All productsEnterprise SSO

    Close your next enterprise deal in an afternoon.

    SAML SSO that ships on day one. Every tenant points at their own IdP. No parallel auth stacks, no per-deal engineering, no checklist gymnastics.

    Each customer onboards their own IdP.

    One tenant, one config. Per-tenant metadata, per-tenant claims, per-tenant rollout — nothing shared, nothing mixed, nothing to explain on the security call.

    Tenants · 247
    Acme Corp
    acme.authaz.com
    Globex
    globex.authaz.com
    Initech
    initech.authaz.com
    Umbrella
    umbrella.authaz.com
    Hooli
    hooli.authaz.com
    Acme Corp — SAML 2.0
    connected · 12 users · last assertion 42s ago
    active
    IdP metadata
    https://login.acme.com/metadata.xml
    Entity ID
    https://acme.authaz.io/saml
    ACS URL
    https://app.acme.com/saml/callback
    Signature
    RSA-SHA256 · fp:4f:8a:b1:…
    Binding
    IdP- and SP-initiated
    Dry-run: signature ok
    Attributes mapped
    Save config
    Tenant config
    Per-tenant IdPs
    Metadata import
    Dry-run test
    Roll back

    From test tenant to full cutover in two days.

    Every SSO rollout has the same four steps. We built the admin around them so no one is guessing what happens next.

    Day 0
    Staging config
    Paste the IdP metadata URL, ACS URL is auto-resolved, and the tenant lights up in the admin.
    Day 0
    Dry-run test
    Simulate an assertion end-to-end. Signature, attributes, and claims verified before a real user signs in.
    Day 1
    Pilot cohort
    Enable SSO for 12 named users. Old login path stays live for the rest of the tenant.
    Day 2
    Full cutover
    Flip the tenant. 847 users move. One-line roll-back in the admin if anything misbehaves.
    Rollout

    Every assertion, verified and logged.

    Security's first question is always the same: who signed in, from which IdP, and did the signature match? One row away, immutable, filterable by tenant, exportable to your SIEM.

    filterall tenantsacmefailureslast 1hstreaming · 847 events / min
    time
    event
    actor
    tenant
    result
    17:42:11.204
    SAML.ASSERTION.VERIFIED
    val@acme.com
    acme
    ok
    17:42:11.202
    SESSION.CREATED
    val@acme.com
    acme
    ok
    17:41:58.117
    SAML.SIGNATURE.FAILED
    rod@globex.com
    globex
    deny
    17:41:44.556
    IDP.METADATA.REFRESHED
    acme
    ok
    17:41:31.100
    SAML.CONFIG.UPDATED
    admin@acme.com
    acme
    ok
    17:40:59.003
    SAML.ASSERTION.VERIFIED
    lee@acme.com
    acme
    ok
    17:40:41.788
    SESSION.REVOKED
    sam@initech.com
    initech
    ok
    Audit
    Immutable log
    Per-tenant filter
    SIEM export
    SOC 2 pack
    Pairs with

    SSO is one layer. Here's what goes with it.

    Multi-tenant Organizations
    Isolate each customer's config, members, and policies cleanly. SSO settings live inside the tenant, not in a shared table.
    Explore
    Multi-factor Authentication
    Step up after SSO for privileged actions. Federated identity plus in-app MFA, no conflicting policies.
    Explore
    RBAC & Permissions
    Scope what SSO users can do once they're in. Role mappings flow from the IdP claim, decisions flow from your policy.
    Explore

    Stop losing enterprise deals to SSO gaps.

    Enterprise SSO is included in every plan. Free up to 2,000 monthly active users.