Overview
Verify Group supports:| Protocol | IdPs | Use case |
|---|---|---|
| SAML 2.0 | Azure AD / Microsoft Entra, Okta, Google Workspace, OneLogin | Org-wide SSO, domain enforcement |
| OIDC Federation | Azure AD, Okta, Auth0, Keycloak | Delegated OIDC authentication |
Azure AD (Microsoft Entra) — SAML setup
Step 1: Create the Enterprise Application
- In Azure Portal → Microsoft Entra ID → Enterprise Applications → + New application → Create your own application
- Select Integrate any other application you don’t find in the gallery
Step 2: Configure SAML
- Go to Single sign-on → SAML
- In Basic SAML Configuration set:
| Field | Value |
|---|---|
| Identifier (Entity ID) | https://gateway.verify-group.io/api/v1/auth/saml/{orgId}/metadata |
| Reply URL (ACS) | https://gateway.verify-group.io/api/v1/auth/saml/{orgId}/callback |
| Sign-on URL | https://gateway.verify-group.io/api/v1/auth/saml/{orgId}/login |
- In SAML Signing Certificate download the Certificate (Base64) (
.cerfile)
Step 3: Configure VG via API
Step 4: Test login
Direct users to:Okta — SAML setup
- In Okta Admin → Applications → Create App Integration → SAML 2.0
- Set the Single sign-on URL and Audience URI using the same values as above
- In Attribute Statements map:
email→user.emaildisplayName→user.displayName
- Download the IdP metadata XML to get the certificate
- Configure VG with the Okta IdP SSO URL and certificate
Domain enforcement
WhenenforcedDomains is set, users with those email domains will always be redirected to SSO login, even if they try to use a password.
Just-in-time (JIT) provisioning
WhenjitProvisioningEnabled: true, a Verify Group user account is automatically created on first SSO login using the email and name from the SAML/OIDC assertion.