Skip to main content

Overview

Verify Group supports:
ProtocolIdPsUse case
SAML 2.0Azure AD / Microsoft Entra, Okta, Google Workspace, OneLoginOrg-wide SSO, domain enforcement
OIDC FederationAzure AD, Okta, Auth0, KeycloakDelegated OIDC authentication

Azure AD (Microsoft Entra) — SAML setup

Step 1: Create the Enterprise Application

  1. In Azure Portal → Microsoft Entra ID → Enterprise Applications → + New application → Create your own application
  2. Select Integrate any other application you don’t find in the gallery

Step 2: Configure SAML

  1. Go to Single sign-on → SAML
  2. In Basic SAML Configuration set:
FieldValue
Identifier (Entity ID)https://gateway.verify-group.io/api/v1/auth/saml/{orgId}/metadata
Reply URL (ACS)https://gateway.verify-group.io/api/v1/auth/saml/{orgId}/callback
Sign-on URLhttps://gateway.verify-group.io/api/v1/auth/saml/{orgId}/login
  1. In SAML Signing Certificate download the Certificate (Base64) (.cer file)

Step 3: Configure VG via API

curl -X PUT https://gateway.verify-group.io/api/v1/auth/sso/$ORG_ID/config \
  -H "Authorization: Bearer $ACCESS_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "protocol": "saml",
    "enabled": true,
    "samlIdpEntityId": "https://sts.windows.net/{tenant-id}/",
    "samlIdpSsoUrl": "https://login.microsoftonline.com/{tenant-id}/saml2",
    "samlIdpCertificate": "<base64-cert-without-pem-headers>",
    "attributeMapping": {
      "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
      "name": "http://schemas.microsoft.com/identity/claims/displayname"
    },
    "enforcedDomains": ["yourcompany.com"],
    "jitProvisioningEnabled": true,
    "defaultRoles": ["member"]
  }'

Step 4: Test login

Direct users to:
https://gateway.verify-group.io/api/v1/auth/saml/\{orgId\}/login

Okta — SAML setup

  1. In Okta Admin → Applications → Create App Integration → SAML 2.0
  2. Set the Single sign-on URL and Audience URI using the same values as above
  3. In Attribute Statements map:
    • emailuser.email
    • displayNameuser.displayName
  4. Download the IdP metadata XML to get the certificate
  5. Configure VG with the Okta IdP SSO URL and certificate

Domain enforcement

When enforcedDomains is set, users with those email domains will always be redirected to SSO login, even if they try to use a password.

Just-in-time (JIT) provisioning

When jitProvisioningEnabled: true, a Verify Group user account is automatically created on first SSO login using the email and name from the SAML/OIDC assertion.

Verify your configuration

curl https://gateway.verify-group.io/api/v1/auth/sso/$ORG_ID/config \
  -H "Authorization: Bearer $ACCESS_TOKEN"