Single Sign-On (SSO)
Enable your users to access AxonFlow using their existing corporate credentials through federated authentication with your identity provider.
What is SSO?
Single Sign-On allows users to authenticate once with their identity provider and gain access to multiple applications, including AxonFlow, without re-entering credentials.
```text
User ──(authenticate)──> Identity Provider ──(access granted)──> AxonFlow
```
Benefits
For Users
- One login - Use existing corporate credentials
- No password fatigue - No separate AxonFlow password to remember
- Seamless experience - Click and access without repeated authentication prompts
For Administrators
- Centralized control - Manage access from your identity provider
- Instant revocation - Disable the user in your IdP and their AxonFlow access is revoked
- MFA enforcement - Leverage your IdP's multi-factor authentication
- Compliance - Meet enterprise security requirements
Supported Providers
| Provider | Status |
|---|---|
| Okta | Supported |
| Azure Active Directory (Entra ID) | Supported |
| OneLogin | Supported |
| Ping Identity | Supported |
| Google Workspace | Supported |
| JumpCloud | Supported |
How It Works
1. User navigates to AxonFlow
2. AxonFlow redirects to your identity provider
3. User authenticates with IdP (including MFA if configured)
4. IdP sends authentication assertion to AxonFlow
5. AxonFlow creates session and grants access
```text
┌──────────┐         ┌──────────┐         ┌──────────┐
│   User   │───1────▶│ AxonFlow │───2────▶│   IdP    │
│          │◀──5─────│          │◀──4─────│          │
└──────────┘         └──────────┘         └──────────┘
     │                                         ▲
     └─────────── 3 (authenticate) ────────────┘
```
SSO Authentication Flow
The following diagram shows the detailed SSO authentication flow between the user, AxonFlow, and the identity provider:
```text
┌──────────┐               ┌──────────┐               ┌──────────┐
│   User   │               │ AxonFlow │               │   IdP    │
└────┬─────┘               └────┬─────┘               └────┬─────┘
     │  1. Access AxonFlow      │                          │
     │─────────────────────────>│                          │
     │                          │  2. Redirect to IdP      │
     │                          │─────────────────────────>│
     │                          │                          │
     │  3. Login page shown     │                          │
     │<────────────────────────────────────────────────────│
     │                          │                          │
     │  4. Enter credentials    │                          │
     │     (+ MFA if configured)│                          │
     │────────────────────────────────────────────────────>│
     │                          │                          │
     │                          │  5. SAML assertion /     │
     │                          │     OIDC token           │
     │                          │<─────────────────────────│
     │                          │                          │
     │                          │  6. Validate assertion,  │
     │                          │     create session       │
     │                          │                          │
     │  7. Access granted       │                          │
     │<─────────────────────────│                          │
     │                          │                          │
```
Troubleshooting
Common SSO issues and their resolutions:
| Issue | Symptom | Resolution |
|---|---|---|
| Redirect loop | Browser loops between AxonFlow and IdP | Check that the ACS URL in your IdP matches the AxonFlow configuration exactly, including the protocol (https://). |
| 403 after login | User authenticates but access is denied | Verify the user is assigned to the AxonFlow application in your IdP. Check group/role mapping. |
| Certificate error | SAML assertion signature validation fails | Ensure the IdP signing certificate in AxonFlow matches the current certificate from your IdP. See SAML Certificate Management. |
| Clock skew | Assertion expired or not yet valid | Ensure NTP is configured on both AxonFlow and IdP servers. SAML assertions have a short validity window (typically 5 minutes). |
| Attribute mapping | User email or name not populated | Check that your IdP sends the required attribute statements: email, firstName, lastName. Review the attribute mapping in AxonFlow admin settings. |
Verify SSO configuration:
```bash
# Check SSO health endpoint
curl https://your-axonflow.example.com/auth/sso/health

# View SSO debug logs (Enterprise)
curl https://your-axonflow.example.com/auth/sso/debug \
  -H "Authorization: Bearer $ADMIN_TOKEN"
```
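As an added triage helper (not AxonFlow's own code, and no substitute for its signature validation), this Python sketch reads a captured SAML assertion and reports which rows of the table above it would trip: a validity window the current time falls outside of, an embedded signing certificate whose fingerprint differs from the configured one, or missing email/firstName/lastName attributes. The sample assertion, both certificates and the function names are constructed for the example.

```python
import hashlib, base64
from datetime import datetime
import xml.etree.ElementTree as ET  # production code should parse untrusted XML with defusedxml

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}
REQUIRED_ATTRS = ("email", "firstName", "lastName")  # the attribute statements the table requires

def fingerprint(cert_b64):  # SHA-256 of the DER bytes, ignoring PEM line breaks and whitespace
    return hashlib.sha256(base64.b64decode("".join(cert_b64.split()))).hexdigest()

def _ts(value):  # SAML timestamps are UTC ISO 8601 with a trailing Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def triage_assertion(assertion_xml, configured_cert_b64, now):
    """Return the Troubleshooting rows a captured assertion would trip (this is triage, not validation)."""
    now = _ts(now) if isinstance(now, str) else now
    root, issues = ET.fromstring(assertion_xml), []
    cond = root.find("saml:Conditions", NS)
    if cond is not None:  # validity window: NotBefore <= now < NotOnOrAfter
        nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now < _ts(nb):
            issues.append("Clock skew: assertion not valid for another %ds" % (_ts(nb) - now).total_seconds())
        elif na and now >= _ts(na):
            issues.append("Clock skew: assertion expired %ds ago" % (now - _ts(na)).total_seconds())
    cert = root.find("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if cert is not None and cert.text and fingerprint(cert.text) != fingerprint(configured_cert_b64):
        issues.append("Certificate error: embedded signing certificate differs from the configured IdP certificate")
    sent = {a.get("Name") for a in root.iter("{%s}Attribute" % NS["saml"])}
    missing = [name for name in REQUIRED_ATTRS if name not in sent]
    if missing:
        issues.append("Attribute mapping: IdP did not send %s" % ", ".join(missing))
    return issues

ASSERTION_CERT = base64.b64encode(b"constructed current IdP signing cert").decode()
# Constructed sample: a trimmed assertion (SignedInfo/SignatureValue omitted) missing the lastName attribute
SAMPLE_ASSERTION = """<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_constructed" Version="2.0">
 <ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate>
 </ds:X509Data></ds:KeyInfo></ds:Signature>
 <Conditions NotBefore="2025-01-01T12:00:00Z" NotOnOrAfter="2025-01-01T12:05:00Z"/>
 <AttributeStatement>
  <Attribute Name="email"><AttributeValue>jane@example.com</AttributeValue></Attribute>
  <Attribute Name="firstName"><AttributeValue>Jane</AttributeValue></Attribute>
 </AttributeStatement></Assertion>""" % ASSERTION_CERT
```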
Enterprise Feature
| Capability | Community | Enterprise |
|---|---|---|
| SSO via identity provider | | ✅ |
| MFA enforcement via IdP | | ✅ |
| Session management | | ✅ |
| SSO audit logging | | ✅ |
SSO is available exclusively with AxonFlow Enterprise. Contact sales to enable single sign-on for your organization.
Import IdP Metadata from URL
The customer portal SSO settings page includes an "Import from URL" feature that fetches and parses SAML metadata from your identity provider's metadata URL. This is handled by a server-side endpoint to avoid CORS restrictions.
Endpoint: POST /api/v1/sso/fetch-metadata
This endpoint is available through the customer portal (not the agent gateway). It requires an authenticated portal session.
Request:
```json
{
  "metadata_url": "https://login.microsoftonline.com/{tenant-id}/federationmetadata/2007-06/federationmetadata.xml"
}
```
Response:
```json
{
  "entity_id": "https://sts.windows.net/{tenant-id}/",
  "sso_url": "https://login.microsoftonline.com/{tenant-id}/saml2",
  "slo_url": "https://login.microsoftonline.com/{tenant-id}/saml2",
  "certificate": "MIIC8DCCAdi...",
  "provider_name": "azure_ad"
}
```
Response Fields:
| Field | Type | Required | Description |
|---|---|---|---|
| entity_id | string | Yes | Identity Provider Entity ID from the SAML metadata |
| sso_url | string | Yes | Single Sign-On URL (prefers the HTTP-Redirect binding, falls back to HTTP-POST) |
| slo_url | string | No | Single Logout URL (omitted if not present in the metadata) |
| certificate | string | No | X.509 signing certificate (omitted if not present) |
| provider_name | string | No | Auto-detected provider name (see the table below) |
Detected Providers:
| provider_name value | Provider |
|---|---|
| okta | Okta |
| azure_ad | Azure Active Directory (Entra ID) |
| google | Google Workspace |
| onelogin | OneLogin |
| auth0 | Auth0 |
| pingfederate | Ping Identity / PingFederate |
| custom_saml | Any other SAML provider |
Security:
- Only https:// metadata URLs are accepted (HTTP is rejected with 400)
- Private and loopback IP addresses are blocked (SSRF protection)
- Response size is limited to 1MB
- Content-Type must be application/xml, text/xml, or application/samlmetadata+xml
- 10-second fetch timeout
- Max 5 redirects (all must be HTTPS)
- Rate limited to 5 requests per minute per session
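As an added example (not AxonFlow's own code), here is a Python sketch of the two server-side pieces this endpoint combines: the URL check that rejects non-HTTPS and private/loopback targets before anything is fetched, and the metadata parser that fills the response fields listed above (HTTP-Redirect-preferred SSO URL, optional SLO URL and certificate, provider detection). The provider heuristic, the constructed sample metadata and the function names are assumptions; the fetch itself (timeout, redirect limit, Content-Type and size checks) is not shown.

```python
import ipaddress, socket
from urllib.parse import urlparse
import xml.etree.ElementTree as ET  # production code should parse untrusted XML with defusedxml

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
BINDINGS = ["urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",  # preferred binding first,
            "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"]      # HTTP-POST as the fallback
# Assumed detection heuristic (not AxonFlow's own): substring of the entity ID -> provider_name
PROVIDER_HINTS = [("sts.windows.net", "azure_ad"), ("okta.com", "okta"), ("google.com", "google"),
                  ("onelogin.com", "onelogin"), ("auth0.com", "auth0"), ("pingidentity", "pingfederate")]

def check_metadata_url(url, resolve=socket.gethostbyname):  # ValueError here maps to HTTP 400
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.hostname:
        raise ValueError("only https:// metadata URLs are accepted")
    ip = ipaddress.ip_address(resolve(parsed.hostname))  # the fetch must connect to this IP, not re-resolve
    if not ip.is_global or ip.is_multicast:  # private, loopback, link-local and reserved ranges
        raise ValueError("metadata host resolves to a blocked address (SSRF protection)")
    return str(ip)

def parse_idp_metadata(xml_bytes):  # returns the fetch-metadata response fields; ValueError -> HTTP 400
    root = ET.fromstring(xml_bytes)  # ET.ParseError on invalid XML also maps to HTTP 400
    idp, entity_id = root.find("md:IDPSSODescriptor", NS), root.get("entityID")
    if root.tag != "{%s}EntityDescriptor" % NS["md"] or idp is None or not entity_id:
        raise ValueError("missing EntityDescriptor")
    def endpoint(tag):  # Location of the first service element found in BINDINGS preference order
        by_binding = {e.get("Binding"): e.get("Location") for e in idp.findall(tag, NS)}
        return next((by_binding[b] for b in BINDINGS if b in by_binding), None)
    result = {"entity_id": entity_id, "sso_url": endpoint("md:SingleSignOnService")}
    if result["sso_url"] is None:
        raise ValueError("no HTTP-Redirect or HTTP-POST SingleSignOnService")
    if endpoint("md:SingleLogoutService"):  # optional fields are omitted rather than sent as null
        result["slo_url"] = endpoint("md:SingleLogoutService")
    for kd in idp.findall("md:KeyDescriptor", NS):  # a KeyDescriptor without 'use' is valid for signing
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if kd.get("use") in (None, "signing") and cert is not None and cert.text:
            result["certificate"] = "".join(cert.text.split())  # drop PEM line breaks
            break
    result["provider_name"] = next((n for h, n in PROVIDER_HINTS if h in entity_id), "custom_saml")
    return result
# Constructed sample shaped like Entra ID federation metadata (placeholder tenant and certificate)
SAMPLE_METADATA = b"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sts.windows.net/example-tenant/">
 <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC8DCC
   Adi</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
  <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
   Location="https://login.microsoftonline.com/example-tenant/saml2/post"/>
  <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://login.microsoftonline.com/example-tenant/saml2"/></IDPSSODescriptor></EntityDescriptor>"""
```

The sample carries both SSO bindings so the HTTP-Redirect preference is visible in the result, and no SingleLogoutService so the slo_url key is absent rather than null.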
Error Responses:
| HTTP Status | Scenario |
|---|---|
| 400 | Empty metadata_url, non-HTTPS URL, invalid XML, missing EntityDescriptor |
| 401 | Missing portal session |
| 413 | Metadata response exceeds 1MB size limit |
| 429 | Rate limit exceeded (5 requests per minute per session) |
| 502 | Failed to fetch metadata URL (network error or non-200 response from IdP) |
Learn More
Enterprise customers can access detailed SSO documentation including:
- Step-by-step setup guides for each identity provider
- Configuration options and customization
- Troubleshooting guides
Access the Enterprise Documentation Portal for full implementation details.
Related
- SAML 2.0 - SAML-based authentication
- SCIM Provisioning - Automated user provisioning
- Identity Overview - Identity & Access overview
