Enterprise SSO - Configuration
Enterprise SSO - Complete Configuration Guide
Enterprise Single Sign-On (SSO) allows your organization to authenticate users using your existing Identity Provider (IdP).
Users with your company domain can securely log in without creating separate passwords, and will automatically be assigned to the correct workspace.
This guide covers:
- Available SSO protocols
- OAuth 2.0 configuration
- SAML 2.0 configuration
- Default workspace assignment
- Domain verification (DNS)
- How login works
Available SSO Protocols
You can configure Enterprise SSO using one of the following protocols:
1. OAuth 2.0 (OpenID Connect)
Recommended for modern Identity Providers.
Used by:
- Microsoft Entra ID
- Okta
- Custom OIDC providers
OAuth 2.0 relies on authorization flows and user info endpoints to retrieve user identity securely.
2. SAML 2.0
Widely used in enterprise environments.
SAML uses XML-based authentication assertions exchanged between your Identity Provider and Drimify.
Choose the protocol supported by your Identity Provider.
Creating a New SSO Configuration
Go to:
Admin → Enterprise SSO → New Configuration
You will need to define:
- Configuration Name
- Email Domain
- SSO Protocol (OAuth 2.0 or SAML 2.0)
Once saved, domain verification will be required before enabling the SSO.
Email Domain
Enter the domain associated with your organization.
Example:
company.com
Users logging in with @company.com will automatically be redirected to your SSO provider.
Only one SSO configuration can be active per domain.
OAuth 2.0 Configuration
Select OAuth 2.0 as the SSO protocol.
You must create an OAuth / OpenID Connect application in your Identity Provider first.
Redirect URI (Required in your IdP)
When creating the OAuth application, configure this Redirect URI:
https://my.drimify.com/en/sso/callback/oauth
This must match exactly.
Client Credentials
Client ID
Public identifier provided by your Identity Provider.
Client Secret
Confidential secret associated with your OAuth application. Treat it as a credential and keep it secure.
OAuth Endpoints
Authorisation URL
Example:
https://example.com/oauth/connect
Where users are redirected to log in.
Access Token URL
Example:
https://example.com/oauth/token
Used to exchange the authorization code for an access token.
Resource Owner URL (User Info Endpoint)
Example:
https://example.com/oauth/userinfo
Returns user identity data after authentication.
Scopes
Enter scopes as a comma-separated list.
For standard OpenID Connect:
openid, profile, email
These allow access to:
- Unique user ID
- Email address
- First name
- Last name
Attribute Mapping
Your Identity Provider returns user data in JSON format. You must define which fields correspond to required values.
ID Field
Example:
sub
Email Field
Example:
email
First Name Field
Example:
given_name
Last Name Field
Example:
family_name
These field names must match exactly what your Identity Provider returns.
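The mapping step above, and the "SSO response did not include an email address" case listed under Common Issues, as an added example that is not Drimify's own code: it parses the comma-separated scope setting and applies a configured mapping to a constructed userinfo JSON response, using exact (case-sensitive) field names as the guide requires.

```python
import json

# Attribute mapping as entered in the SSO form: target value -> field name the
# IdP returns. Standard OpenID Connect claim names are used here.
MAPPING = {
    "id": "sub",
    "email": "email",
    "first_name": "given_name",
    "last_name": "family_name",
}


class MissingAttributeError(ValueError):
    """Raised when the IdP response lacks a mapped, required field."""


def parse_scopes(scope_field: str) -> list[str]:
    """Turn the comma-separated scope setting into the list requested from the IdP."""
    return [s.strip() for s in scope_field.split(",") if s.strip()]


def map_user_info(raw_json: str, mapping: dict[str, str] = MAPPING) -> dict[str, str]:
    """Look up each mapped field in the userinfo JSON.

    Lookup is an exact, case-sensitive key match: a claim named 'Email' does
    not satisfy a mapping of 'email'. id and email are required; the name
    fields fall back to an empty string when absent.
    """
    claims = json.loads(raw_json)
    user = {}
    for target, source in mapping.items():
        value = claims.get(source)
        if value in (None, ""):
            if target in ("id", "email"):
                raise MissingAttributeError(
                    f"SSO response did not include {target} (expected field '{source}')"
                )
            value = ""
        user[target] = str(value)
    return user


# Constructed sample userinfo responses (not captured from a real IdP).
GOOD = '{"sub": "u-123", "email": "alice@company.com", "given_name": "Alice", "family_name": "Doe"}'
NO_EMAIL = '{"sub": "u-123", "Email": "alice@company.com"}'  # wrong case, so no match

if __name__ == "__main__":
    print(parse_scopes("openid, profile, email"))
    print(map_user_info(GOOD))
    try:
        map_user_info(NO_EMAIL)
    except MissingAttributeError as exc:
        print("error:", exc)
```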
SAML 2.0 Configuration
Select SAML 2.0 as the protocol.
You will need the following values from your Identity Provider:
Identity Provider Entity ID (Issuer URL)
Unique identifier of your Identity Provider.
Single Sign-On Service URL
The endpoint where authentication requests are sent.
Single Logout Service URL (Optional)
Endpoint used for single logout functionality.
X509 Certificate
Public certificate provided by your Identity Provider.
Used to validate SAML assertions.
Encryption X509 Certificate (Optional)
Used if your provider requires encrypted assertions.
Requested Authentication Context (Optional)
Defines the required authentication strength (e.g. MFA).
Leave disabled unless required by your provider.
Service Provider Information
After saving your SAML configuration, Drimify will generate values required by your Identity Provider:
- Service Provider Entity ID (Metadata URL)
- Assertion Consumer Service (ACS URL)
- Single Logout Service (SLS URL)
These must be added to your Identity Provider configuration.
Default Workspace Settings
Enterprise SSO allows automatic workspace assignment.
You must define:
Workspace
All users authenticating via this SSO will automatically join this workspace.
Default Department
Users will be assigned to this department.
Predefined Role
Defines the default permissions granted to new users created via this SSO.
This ensures proper access control from first login.
Domain Verification (DNS Required)
After saving your SSO configuration, domain verification is mandatory.
To verify ownership:
- A DNS TXT record will be generated.
- Add the TXT record to your domain's DNS settings.
- Click "Verify Domain" inside the platform.
Example record:
- Type: TXT
- Host: company.com
- Value:
drimify-domain-verification=xxxxxxxxxxxxxxxx
Note: DNS propagation may take up to 48 hours.
SSO cannot be enabled until verification is successful.
How Login Works
- User enters their email address.
- If the domain matches a configured SSO:
- They are automatically redirected to your Identity Provider.
- After successful authentication:
- They are redirected back to Drimify.
- If new, their account is created automatically.
- They are assigned to the configured workspace and role.
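The domain-matching step of the login flow, as an added example (not Drimify's own code): it assumes a small hypothetical configuration model with the "enabled" and "domain verified" states described in this guide, and only redirects to the IdP when the entered email's domain exactly matches an enabled, verified configuration. Matching is exact, not a suffix check, so sub.company.com and notcompany.com never match company.com.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class SsoConfig:
    """Hypothetical per-domain SSO configuration (constructed for this example)."""
    name: str
    email_domain: str       # the Email Domain entered in the configuration
    protocol: str           # "oauth" or "saml"
    domain_verified: bool   # DNS TXT verification succeeded
    enabled: bool           # SSO switched on after verification

# Constructed sample configurations; one domain is still awaiting DNS verification.
CONFIGS = [
    SsoConfig("Company OIDC", "company.com", "oauth", True, True),
    SsoConfig("Pending SAML", "pending.example", "saml", False, True),
]

def email_domain(email: str) -> Optional[str]:
    """Return the lower-cased domain part of an email, or None if malformed."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain or "@" in local:
        return None
    return domain.lower()

def route_login(email: str, configs=CONFIGS) -> str:
    """Decide where the login form sends the user.

    Returns 'password' for the normal login, or 'sso:<protocol>:<domain>' when
    the domain has a configuration that is both enabled and domain-verified.
    """
    domain = email_domain(email)
    if domain is None:
        return "password"
    for cfg in configs:
        if cfg.email_domain.lower() == domain and cfg.enabled and cfg.domain_verified:
            return f"sso:{cfg.protocol}:{cfg.email_domain}"
    return "password"

if __name__ == "__main__":
    for addr in ["Alice@Company.com", "bob@sub.company.com", "carol@pending.example"]:
        print(addr, "->", route_login(addr))
```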
Testing Your SSO
Before enabling for all users:
- Test with a user from your domain
- Confirm email mapping works correctly
- Verify first and last names populate properly
- Test logout behavior
- Ensure redirect URI matches exactly
Common Issues
SSO response did not include an email address
→ Ensure the email scope is included (OAuth) or the email attribute is mapped (SAML).
Invalid redirect URI
→ Confirm it matches exactly:
https://my.drimify.com/en/sso/callback/oauth
Domain not verified
→ Ensure the DNS TXT record is correctly added and propagated.
Security Recommendations
- Never expose your Client Secret.
- Use HTTPS-only endpoints.
- Restrict your IdP application to your organization.
- Regularly rotate credentials where possible.
Your Enterprise SSO is fully operational once:
- Configuration is saved
- Domain is verified
- SSO is enabled
Updated on: 02/03/2026
Thank you!
