">
            Open the client → **Settings** tab. Scroll to **SAML capabilities** and **Signature and Encryption** sections.

            Set the following:

            | Field               | Value   |
            | ------------------- | ------- |
            | **Sign assertions** | `On`    |
            | **Sign documents**  | `On`    |
            | **Name ID format**  | `email` |

            Click **Save**.

            <Frame caption="SAML signing settings">
              <img src="https://mintcdn.com/orqai/3prGSMBQVxQFUZZt/images/sso/keycloak_saml/keycloak-saml-signing-settings.png?fit=max&auto=format&n=3prGSMBQVxQFUZZt&q=85&s=da99b82f57f8b81716cd56472386808a" alt="Keycloak SAML client Settings tab showing Sign assertions and Sign documents enabled." width="1398" height="668" data-path="images/sso/keycloak_saml/keycloak-saml-signing-settings.png" />
            </Frame>

            <Frame caption="SAML signing settings continued">
              <img src="https://mintcdn.com/orqai/3prGSMBQVxQFUZZt/images/sso/keycloak_saml/keycloak-saml-signing-settings2.png?fit=max&auto=format&n=3prGSMBQVxQFUZZt&q=85&s=1f9f28a854929bb6696287d06e47c5ca" alt="Keycloak SAML client Settings tab showing Name ID format set to email." width="1380" height="669" data-path="images/sso/keycloak_saml/keycloak-saml-signing-settings2.png" />
            </Frame>
          </Step>

          <Step title="Disable client signature requirement" icon="key">
            Open the client → **Keys** tab.

            Under **Signing keys config**, set:

            | Field                         | Value |
            | ----------------------------- | ----- |
            | **Client signature required** | `Off` |

            Under **Encryption keys config**, confirm:

            | Field                  | Value |
            | ---------------------- | ----- |
            | **Encrypt assertions** | `Off` |

            <Frame caption="Keys tab configuration">
              <img src="https://mintcdn.com/orqai/3prGSMBQVxQFUZZt/images/sso/keycloak_saml/keycloak-saml-keys-tab.png?fit=max&auto=format&n=3prGSMBQVxQFUZZt&q=85&s=5ac3c41dfa5dbbbf7814d2cf46a7d839" alt="Keycloak SAML client Keys tab showing Client signature required set to Off and Encrypt assertions set to Off." width="1717" height="871" data-path="images/sso/keycloak_saml/keycloak-saml-keys-tab.png" />
            </Frame>

            <Warning>
              `Client signature required` defaults to **On** in Keycloak: turn it **Off**. **Orq.ai** does not sign outbound SAML AuthnRequests, so leaving this on causes Keycloak to reject every login attempt.

              `Encrypt assertions` must remain **Off**. **Orq.ai** does not decrypt assertions.
            </Warning>
          </Step>

          <Step title="Configure SAML attribute mappers" icon="tags">
            A new Keycloak SAML client only sends the NameID and role list by default, not email, first name, or last name. Add mappers so **Orq.ai** can populate the user profile.

            1. Open the client → **Client scopes** tab
            2. Click the dedicated scope row (named `{client-id}-dedicated`)
            3. Open the **Mappers** tab inside that scope

            **Option A (recommended): Add predefined X500 mappers**

            1. Click **Add predefined mapper**
            2. Select these three rows:
               * `X500 email`
               * `X500 givenName`
               * `X500 surname`
            3. Click **Add**

            <Frame caption="Predefined X500 mappers added to the dedicated scope">
              <img src="https://mintcdn.com/orqai/3prGSMBQVxQFUZZt/images/sso/keycloak_saml/keycloak-saml-mappers.png?fit=max&auto=format&n=3prGSMBQVxQFUZZt&q=85&s=180caa709249da1dec2b8fe08a08d4da" alt="Keycloak dedicated client scope Mappers tab showing X500 email, givenName, and surname mappers added." width="1732" height="825" data-path="images/sso/keycloak_saml/keycloak-saml-mappers.png" />
            </Frame>

            <Frame caption="Mapper detail view">
              <img src="https://mintcdn.com/orqai/3prGSMBQVxQFUZZt/images/sso/keycloak_saml/keycloak-saml-mappers2.png?fit=max&auto=format&n=3prGSMBQVxQFUZZt&q=85&s=fdbec91ffde4899385dce8478d5b651d" alt="Keycloak mapper detail showing X500 email mapper configured with SAML Attribute Name and NameFormat." width="1667" height="812" data-path="images/sso/keycloak_saml/keycloak-saml-mappers2.png" />
            </Frame>

            **Option B: Configure custom mappers with simple names**

            Click **Configure a new mapper**, select **User Property**, and create three mappers:

            | Mapper      | Property    | SAML Attribute Name | NameFormat |
            | ----------- | ----------- | ------------------- | ---------- |
            | `email`     | `email`     | `email`             | `Basic`    |
            | `firstName` | `firstName` | `firstName`         | `Basic`    |
            | `lastName`  | `lastName`  | `lastName`          | `Basic`    |
          </Step>

          <Step title="Download the realm signing certificate" icon="certificate">
            1. In the left navigation, click **Realm settings**
            2. Open the **Keys** tab → **Keys list** sub-tab
            3. Find the row where **Algorithm = `RS256`**, **Type = `RSA`**, **Use = `SIG`**
            4. In the **Public keys** column, click **Certificate**
            5. Copy the entire base64 value from the modal

            <Frame caption="Realm settings Keys tab, Certificate modal">
              <img src="https://mintcdn.com/orqai/3prGSMBQVxQFUZZt/images/sso/keycloak_saml/keycloak-saml-realm-keys.png?fit=max&auto=format&n=3prGSMBQVxQFUZZt&q=85&s=ba709f2ea7d2d7443930b4be2f3cefa3" alt="Keycloak Realm settings Keys tab showing the RS256 SIG key row with a Certificate button." width="1880" height="720" data-path="images/sso/keycloak_saml/keycloak-saml-realm-keys.png" />
            </Frame>

            <Tip>
              **Orq.ai** accepts the certificate as raw base64 or PEM-wrapped with `-----BEGIN CERTIFICATE-----` / `-----END CERTIFICATE-----` markers. Pasting raw base64 directly works.
            </Tip>
          </Step>

          <Step title="Collect configuration values" icon="clipboard-list">
            The SAML endpoints follow these patterns:

            | Field                           | Pattern                                                            |
            | ------------------------------- | ------------------------------------------------------------------ |
            | **Identity Provider Entity ID** | `https://{your-keycloak-domain}/realms/{realm-name}`               |
            | **Single Sign-On URL**          | `https://{your-keycloak-domain}/realms/{realm-name}/protocol/saml` |

            For example with Keycloak at `https://auth.example.com` and realm `orq-prod`:

            * IdP Entity ID: `https://auth.example.com/realms/orq-prod`
            * SSO URL: `https://auth.example.com/realms/orq-prod/protocol/saml`
          </Step>

          <Step title="Configure in Orq.ai" icon="circle-check">
            Navigate to **AI Studio** → **Organization** → **Auth**.

            1. Select **SAML**
            2. Enter the **Service Provider Entity ID** (from Step 1)
            3. Enter the **Identity Provider Entity ID**
            4. Enter the **Single Sign-On URL**
            5. Paste the **X.509 Certificate** copied from Realm settings
            6. Enter the organization's email domain(s) in **Allowed domains**
            7. Click **Activate**

            <Frame caption="SAML configuration form">
              <img src="https://mintcdn.com/orqai/eESPCIDoKN-2_GOT/images/sso/platform_config/configure-saml.png?fit=max&auto=format&n=eESPCIDoKN-2_GOT&q=85&s=25560cd3f596a598af67cbdf52e4a365" alt="Configure Single Sign-On panel with SAML selected for Keycloak, showing fields for Service Provider Entity ID, Identity Provider Entity ID, Single Sign-On URL, X.509 Certificate, and Allowed domains." width="3416" height="1946" data-path="images/sso/platform_config/configure-saml.png" />
            </Frame>
          </Step>

          <Step title="Test the login" icon="party-horn">
            SSO is now configured. Users can sign in at:

            ```
            https://my.orq.ai/{your-workspace-key}/login
            ```

            <Frame caption="SSO login">
              <img src="https://mintcdn.com/orqai/3prGSMBQVxQFUZZt/images/sso/sso_login/sso-login-agnostic.png?fit=max&auto=format&n=3prGSMBQVxQFUZZt&q=85&s=1b7337671332e0411a92b2963185452c" alt="Orq.ai login page showing the Continue with SSO button after configuring Keycloak SAML." width="1901" height="992" data-path="images/sso/sso_login/sso-login-agnostic.png" />
            </Frame>
          </Step>
        </Steps>
      </Tab>
    </Tabs>
  </Accordion>

  <Accordion title="Authentik" icon="https://mintcdn.com/orqai/apdBV0S0bHg71CI1/images/logos/authentik.svg?fit=max&auto=format&n=apdBV0S0bHg71CI1&q=85&s=7a3cd3dc495b3cd527ba4808b78f4d05" width="1000" height="1000" data-path="images/logos/authentik.svg">
    <Tabs>
      <Tab title="OIDC" icon="bolt">
        <Steps>
          <Step title="Create a new provider" icon="circle-plus">
            Log in to the **Authentik admin interface** and navigate to **Applications → Providers**.

            <Frame caption="Authentik Providers page">
              <img src="https://mintcdn.com/orqai/3prGSMBQVxQFUZZt/images/sso/authentik_oidc/authentik-oidc-providers-page.png?fit=max&auto=format&n=3prGSMBQVxQFUZZt&q=85&s=7b975e86231129ea4be9a18b59e4a282" alt="Authentik Providers page showing the list of providers with a Create button." width="1489" height="777" data-path="images/sso/authentik_oidc/authentik-oidc-providers-page.png" />
            </Frame>

            Click **Create**, select **OAuth2/OpenID Provider**, and click **Next**.

            <Frame caption="Select provider type">
              <img src="https://mintcdn.com/orqai/3prGSMBQVxQFUZZt/images/sso/authentik_oidc/authentik-oidc-select-provider-type.png?fit=max&auto=format&n=3prGSMBQVxQFUZZt&q=85&s=1c34287f5a2954c50f72a442c06f1f85" alt="Authentik provider type selection showing OAuth2/OpenID Provider highlighted." width="1628" height="870" data-path="images/sso/authentik_oidc/authentik-oidc-select-provider-type.png" />
            </Frame>

            <Note>
              Authentik may update their admin interface over time. Refer to [Authentik's official documentation](https://docs.goauthentik.io/) if any steps differ.
            </Note>
          </Step>

          <Step title="Configure provider settings and collect credentials" icon="sliders">
            Enter the following values:

            | Field                       | Value                                                       |
            | --------------------------- | ----------------------------------------------------------- |
            | **Name**                    | `orq.ai` (or preferred name)                                |
            | **Authorization flow**      | `default-provider-authorization-implicit-consent`           |
            | **Client type**             | `Confidential`                                              |
            | **Redirect URIs / Origins** | `https://my.orq.ai/v2/auth/sso/oidc/callback` (Strict mode) |

            <Warning>
              Authentik pre-generates the **Client ID** and **Client Secret** inside this form. Copy both values now; they are needed to configure **Orq.ai** in the final step.
            </Warning>

            <Frame caption="Configure OAuth2/OpenID provider">
              <img src="https://mintcdn.com/orqai/3prGSMBQVxQFUZZt/images/sso/authentik_oidc/authentik-oidc-configure-provider.png?fit=max&auto=format&n=3prGSMBQVxQFUZZt&q=85&s=23b0ced08aa538a3408bfc2a09f9ed51" alt="Authentik OAuth2/OpenID provider configuration form showing the Client ID, Client Secret, and Redirect URI fields." width="1658" height="888" data-path="images/sso/authentik_oidc/authentik-oidc-configure-provider.png" />
            </Frame>

            Click **Finish**.
          </Step>

          <Step title="Create an application" icon="browser">
            Navigate to **Applications → Applications** and click **Create**.

            <Frame caption="Authentik Applications page">
              <img src="https://mintcdn.com/orqai/3prGSMBQVxQFUZZt/images/sso/authentik_oidc/authentik-oidc-applications-page.png?fit=max&auto=format&n=3prGSMBQVxQFUZZt&q=85&s=cd4f9381ea2a7e3368e086a8b638bb98" alt="Authentik Applications page showing the list of applications with a Create button." width="1461" height="826" data-path="images/sso/authentik_oidc/authentik-oidc-applications-page.png" />
            </Frame>

            Enter the following:

            | Field        | Value                                        |
            | ------------ | -------------------------------------------- |
            | **Name**     | `orq.ai`                                     |
            | **Slug**     | `orq-ai` (becomes part of the Issuer URL)    |
            | **Provider** | The OAuth2/OpenID provider created in Step 1 |

            Click **Create**.

            <Frame caption="Create application">
              <img src="https://mintcdn.com/orqai/3prGSMBQVxQFUZZt/images/sso/authentik_oidc/authentik-oidc-create-application.png?fit=max&auto=format&n=3prGSMBQVxQFUZZt&q=85&s=99a7251c182500c87d7392cc754774a9" alt="Authentik Create application form showing Name, Slug, and Provider fields." width="1517" height="920" data-path="images/sso/authentik_oidc/authentik-oidc-create-application.png" />
            </Frame>
          </Step>

          <Step title="Get the Provider URL" icon="link">
            The OIDC Issuer URL follows this pattern:

            ```
            https://{your-authentik-domain}/application/o/{application-slug}/
            ```

            For example, with Authentik at `https://auth.example.com` and slug `orq-ai`:

            ```
            https://auth.example.com/application/o/orq-ai/
            ```

            <Warning>
              The trailing slash on the Issuer URL is required. Authentik's discovery endpoint fails without it.
            </Warning>
          </Step>

          <Step title="Assign users" icon="users">
            Open the application, go to the **Policy / Group / User Bindings** tab, and add a binding for the users or groups that should have access.

            <Frame caption="User bindings">
              <img src="https://mintcdn.com/orqai/3prGSMBQVxQFUZZt/images/sso/authentik_oidc/authentik-oidc-user-bindings.png?fit=max&auto=format&n=3prGSMBQVxQFUZZt&q=85&s=7a81bd658121d8d93641bf7f645a8c7e" alt="Authentik application Policy/Group/User Bindings tab showing a binding added for a user group." width="1879" height="879" data-path="images/sso/authentik_oidc/authentik-oidc-user-bindings.png" />
            </Frame>

            <Note>
              If no bindings are configured, every authenticated Authentik user can access the application. If a binding excludes the user, Authentik shows `Request has been denied. Unknown error` on sign-in.
            </Note>
          </Step>

          <Step title="Configure in Orq.ai" icon="circle-check">
            Navigate to **AI Studio** → **Organization** → **Auth**.

            1. Select **OIDC**
            2. Enter the **Client ID** (copied in Step 2)
            3. Enter the **Client Secret** (copied in Step 2)
            4. Enter the **Provider URL** (the Issuer URL from Authentik, with trailing slash)
            5. Enter the organization's email domain(s) in **Allowed domains**
            6. Click **Activate**

            <Frame caption="OIDC configuration form">
              <img src="https://mintcdn.com/orqai/eESPCIDoKN-2_GOT/images/sso/platform_config/configure-oidc.png?fit=max&auto=format&n=eESPCIDoKN-2_GOT&q=85&s=993b6152eef3ae82c9f00a65a6e4024b" alt="Configure Single Sign-On panel with OIDC selected for Authentik, showing fields for Client ID, Client Secret, Provider URL, and Allowed domains." width="3416" height="1946" data-path="images/sso/platform_config/configure-oidc.png" />
            </Frame>
          </Step>

          <Step title="Test the login" icon="party-horn">
            SSO is now configured. Users can sign in at:

            ```
            https://my.orq.ai/{your-workspace-key}/login
            ```

            <Frame caption="SSO login">
              <img src="https://mintcdn.com/orqai/3prGSMBQVxQFUZZt/images/sso/sso_login/sso-login-agnostic.png?fit=max&auto=format&n=3prGSMBQVxQFUZZt&q=85&s=1b7337671332e0411a92b2963185452c" alt="Orq.ai login page showing the Continue with SSO button after configuring Authentik OIDC." width="1901" height="992" data-path="images/sso/sso_login/sso-login-agnostic.png" />
            </Frame>
          </Step>
        </Steps>
      </Tab>

      <Tab title="SAML" icon="shield">
        <Steps>
          <Step title="Define the SP Entity ID" icon="fingerprint">
            Choose a unique identifier for the SP Entity ID. It must match exactly in both **Authentik** and **Orq.ai**. Recommended format:

            ```
            urn:orq.ai:{your-workspace-key}
            ```

            For example: `urn:orq.ai:example-corp`.

            <Tip>
              Write it down; it is needed in multiple steps.
            </Tip>
          </Step>

          <Step title="Create a new SAML provider" icon="circle-plus">
            Log in to the **Authentik admin interface** and navigate to **Applications → Providers**.

            <Frame caption="Authentik Providers page">
              <img src="https://mintcdn.com/orqai/3prGSMBQVxQFUZZt/images/sso/authentik_oidc/authentik-oidc-providers-page.png?fit=max&auto=format&n=3prGSMBQVxQFUZZt&q=85&s=7b975e86231129ea4be9a18b59e4a282" alt="Authentik Providers page listing active providers with a Create button, shown at the start of SAML provider setup." width="1489" height="777" data-path="images/sso/authentik_oidc/authentik-oidc-providers-page.png" />
            </Frame>

            Click **Create**, select **SAML Provider**, and click **Next**.

            <Frame caption="Select provider type">
              <img src="https://mintcdn.com/orqai/3prGSMBQVxQFUZZt/images/sso/authentik_saml/authentik-saml-select-provider-type.png?fit=max&auto=format&n=3prGSMBQVxQFUZZt&q=85&s=0e91b2e71ba40ceb5f7922dd8e2b7911" alt="Authentik provider type selection showing SAML Provider highlighted." width="1512" height="928" data-path="images/sso/authentik_saml/authentik-saml-select-provider-type.png" />
            </Frame>

            <Note>
              Authentik may update their admin interface over time. Refer to [Authentik's official documentation](https://docs.goauthentik.io/) if any steps differ.
            </Note>
          </Step>

          <Step title="Configure SAML provider settings" icon="sliders">
            Fill in the main form fields:

            | Field                        | Value                                                          |
            | ---------------------------- | -------------------------------------------------------------- |
            | **Name**                     | `orq.ai` (or preferred name)                                   |
            | **Authorization flow**       | `default-provider-authorization-implicit-consent`              |
            | **ACS URL**                  | `https://my.orq.ai/v2/auth/sso/saml/callback`                  |
            | **Issuer**                   | `authentik` (default) or a descriptive identifier              |
            | **Service Provider Binding** | `Post`                                                         |
            | **Audience**                 | The SP Entity ID from Step 1 (e.g., `urn:orq.ai:example-corp`) |

            Expand **Advanced protocol settings** and configure:

            | Field                        | Value                               |
            | ---------------------------- | ----------------------------------- |
            | **Signing Certificate**      | `authentik Self-signed Certificate` |
            | **Sign assertions**          | `On`                                |
            | **Sign responses**           | `On`                                |
            | **Verification Certificate** | Leave empty                         |
            | **Encryption Certificate**   | Leave empty                         |

            <Warning>
              **Sign assertions** must be `On`. Even with the Signing Certificate pre-populated, Authentik will not sign assertions (and omits `<md:KeyDescriptor>` from metadata) unless this toggle is enabled. **Orq.ai** rejects unsigned assertions.
            </Warning>

            <Frame caption="Configure SAML provider settings">
              <img src="https://mintcdn.com/orqai/3prGSMBQVxQFUZZt/images/sso/authentik_saml/authentik-saml-configure-provider.png?fit=max&auto=format&n=3prGSMBQVxQFUZZt&q=85&s=8bb1006c0d723a0ccc4d0b8efac09b45" alt="Authentik SAML provider configuration form showing ACS URL, Issuer, Audience, and signing settings." width="1511" height="890" data-path="images/sso/authentik_saml/authentik-saml-configure-provider.png" />
            </Frame>

            Click **Finish**.
          </Step>

          <Step title="Create an application" icon="browser">
            Navigate to **Applications → Applications** and click **Create**.

            <Frame caption="Authentik Applications page">
              <img src="https://mintcdn.com/orqai/3prGSMBQVxQFUZZt/images/sso/authentik_oidc/authentik-oidc-applications-page.png?fit=max&auto=format&n=3prGSMBQVxQFUZZt&q=85&s=cd4f9381ea2a7e3368e086a8b638bb98" alt="Authentik Applications page listing active applications with a Create button, shown during SAML application creation." width="1461" height="826" data-path="images/sso/authentik_oidc/authentik-oidc-applications-page.png" />
            </Frame>

            Enter the following:

            | Field        | Value                                       |
            | ------------ | ------------------------------------------- |
            | **Name**     | `orq.ai`                                    |
            | **Slug**     | `orq-ai-saml` (becomes part of the SSO URL) |
            | **Provider** | The SAML provider created in Step 2         |

            Click **Create**.

            <Frame caption="Create application">
              <img src="https://mintcdn.com/orqai/3prGSMBQVxQFUZZt/images/sso/authentik_saml/authentik-saml-create-application.png?fit=max&auto=format&n=3prGSMBQVxQFUZZt&q=85&s=7abe9fa0e0195ca048fe9528d0fec7af" alt="Authentik Create application form showing Name, Slug, and Provider fields linked to the SAML provider." width="1516" height="936" data-path="images/sso/authentik_saml/authentik-saml-create-application.png" />
            </Frame>
          </Step>

          <Step title="Collect the SSO URL and certificate" icon="key">
            Open **Applications → Providers** and click the SAML provider. In the **SAML Configuration** section:

            * Copy the **EntityID/Issuer**: this is the Identity Provider Entity ID
            * Copy the **SSO URL (Redirect)**: use the **Redirect** binding URL, not the Post one

            The Redirect SSO URL follows this pattern:

            ```
            https://{your-authentik-domain}/application/saml/{application-slug}/sso/binding/redirect/
            ```

            <Warning>
              **Orq.ai** issues the SAML AuthnRequest via HTTP-Redirect binding. Using the `/binding/post/` endpoint results in `Bad Request: The SAML request payload is missing`. Always use the Redirect URL.
            </Warning>

            In the **Related objects** section, click **Download signing certificate** to save the PEM file.

            <Frame caption="SAML provider overview">
              <img src="https://mintcdn.com/orqai/3prGSMBQVxQFUZZt/images/sso/authentik_saml/authentik-saml-overview.png?fit=max&auto=format&n=3prGSMBQVxQFUZZt&q=85&s=c17f7c2a75ffe094d11f3adbd581cc8c" alt="Authentik SAML provider overview showing SAML Configuration section with EntityID, SSO URLs, and a Download signing certificate button." width="1681" height="931" data-path="images/sso/authentik_saml/authentik-saml-overview.png" />
            </Frame>

            <Note>
              The **Download signing certificate** button only appears after selecting a Signing Certificate and enabling Sign assertions in Step 3. If not visible, edit the provider and complete the Advanced protocol settings first.
            </Note>
          </Step>

          <Step title="Assign users" icon="users">
            Open the application, go to the **Policy / Group / User Bindings** tab, and add a binding for the users or groups that should have access.

            <Frame caption="User bindings">
              <img src="https://mintcdn.com/orqai/3prGSMBQVxQFUZZt/images/sso/authentik_oidc/authentik-oidc-user-bindings.png?fit=max&auto=format&n=3prGSMBQVxQFUZZt&q=85&s=7a81bd658121d8d93641bf7f645a8c7e" alt="Authentik application Policy/Group/User Bindings tab showing a user group binding added for the SAML application." width="1879" height="879" data-path="images/sso/authentik_oidc/authentik-oidc-user-bindings.png" />
            </Frame>
          </Step>

          <Step title="Configure in Orq.ai" icon="circle-check">
            Navigate to **AI Studio** → **Organization** → **Auth**.

            1. Select **SAML**
            2. Enter the **Service Provider Entity ID** (from Step 1)
            3. Enter the **Identity Provider Entity ID** (the Issuer value from Authentik)
            4. Enter the **Single Sign-On URL** (the Redirect-binding SSO URL)
            5. Paste the certificate downloaded from Authentik
            6. Enter the organization's email domain(s) in **Allowed domains**
            7. Click **Activate**

            <Frame caption="SAML configuration form">
              <img src="https://mintcdn.com/orqai/eESPCIDoKN-2_GOT/images/sso/platform_config/configure-saml.png?fit=max&auto=format&n=eESPCIDoKN-2_GOT&q=85&s=25560cd3f596a598af67cbdf52e4a365" alt="Configure Single Sign-On panel with SAML selected for Authentik, showing fields for Service Provider Entity ID, Identity Provider Entity ID, Single Sign-On URL, X.509 Certificate, and Allowed domains." width="3416" height="1946" data-path="images/sso/platform_config/configure-saml.png" />
            </Frame>
          </Step>

          <Step title="Test the login" icon="party-horn">
            SSO is now configured. Users can sign in at:

            ```
            https://my.orq.ai/{your-workspace-key}/login
            ```

            <Frame caption="SSO login">
              <img src="https://mintcdn.com/orqai/3prGSMBQVxQFUZZt/images/sso/sso_login/sso-login-agnostic.png?fit=max&auto=format&n=3prGSMBQVxQFUZZt&q=85&s=1b7337671332e0411a92b2963185452c" alt="Orq.ai login page showing the Continue with SSO button after configuring Authentik SAML." width="1901" height="992" data-path="images/sso/sso_login/sso-login-agnostic.png" />
            </Frame>
          </Step>
        </Steps>
      </Tab>
    </Tabs>
  </Accordion>

  <Accordion title="Other providers" icon="plug">
    <Tabs>
      <Tab title="OIDC" icon="bolt">
        **Orq.ai** works with any standards-compliant OIDC 1.0 identity provider (Auth0, Google Workspace, JumpCloud, OneLogin, Ping Identity, Duo, Rippling, Authelia, Zitadel, and others).

        **What Orq.ai requires from the IdP**

        **Orq.ai** acts as an OIDC Relying Party using the Authorization Code flow:

        | Requirement                    | Value                                                         |
        | ------------------------------ | ------------------------------------------------------------- |
        | **Flow**                       | Authorization Code (with or without PKCE)                     |
        | **Application type**           | Web application / Confidential client                         |
        | **Grant type**                 | `authorization_code`                                          |
        | **Token endpoint auth method** | `client_secret_post` or `client_secret_basic`                 |
        | **Discovery**                  | `{issuer}/.well-known/openid-configuration` must be reachable |

        <Steps>
          <Step title="Register Orq.ai as an application" icon="circle-plus">
            In the IdP's admin interface, register a new web application with:

            | Field                                   | Value                                         |
            | --------------------------------------- | --------------------------------------------- |
            | **Application type**                    | Web application (confidential client)         |
            | **Grant type / Flow**                   | Authorization Code                            |
            | **Redirect URI**                        | `https://my.orq.ai/v2/auth/sso/oidc/callback` |
            | **Post-logout redirect URI** (optional) | `https://my.orq.ai`                           |
            | **Allowed scopes**                      | `openid`, `email`, `profile`                  |

            Grant the IdP's equivalent of admin consent if required.
          </Step>

          <Step title="Configure required claims" icon="tags">
            **Orq.ai** expects the ID token or `/userinfo` endpoint to return:

            | Claim            | Required?   | Description                 |
            | ---------------- | ----------- | --------------------------- |
            | `sub`            | Required    | Stable user identifier      |
            | `email`          | Required    | User's email address        |
            | `email_verified` | Recommended | Marks the email as verified |
            | `given_name`     | Recommended | First name                  |
            | `family_name`    | Recommended | Last name                   |
            | `name`           | Recommended | Full display name           |

            Most IdPs return these automatically when the `profile` and `email` scopes are granted. If the IdP requires manual claim mapping, map user-directory fields to the names above.
          </Step>

          <Step title="Collect configuration values" icon="key">
            | Field             | Where to Find                                                                     |
            | ----------------- | --------------------------------------------------------------------------------- |
            | **Client ID**     | Provided by the IdP after registration                                            |
            | **Client Secret** | Generated by the IdP; copy immediately                                            |
            | **Provider URL**  | Base URL whose `/.well-known/openid-configuration` returns the discovery document |

            <Tip>
              Verify the Provider URL by visiting `{issuer-url}/.well-known/openid-configuration` in a browser. It must return a JSON document containing `authorization_endpoint`, `token_endpoint`, `jwks_uri`, and `issuer`. The `issuer` field in that JSON must match exactly the URL entered in **Orq.ai**.
            </Tip>
          </Step>

          <Step title="Assign users" icon="users">
            Use the IdP's standard user/group assignment to grant access to the **Orq.ai** application.
          </Step>

          <Step title="Configure in Orq.ai" icon="circle-check">
            Navigate to **AI Studio** → **Organization** → **Auth**:

            1. Select **OIDC**
            2. Enter the **Client ID**
            3. Enter the **Client Secret**
            4. Enter the **Provider URL** (the Issuer URL from the IdP)
            5. Enter the organization's email domain(s) in **Allowed domains**
            6. Click **Activate**

            <Frame caption="OIDC configuration form">
              <img src="https://mintcdn.com/orqai/eESPCIDoKN-2_GOT/images/sso/platform_config/configure-oidc.png?fit=max&auto=format&n=eESPCIDoKN-2_GOT&q=85&s=993b6152eef3ae82c9f00a65a6e4024b" alt="Configure Single Sign-On panel with OIDC selected for a generic identity provider, showing fields for Client ID, Client Secret, Provider URL, and Allowed domains." width="3416" height="1946" data-path="images/sso/platform_config/configure-oidc.png" />
            </Frame>
          </Step>

          <Step title="Test the login" icon="party-horn">
            Open a private browser window and navigate to `https://my.orq.ai`. The SSO login button will appear automatically.

            <Frame caption="SSO login page">
              <img src="https://mintcdn.com/orqai/3prGSMBQVxQFUZZt/images/sso/sso_login/sso-login-agnostic.png?fit=max&auto=format&n=3prGSMBQVxQFUZZt&q=85&s=1b7337671332e0411a92b2963185452c" alt="Orq.ai login page showing the Continue with SSO button after configuring an OIDC provider." width="1901" height="992" data-path="images/sso/sso_login/sso-login-agnostic.png" />
            </Frame>
          </Step>
        </Steps>
      </Tab>

      <Tab title="SAML" icon="shield">
        **Orq.ai** works with any standards-compliant SAML 2.0 identity provider.

        **What Orq.ai requires from the IdP**

        | Requirement                         | Value                                                    |
        | ----------------------------------- | -------------------------------------------------------- |
        | **SP-initiated SSO**                | Required                                                 |
        | **AuthnRequest binding (SP → IdP)** | HTTP-Redirect                                            |
        | **Response binding (IdP → SP)**     | HTTP-POST to the ACS URL                                 |
        | **NameID format**                   | `urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress` |
        | **Assertion signing**               | Required: RSA-SHA256                                     |
        | **AuthnRequest signing**            | Not required                                             |
        | **Assertion encryption**            | Not supported; leave disabled                            |

        <Steps>
          <Step title="Define the SP Entity ID" icon="fingerprint">
            Choose a unique identifier that must match exactly in both the IdP and **Orq.ai**. We recommend:

            ```
            urn:orq.ai:{your-workspace-key}
            ```
          </Step>

          <Step title="Register Orq.ai as a SAML application" icon="circle-plus">
            In the IdP's admin interface, create a SAML 2.0 application with:

            | IdP Field (common names)    | Value                                         |
            | --------------------------- | --------------------------------------------- |
            | **Audience / SP Entity ID** | The SP Entity ID from Step 1                  |
            | **ACS URL / Reply URL**     | `https://my.orq.ai/v2/auth/sso/saml/callback` |
            | **NameID format**           | `EmailAddress`                                |
            | **NameID source attribute** | The user's email address                      |
          </Step>

          <Step title="Configure signing" icon="shield">
            | Setting                         | Value         |
            | ------------------------------- | ------------- |
            | **Sign assertion**              | On (required) |
            | **Signature algorithm**         | `RSA-SHA256`  |
            | **Require signed AuthnRequest** | Off           |
            | **Encrypt assertion**           | Off           |
          </Step>

          <Step title="Configure attribute mappings" icon="tags">
            **Orq.ai** accepts a wide range of attribute name variants:

            | Canonical   | Also accepted                                                                                                                     |
            | ----------- | --------------------------------------------------------------------------------------------------------------------------------- |
            | `email`     | `emailAddress`, `mail`, `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress`, `urn:oid:0.9.2342.19200300.100.1.3` |
            | `firstName` | `givenName`, `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname`, `urn:oid:2.5.4.42`                                |
            | `lastName`  | `familyName`, `surname`, `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname`, `urn:oid:2.5.4.4`                       |

            <Warning>
              Many IdPs do not send name and email attributes by default. After registering the application, explicitly add attribute mappers / claim rules / attribute statements in the IdP before the assertion will contain anything **Orq.ai** can read.
            </Warning>
          </Step>

          <Step title="Collect configuration values" icon="key">
            | orq.ai Field                    | Common IdP Label(s)                                                        |
            | ------------------------------- | -------------------------------------------------------------------------- |
            | **Identity Provider Entity ID** | `Issuer`, `IdP Entity ID`, `Microsoft Entra Identifier`, `entityID`        |
            | **Single Sign-On URL**          | `SSO URL`, `Sign-on URL`, `Login URL`, `SingleSignOnService Location`      |
            | **X.509 Certificate**           | `Signing Certificate`, `Token Signing Certificate`, `Certificate (Base64)` |

            <Tip>
              If the IdP provides a SAML metadata XML file or URL, the IdP Entity ID, SSO URL, and certificate are all embedded inside. Use the `HTTP-Redirect` binding URL for the SSO URL.
            </Tip>
          </Step>

          <Step title="Configure in Orq.ai" icon="circle-check">
            Navigate to **AI Studio** → **Organization** → **Auth**:

            1. Select **SAML**
            2. Enter the **Service Provider Entity ID**
            3. Enter the **Identity Provider Entity ID**
            4. Enter the **Single Sign-On URL** (HTTP-Redirect endpoint)
            5. Paste the **X.509 Certificate**
            6. Enter the organization's email domain(s) in **Allowed domains**
            7. Click **Activate**

            <Frame caption="SAML configuration form">
              <img src="https://mintcdn.com/orqai/eESPCIDoKN-2_GOT/images/sso/platform_config/configure-saml.png?fit=max&auto=format&n=eESPCIDoKN-2_GOT&q=85&s=25560cd3f596a598af67cbdf52e4a365" alt="Configure Single Sign-On panel with SAML selected for a generic identity provider, showing fields for Service Provider Entity ID, Identity Provider Entity ID, Single Sign-On URL, X.509 Certificate, and Allowed domains." width="3416" height="1946" data-path="images/sso/platform_config/configure-saml.png" />
            </Frame>
          </Step>

          <Step title="Test the login" icon="party-horn">
            Open a private browser window and navigate to `https://my.orq.ai`. The SSO login button will appear automatically.

            <Frame caption="SSO login page">
              <img src="https://mintcdn.com/orqai/3prGSMBQVxQFUZZt/images/sso/sso_login/sso-login-agnostic.png?fit=max&auto=format&n=3prGSMBQVxQFUZZt&q=85&s=1b7337671332e0411a92b2963185452c" alt="Orq.ai login page showing the Continue with SSO button after configuring a SAML provider." width="1901" height="992" data-path="images/sso/sso_login/sso-login-agnostic.png" />
            </Frame>
          </Step>
        </Steps>
      </Tab>
    </Tabs>
  </Accordion>
</AccordionGroup>

### Edit a connection

1. Click the <Icon icon="ellipsis" /> menu on the active SSO connection
2. Click **Edit**
3. Update the desired fields
4. Click **Save Changes**

<Frame caption="Edit provider button">
  <img src="https://mintcdn.com/orqai/3prGSMBQVxQFUZZt/images/sso/platform_config/edit-provider.png?fit=max&auto=format&n=3prGSMBQVxQFUZZt&q=85&s=409f3da4347226169fd4db060984a812" alt="Orq.ai SSO configuration page showing the three-dot menu open on an active connection with an Edit option." width="1679" height="993" data-path="images/sso/platform_config/edit-provider.png" />
</Frame>

<Tip>
  To switch protocols (OIDC to SAML or vice versa), **Orq.ai** confirms the switch and presents an empty form; the two configurations differ entirely. The active connection remains unchanged until **Save Changes** is clicked. Cancel to preserve the current configuration.
</Tip>

<Frame caption="Edit configuration: switch protocol">
  <img src="https://mintcdn.com/orqai/3prGSMBQVxQFUZZt/images/sso/platform_config/edit-sso-change-protocol.png?fit=max&auto=format&n=3prGSMBQVxQFUZZt&q=85&s=4ad99484b7e39355b792d01e1d3298fd" alt="Orq.ai SSO edit dialog showing a confirmation prompt when switching from OIDC to SAML protocol." width="1681" height="993" data-path="images/sso/platform_config/edit-sso-change-protocol.png" />
</Frame>

<Note>
  The **Certificate** and **Client Secret** fields are blank in the edit form; they update only when a new value is provided and **Save Changes** is clicked.
</Note>

## Testing

Before rolling out to the entire organization:

1. Test the configuration with a single user
2. Verify the user is created automatically in **Orq.ai** (if auto-provisioning is enabled)
3. Confirm the user's profile information (name, email) is correct

Users sign in at:

```
https://my.orq.ai/{your-workspace-key}/login
```

<Frame caption="SSO login">
  <img src="https://mintcdn.com/orqai/3prGSMBQVxQFUZZt/images/sso/sso_login/sso-login-agnostic.png?fit=max&auto=format&n=3prGSMBQVxQFUZZt&q=85&s=1b7337671332e0411a92b2963185452c" alt="Orq.ai login page showing a Continue with SSO provider button that loads when an active SSO connection is configured." width="1901" height="992" data-path="images/sso/sso_login/sso-login-agnostic.png" />
</Frame>

## Troubleshooting

<AccordionGroup>
  <Accordion title="Redirect URI mismatch" icon="link-slash">
    **Error:** "redirect\_uri\_mismatch" or "Invalid redirect URI"

    **Solution:** Verify the callback URL in the IdP exactly matches:

    * **OIDC:** `https://my.orq.ai/v2/auth/sso/oidc/callback`
    * **SAML:** `https://my.orq.ai/v2/auth/sso/saml/callback`

    Common mistakes: extra slash at end, `http://` instead of `https://`, typo in URL.
  </Accordion>

  <Accordion title="Entity ID mismatch (SAML)" icon="fingerprint">
    **Error:** "Audience restriction" or "Invalid audience"

    **Solution:** Verify the SP Entity ID matches exactly in both the IdP and **Orq.ai** configuration. It is case-sensitive.
  </Accordion>

  <Accordion title="Invalid client secret (OIDC)" icon="key">
    **Error:** "invalid\_client" or "unauthorized\_client"

    **Solution:** Regenerate the client secret in the IdP and update it in **Orq.ai**. Copy the secret immediately after creation.
  </Accordion>

  <Accordion title="User not assigned" icon="user-slash">
    **Symptom:** User cannot see the app or gets "access denied"

    **Solution:**

    * **Okta:** Go to application → Assignments and assign the user or their group
    * **Azure:** Go to Enterprise application → Users and groups → Add user/group
    * **Keycloak:** Open the client → Roles tab, create roles, and assign them to the user under Role mappings
    * **Authentik:** Open the application → Policy / Group / User Bindings and add a binding
  </Accordion>

  <Accordion title="Certificate expired (SAML)" icon="certificate">
    **Symptom:** SAML authentication suddenly stops working

    **Solution:**

    1. Download a new certificate from the IdP
    2. Update the certificate in **Orq.ai** (AI Studio → Organization → Auth → Edit)
    3. Click **Save Changes**
  </Accordion>

  <Accordion title="Email domain not allowed" icon="envelope">
    **Error:** "Email domain not allowed"

    **Solution:** Add the user's email domain to **Allowed domains** in the **Orq.ai** SSO configuration. Separate multiple domains with commas (e.g., `acme.com, acme.io`).
  </Accordion>

  <Accordion title="Missing email claim (Azure OIDC)" icon="at">
    **Symptom:** Authentication succeeds but user has no email

    **Solution:** **Orq.ai** automatically requests the `User.Read` Microsoft Graph scope. Verify this permission is granted:

    1. Go to API permissions in the app registration
    2. Verify `User.Read` is present
    3. Click "Grant admin consent" if needed
  </Accordion>

  <Accordion title="Invalid signature or login bounces back (Keycloak SAML)" icon="shield-xmark">
    **Error:** "Invalid signature on document" or login redirects back to Keycloak

    **Solution:** The SAML client's **Client signature required** (Keys tab) is `On`. Turn it `Off`; **Orq.ai** does not sign outbound AuthnRequests.
  </Accordion>

  <Accordion title="Missing name or email in Orq.ai profile (Keycloak/Authentik SAML)" icon="user">
    **Symptom:** User signs in but first name, last name, or email are missing in **Orq.ai**

    **Solution:** The SAML client has no attribute mappers. For **Keycloak**, add X500 predefined mappers to the dedicated client scope. For **Authentik**, ensure Sign assertions is `On` in the provider's Advanced protocol settings.
  </Accordion>

  <Accordion title="SAML request payload missing (Authentik)" icon="envelope-open">
    **Error:** "Bad Request: The SAML request payload is missing"

    **Solution:** The SSO URL points at `/binding/post/`. Switch to the `/binding/redirect/` URL; **Orq.ai** sends AuthnRequests via HTTP-Redirect.
  </Accordion>

  <Accordion title="HTTP issuer rejected" icon="triangle-exclamation">
    **Error:** Issuer URL rejected

    **Solution:** **Orq.ai** rejects `http://` issuers in production. The identity provider must be served over HTTPS.
  </Accordion>
</AccordionGroup>

### Need Help?

Contact [support@orq.ai](mailto:support@orq.ai) with:

* Workspace key
* Identity provider and protocol (e.g., "Keycloak SAML")
* Error message or screenshot
