Single Sign-On (SSO)

Enable your users to access AxonFlow using their existing corporate credentials through federated authentication with your identity provider.

What is SSO?

Single Sign-On allows users to authenticate once with their identity provider and gain access to multiple applications, including AxonFlow, without re-entering credentials.

User → Identity Provider → AxonFlow
         (authenticate)     (access granted)

Benefits

For Users

• One login - Use existing corporate credentials
• No password fatigue - No separate AxonFlow password to remember
• Seamless experience - Click and access without authentication prompts

For Administrators

• Centralized control - Manage access from your identity provider
• Instant revocation - Disable IdP access, lose AxonFlow access
• MFA enforcement - Leverage your IdP's multi-factor authentication
• Compliance - Meet enterprise security requirements

Supported Providers

Provider	Status
Okta	Supported
Azure Active Directory (Entra ID)	Supported
OneLogin	Supported
Ping Identity	Supported
Google Workspace	Supported
JumpCloud	Supported

How It Works

1. User navigates to AxonFlow
2. AxonFlow redirects to your identity provider
3. User authenticates with IdP (including MFA if configured)
4. IdP sends authentication assertion to AxonFlow
5. AxonFlow creates session and grants access

┌──────────┐         ┌──────────┐         ┌──────────┐
│   User   │───1────▶│ AxonFlow │───2────▶│   IdP    │
│          │◀──5─────│          │◀──4─────│          │
└──────────┘         └──────────┘         └──────────┘
                                                │
                                                3
                                           (authenticate)

SSO Authentication Flow

The following diagram shows the detailed SSO authentication flow between the user, AxonFlow, and the identity provider:

┌──────────┐                ┌──────────┐                ┌──────────┐
│   User   │                │ AxonFlow │                │   IdP    │
└────┬─────┘                └────┬─────┘                └────┬─────┘
     │  1. Access AxonFlow       │                           │
     │──────────────────────────>│                           │
     │                           │  2. Redirect to IdP       │
     │                           │──────────────────────────>│
     │                           │                           │
     │  3. Login page shown      │                           │
     │<──────────────────────────────────────────────────────│
     │                           │                           │
     │  4. Enter credentials     │                           │
     │   (+ MFA if configured)   │                           │
     │──────────────────────────────────────────────────────>│
     │                           │                           │
     │                           │  5. SAML assertion /      │
     │                           │     OIDC token            │
     │                           │<──────────────────────────│
     │                           │                           │
     │                           │  6. Validate assertion,   │
     │                           │     create session        │
     │                           │                           │
     │  7. Access granted        │                           │
     │<──────────────────────────│                           │
     │                           │                           │

Troubleshooting

Common SSO issues and their resolutions:

Issue	Symptom	Resolution
Redirect loop	Browser loops between AxonFlow and IdP	Check that the ACS URL in your IdP matches the AxonFlow configuration exactly, including the protocol (https://).
403 after login	User authenticates but access is denied	Verify the user is assigned to the AxonFlow application in your IdP. Check group/role mapping.
Certificate error	SAML assertion signature validation fails	Ensure the IdP signing certificate in AxonFlow matches the current certificate from your IdP. See SAML Certificate Management.
Clock skew	Assertion expired or not yet valid	Ensure NTP is configured on both AxonFlow and IdP servers. SAML assertions have a short validity window (typically 5 minutes).
Attribute mapping	User email or name not populated	Check that your IdP sends the required attribute statements: email, firstName, lastName. Review the attribute mapping in AxonFlow admin settings.

Verify SSO configuration:

# Check SSO health endpoint
curl https://your-axonflow.example.com/auth/sso/health

# View SSO debug logs (Enterprise)
curl https://your-axonflow.example.com/auth/sso/debug \
  -H "Authorization: Bearer $ADMIN_TOKEN"

Enterprise Feature

Capability	Community	Enterprise
SSO via identity provider		✅
MFA enforcement via IdP		✅
Session management		✅
SSO audit logging		✅

Enterprise Feature

SSO is available exclusively with AxonFlow Enterprise. Contact sales to enable single sign-on for your organization.

Learn More

Enterprise customers can access detailed SSO documentation including:

• Step-by-step setup guides for each identity provider
• Configuration options and customization
• Troubleshooting guides

Access the Enterprise Documentation Portal for full implementation details.

Related

• SAML 2.0 - SAML-based authentication
• SCIM Provisioning - Automated user provisioning
• Identity Overview - Identity & Access overview