SSO Setup Guide
Single Sign-On (SSO) lets your organization authenticate through your existing identity provider (IdP) instead of individual passwords. SSO centralizes access control, simplifies onboarding, and strengthens security by leveraging your IdP's MFA and session policies.
SSO is available on Enterprise plans.
Supported Providers
Intentra supports two SSO protocols:
| Protocol | Use When | Examples |
|---|---|---|
| SAML 2.0 | Your IdP supports SAML (most common) | Okta, Azure AD / Entra ID, OneLogin, PingIdentity |
| OIDC | Your IdP provides OpenID Connect endpoints | Okta, Azure AD / Entra ID, Google Workspace, custom OIDC |
Both protocols are configured through the Settings > SSO page, accessible to organization admins.
SAML 2.0 Setup
Step 1: Create an Application in Your IdP
Okta
- In Okta Admin, go to Applications > Create App Integration
- Select SAML 2.0 and click Next
- Set the app name to "Intentra"
- Configure SAML settings:
  - Single sign-on URL (ACS URL): This is provided in the Intentra SSO settings page after you begin configuration
  - Audience URI (Entity ID): Also provided in the Intentra SSO settings page
  - Name ID format: EmailAddress
  - Application username: Email
- Click Finish
- Copy the Metadata URL from the Sign On tab (or download the metadata XML)
Azure AD / Entra ID
- In Azure Portal, go to Enterprise Applications > New Application
- Click Create your own application, name it "Intentra", and select "Integrate any other application"
- Under Single sign-on, select SAML
- In Basic SAML Configuration:
  - Identifier (Entity ID): Provided in Intentra SSO settings
  - Reply URL (ACS URL): Provided in Intentra SSO settings
- Copy the App Federation Metadata Url from section 3
Step 2: Configure SSO in Intentra
- Go to Settings > SSO
- Select SAML 2.0 as the provider type
- Enter your email domain (e.g., acme.com)
- Paste the SAML Metadata URL from your IdP
- Click Configure SSO
If your IdP does not provide a metadata URL, you can enter the Sign-in URL and X.509 Certificate manually.
Step 3: Test the Connection
Click Test Connection on the SSO settings page. Intentra will verify it can reach your IdP and validate the SAML response.
OIDC Setup
Step 1: Create an OIDC Application in Your IdP
- In your IdP, create a new Web Application with OIDC/OAuth 2.0
- Set the Redirect URI to the value shown in the Intentra SSO settings page
- Record the Issuer URL, Client ID, and Client Secret
Step 2: Configure SSO in Intentra
- Go to Settings > SSO
- Select OIDC as the provider type
- Enter your email domain
- Fill in:
  - Issuer URL (e.g., https://your-idp.com/.well-known/openid-configuration)
  - Client ID
  - Client Secret
- Click Configure SSO
Step 3: Test the Connection
Click Test Connection to verify the OIDC integration.
Testing the Connection
After configuration, use the Test Connection button to verify your setup. The test checks:
- Connectivity to your IdP
- Correct metadata/endpoint configuration
- Protocol-level compatibility
If the test fails, double-check that the URLs and credentials you entered match what your IdP provides.
Domain Mapping and Auto-Join
When you configure SSO, you associate an email domain (e.g., acme.com) with your organization.
How Auto-Join Works
- New users: When someone with a matching email domain signs in through SSO for the first time, they are automatically added to your organization as a Viewer.
- Existing users: If someone already has an Intentra account and later signs in via your SSO, they are auto-joined to your organization. Their personal organization and data remain intact.
Domain Rules
- Each domain can only be claimed by one organization
- Public email domains (gmail.com, outlook.com, yahoo.com, etc.) cannot be used for SSO
- The domain must match the email addresses used by your team
What Admins See
During SSO configuration, Intentra shows how many existing users have email addresses matching your domain. You can view the full list in the Domain Users section of the SSO settings page.