SSO & SCIM
SSO routes login through your identity provider (IdP) so you don’t manage Omniflow passwords. SCIM lets the IdP create, update, and deactivate Omniflow members automatically when people join, change roles, or leave the company.
Supported IdPs
| Provider | SAML | OIDC | SCIM |
|---|---|---|---|
| Okta | ✅ | ✅ | ✅ |
| Azure AD / Entra ID | ✅ | ✅ | ✅ |
| Google Workspace | ✅ | ✅ | ✅ |
| OneLogin | ✅ | ✅ | ✅ |
| JumpCloud | ✅ | ✅ | ✅ |
| Generic SAML 2.0 | ✅ | — | — |
| Generic OIDC | — | ✅ | — |
Configure SAML SSO with Okta
Create the app in Okta
In Okta Admin → Applications → Create App Integration → SAML 2.0.
Get Omniflow metadata
In Omniflow → Settings → SSO & SCIM → SAML → Show metadata URL. Copy the URL.
Paste into Okta
Paste the metadata URL into Okta’s app config. This populates the SSO URL and audience automatically.
Map attributes
Map the Okta user attributes to Omniflow fields:
| Omniflow field | Okta attribute |
|---|---|
| email | user.email |
| firstName | user.firstName |
| lastName | user.lastName |
| groups | user.groups |
Assign users / groups
Decide who in Okta can sign in to Omniflow. Most teams assign by group.
Test sign-in
Use Okta’s “Sign in to Omniflow” tile. You should land in the workspace already logged in.
Configure OIDC SSO
OIDC is generally simpler than SAML: you exchange a client ID, a client secret, and a discovery URL.
- In your IdP, create an OIDC application.
- Set the redirect URI to https://app.omniflow.example/auth/oidc/callback.
- Get the client ID, secret, and issuer URL.
- Paste into Omniflow’s OIDC config.
- Test.
SCIM provisioning
SCIM keeps Omniflow’s member list in sync with your IdP automatically:
| Event in IdP | What Omniflow does |
|---|---|
| New user added to assigned group | Creates an Omniflow member, assigns role from group mapping. |
| User attribute changed | Updates the member. |
| User removed from group | Deactivates the member. |
| User reactivated | Restores the member with the same role. |
Enable SCIM
- In Omniflow → Settings → SSO & SCIM → SCIM → Generate token.
- Copy the token + base URL.
- In your IdP, enable provisioning, paste the token + URL.
- Run a test sync.
- Enable.
Group → role mapping
Map IdP groups to Omniflow roles:
| Okta group | Omniflow role |
|---|---|
| Omniflow-Admins | Admin |
| Omniflow-Supervisors | Supervisor |
| Omniflow-Agents | Agent |
| Omniflow-Trainees | Trainee |
Multiple groups → highest role wins.
Pair SCIM with Just-in-Time provisioning so the user is created on first sign-in if SCIM hasn’t synced them yet — useful during initial rollout.
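As an added example (not Omniflow's own code), this Python sketch applies the attribute table and the group → role mapping above, including the highest-role-wins rule for users in several groups. It assumes groups arrive as a list of strings, and that a user in no mapped group gets no role rather than a default; that refusal is an assumption, not something the page specifies.

```python
from typing import Optional

# Omniflow roles ordered from lowest to highest precedence. The page states
# that a user in several mapped groups gets the highest role.
ROLE_PRECEDENCE = ["Trainee", "Agent", "Supervisor", "Admin"]

# The page's example mapping of Okta groups to Omniflow roles.
GROUP_ROLE_MAP = {
    "Omniflow-Admins": "Admin",
    "Omniflow-Supervisors": "Supervisor",
    "Omniflow-Agents": "Agent",
    "Omniflow-Trainees": "Trainee",
}

# Okta attribute -> Omniflow field, from the page's attribute table.
ATTRIBUTE_MAP = {
    "user.email": "email",
    "user.firstName": "firstName",
    "user.lastName": "lastName",
    "user.groups": "groups",
}


def resolve_role(groups, mapping=GROUP_ROLE_MAP) -> Optional[str]:
    """Pick the highest mapped role among the user's IdP groups.

    Unmapped groups (for example Okta's built-in 'Everyone') are ignored.
    If nothing maps, return None so the caller refuses provisioning instead
    of inventing a default role (assumption: safe default, not page-stated).
    """
    ranks = [ROLE_PRECEDENCE.index(mapping[g]) for g in groups if g in mapping]
    return ROLE_PRECEDENCE[max(ranks)] if ranks else None


def member_from_okta_attributes(attrs: dict) -> Optional[dict]:
    """Build an Omniflow member record from an Okta attribute statement.

    Every Omniflow field is required: a missing attribute raises KeyError so
    a half-populated member is never created. Returns None when the user is
    in no mapped group, because there is no role to assign.
    """
    member = {field: attrs[okta_attr] for okta_attr, field in ATTRIBUTE_MAP.items()}
    role = resolve_role(member["groups"])
    if role is None:
        return None
    member["role"] = role
    return member
```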
Enforcement
| Setting | Notes |
|---|---|
| Require SSO for all users | Disables password login workspace-wide. |
| Require SSO for specific domains | Force @yourcompany.com users through SSO; allow others to use password. |
| Bypass for emergency admin | One designated admin can still password-login if SSO breaks. |
Always have an SSO-bypass break-glass admin. Configuring required-SSO without a bypass can lock your entire team out if your IdP has an outage.
Audit and troubleshooting
Common issues:
| Symptom | Cause |
|---|---|
| “We couldn’t find your account” | SCIM hasn’t created the user; or user not assigned to the IdP app. |
| Loop redirect | Clock skew between IdP and Omniflow > 5 minutes. |
| Wrong role assigned | Group → role mapping needs adjustment. |
| Some users sign in, others don’t | App assignment in IdP is partial. |
The Settings → SSO → Audit log shows every SSO and SCIM event with the IdP’s response payload.
Related
| If you want to… | Go to |
|---|---|
| Customize roles | Roles & Permissions |
| Manage members manually | Members & Teams |
| Audit access | Settings overview |