TenantSSOProvider
Single Sign-On provider configuration for a tenant workspace, enabling SSO authentication through SAML, OIDC, OAuth, or other identity federation protocols. This entity stores the technical configuration required to integrate with an external identity provider such as Azure AD, Google Workspace, Okta, Auth0, or a custom SAML provider. A tenant may have several SSO providers (for different user groups, or to run an old and a new provider side by side during a migration); selection among them is priority-based, and each record can carry provider-specific metadata. Users authenticate through their corporate identity provider, so the platform stores no passwords for them and access can be controlled centrally at the identity provider. The entity is the SSO integration layer for a multi-tenant B2B SaaS platform: every record is bound to exactly one Tenant, and provider lookup during login must be scoped to that tenant so that one tenant's provider can never be used to sign in to another.
Properties
| Property | Type | Mode | Description | Required |
|---|---|---|---|---|
| tenant | Tenant | stored | Reference to the Tenant this SSO provider configuration applies to | Required |
| providerType | string | stored | SSO protocol or provider type; the examples below use "saml" and "oidc" | Required |
| providerName | string | stored | Display name for this SSO provider (vendor-agnostic) | Required |
| metadataUrl | string | stored | URL of the provider's metadata document (SAML metadata or OIDC discovery). The document is fetched from this URL, so it should be an https URL | Optional |
| entityId | string | stored | SAML entity ID or issuer identifier of the identity provider | Optional |
| ssoUrl | string | stored | SSO login URL or redirect endpoint at the identity provider | Optional |
| clientId | string | stored | OAuth/OIDC client identifier | Optional |
| clientSecret | string | stored | OAuth/OIDC client secret, stored encrypted at rest. It is write-only from the caller's point of view and must not appear in API responses or logs | Optional |
| certificate | string | stored | PEM-encoded X.509 signing certificate of the identity provider, used to verify SAML response and assertion signatures | Optional |
| enabled | boolean | stored | Whether this SSO provider is currently enabled for the tenant; disabled providers are never offered for login | Required |
| isPrimary | boolean | stored | Whether this is the primary/default SSO provider for the tenant | Optional |
| priority | number | stored | Priority order for provider selection (lower number = higher priority) | Optional |
| attributeMapping | json | stored | Mapping from user profile fields to the SSO provider attributes that populate them (see Example 1); attributes the provider sends that are not mapped are ignored | Optional |
| metadata | json | stored | Additional provider-specific configuration and metadata | Optional |
Examples
Example 1
{
"@type": "TenantSSOProvider",
"tenant": {
"@type": "Tenant",
"slug": "acme-corp",
"name": "ACME Corporation"
},
"providerType": "saml",
"providerName": "Corporate SAML Provider",
"metadataUrl": "https://idp.acme.com/metadata",
"entityId": "https://idp.acme.com/saml",
"ssoUrl": "https://idp.acme.com/sso/login",
"enabled": true,
"isPrimary": true,
"priority": 1,
"attributeMapping": {
"email": "user.email",
"givenName": "user.firstName",
"familyName": "user.lastName"
}
}
Example 2
{
"@type": "TenantSSOProvider",
"tenant": {
"@type": "Tenant",
"slug": "enterprise-client",
"name": "Enterprise Client"
},
"providerType": "oidc",
"providerName": "Azure Active Directory",
"metadataUrl": "https://login.microsoftonline.com/tenant-id/.well-known/openid-configuration",
"clientId": "client_xyz789",
"enabled": true,
"isPrimary": true,
"priority": 1
}
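The following Python is an added example, not code from this page or from any platform that implements this entity. It shows the three operations the properties and examples above imply: validating a record for its providerType (the per-type required fields and the https requirement on metadataUrl and ssoUrl are assumptions made for the example), choosing the provider for a tenant login from enabled records scoped to that tenant (isPrimary first, then lowest priority; that tie-break order is assumed), and applying attributeMapping to the attributes received from the identity provider. The records and the assertion attributes are constructed for the example; the first record copies Example 1.

```python
from typing import Optional
from urllib.parse import urlparse

# Fields a record must carry, per providerType, before it may be enabled.
# Assumed rules for this example; the page lists these fields as optional.
_REQUIRED_BY_TYPE = {
    "saml": ("entityId", "ssoUrl"),
    "oidc": ("clientId",),
    "oauth": ("clientId", "ssoUrl"),
}
_URL_FIELDS = ("metadataUrl", "ssoUrl")


def validate_provider(p: dict) -> list:
    """Return validation errors for one TenantSSOProvider record ([] if acceptable)."""
    errors = []
    ptype = p.get("providerType")
    if ptype not in _REQUIRED_BY_TYPE:
        return [f"unsupported providerType: {ptype!r}"]
    for field in ("tenant", "providerName", "enabled"):
        if field not in p:
            errors.append(f"missing required field: {field}")
    for field in _REQUIRED_BY_TYPE[ptype]:
        if not p.get(field):
            errors.append(f"{ptype} provider requires {field}")
    # SAML signatures can only be checked with a pinned certificate or a
    # metadata document to load one from; OIDC/OAuth needs an endpoint to use.
    if ptype == "saml" and not (p.get("certificate") or p.get("metadataUrl")):
        errors.append("saml provider needs certificate or metadataUrl for signature verification")
    if ptype != "saml" and not (p.get("metadataUrl") or p.get("ssoUrl")):
        errors.append(f"{ptype} provider needs metadataUrl or ssoUrl")
    # metadataUrl is fetched and ssoUrl is redirected to during login; anything
    # but https lets an on-path attacker substitute the identity provider.
    for field in _URL_FIELDS:
        url = p.get(field)
        if url and urlparse(url).scheme != "https":
            errors.append(f"{field} must use https, got {url!r}")
    return errors


def select_provider(providers: list, tenant_slug: str) -> Optional[dict]:
    """Choose the provider to start login with for tenant_slug.

    Only enabled records whose tenant.slug matches are candidates, so a record
    belonging to another tenant can never be selected. Among candidates the one
    flagged isPrimary wins, then the lowest priority number (assumed order).
    """
    candidates = [
        p for p in providers
        if p.get("enabled") and p.get("tenant", {}).get("slug") == tenant_slug
    ]
    if not candidates:
        return None
    return min(
        candidates,
        key=lambda p: (not p.get("isPrimary", False), p.get("priority", float("inf"))),
    )


def map_attributes(mapping: dict, assertion: dict) -> dict:
    """Apply attributeMapping (profile field -> IdP attribute name) to IdP attributes.

    Only mapped fields are produced; anything else the IdP sends is dropped so it
    cannot populate arbitrary profile fields. A mapped attribute the IdP did not
    send comes back as None for the caller to reject if the field is required.
    """
    return {field: assertion.get(idp_attr) for field, idp_attr in mapping.items()}


# Constructed sample records: the first copies Example 1, the second is a
# legacy provider kept enabled during a migration but misconfigured (plain http).
_ACME = {"@type": "Tenant", "slug": "acme-corp", "name": "ACME Corporation"}
SAMPLE_PROVIDERS = [
    {
        "@type": "TenantSSOProvider", "tenant": _ACME,
        "providerType": "saml", "providerName": "Corporate SAML Provider",
        "metadataUrl": "https://idp.acme.com/metadata",
        "entityId": "https://idp.acme.com/saml",
        "ssoUrl": "https://idp.acme.com/sso/login",
        "enabled": True, "isPrimary": True, "priority": 1,
        "attributeMapping": {"email": "user.email", "givenName": "user.firstName",
                             "familyName": "user.lastName"},
    },
    {
        "@type": "TenantSSOProvider", "tenant": _ACME,
        "providerType": "oidc", "providerName": "Legacy OIDC Provider",
        "metadataUrl": "http://legacy-idp.acme.com/.well-known/openid-configuration",
        "clientId": "legacy-client", "enabled": True, "priority": 5,
    },
]
# Constructed attributes as an IdP might send them: lastName missing, an
# unmapped "role" attribute present.
SAMPLE_ASSERTION = {"user.email": "jdoe@acme.com", "user.firstName": "Jane", "role": "admin"}

if __name__ == "__main__":
    for p in SAMPLE_PROVIDERS:
        print(p["providerName"], validate_provider(p) or "ok")
    chosen = select_provider(SAMPLE_PROVIDERS, "acme-corp")
    print("selected:", chosen["providerName"])
    print("profile:", map_attributes(chosen["attributeMapping"], SAMPLE_ASSERTION))
```

Run stand-alone, the script reports the legacy record's http metadataUrl as an error, selects the primary SAML provider for acme-corp, and produces a profile with email and givenName filled, familyName None, and the unmapped role attribute discarded. Validation of the second record fails at configuration time, which is the right place: an enabled-but-invalid provider should never reach select_provider.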