Single Sign-On (SSO)
NodeLoom supports SAML 2.0 and OpenID Connect for enterprise single sign-on. SSO lets your team authenticate through your existing identity provider, centralizing access control and simplifying user management.
Overview
Single sign-on allows your team members to log in to NodeLoom using their existing corporate credentials. Instead of managing separate passwords for NodeLoom, users authenticate through your identity provider (IdP) such as Okta, Azure AD, or Google Workspace.
NodeLoom supports two industry-standard SSO protocols. Both implementations include cryptographic signature verification, assertion replay protection, audience validation, and automatic key rotation handling to ensure authentication integrity.
| Protocol | Description | Best For |
|---|---|---|
| SAML 2.0 | XML-based protocol with robust enterprise support. Uses browser redirects and signed assertions for authentication. | Organizations using Okta, Azure AD, OneLogin, or ADFS |
| OpenID Connect | OAuth 2.0-based protocol using JSON tokens. Lightweight and developer-friendly with JWT-based authentication. | Organizations using Google Workspace, Auth0, or custom OAuth providers |
Prerequisites
Before configuring SSO, ensure the following requirements are met:
| Requirement | Details |
|---|---|
| Plan | SSO is available on Business and Enterprise plans. |
| Role | You must have the Admin role in your NodeLoom team to configure SSO. |
| Identity Provider | An active account with an identity provider that supports SAML 2.0 or OpenID Connect (Okta, Azure AD, Google Workspace, OneLogin, etc.). |
| Domain | A verified email domain is required before SSO enforcement can be enabled. |
Plan availability
SAML 2.0 Setup
Follow these steps to configure SAML 2.0 SSO between NodeLoom and your identity provider.
Get SP metadata from NodeLoom
Navigate to Settings → SSO → SAML Metadata to find your service provider (SP) metadata. You will need these values when creating the SAML application in your identity provider.
| Field | Example Value |
|---|---|
| Entity ID (Audience URI) | https://your-domain.com/api/sso/saml/{teamId}/metadata |
| ACS URL (Reply URL) | https://your-domain.com/api/sso/saml/{teamId}/acs |
| SLO URL (Logout URL) | https://your-domain.com/api/sso/saml/{teamId}/slo |
| NameID Format | urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress |
Create a SAML application in your identity provider
Create a new SAML 2.0 application in your IdP and enter the SP metadata values from the previous step.
| Identity Provider | Steps |
|---|---|
| Okta | Applications > Create App Integration > SAML 2.0. Enter the Entity ID, ACS URL, and NameID format. Assign users or groups. |
| Azure AD | Enterprise Applications > New Application > Create your own application > Non-gallery. Set up single sign-on > SAML. Enter Identifier (Entity ID) and Reply URL (ACS URL). |
| OneLogin | Applications > Add App > SAML Custom Connector (Advanced). Enter Audience (Entity ID), ACS URL, and ACS URL Validator. |
Configure IdP details in NodeLoom
After creating the SAML application in your IdP, copy the following values back into NodeLoom at Settings → SSO → SAML Configuration.
{
"entityId": "https://idp.example.com/saml/metadata",
"ssoUrl": "https://idp.example.com/saml/sso",
"certificate": "-----BEGIN CERTIFICATE-----\nMIIC...base64...\n-----END CERTIFICATE-----",
"signRequests": true,
"forceAuthn": false
}Configure attribute mapping
Ensure your IdP sends the required user attributes in the SAML assertion. NodeLoom expects the following attributes:
| NodeLoom Field | SAML Attribute |
|---|---|
email | urn:oid:0.9.2342.19200300.100.1.3 |
firstName | urn:oid:2.5.4.42 |
lastName | urn:oid:2.5.4.4 |
Friendly attribute names
email, firstName, and lastName in addition to OID-format names.Enable SSO
Once the configuration is saved and attribute mapping is verified, click Enable SSO in the NodeLoom SSO settings. Test the login flow by opening an incognito window and signing in with an assigned user before enforcing SSO for all team members.
OpenID Connect Setup
Follow these steps to configure OpenID Connect SSO between NodeLoom and your identity provider.
Create an OIDC application in your identity provider
Create a new OIDC (or OAuth 2.0) application in your IdP. Select Web Application as the application type and Authorization Code as the grant type.
| Identity Provider | Steps |
|---|---|
| Okta | Applications > Create App Integration > OIDC - OpenID Connect > Web Application. |
| Azure AD | App registrations > New registration > Web. Add redirect URI under Authentication. |
| Google Workspace | Google Cloud Console > APIs & Services > Credentials > Create OAuth Client ID > Web application. |
Set the redirect URI
Configure the following redirect URI in your IdP application settings. Replace your-domain.com with your NodeLoom instance domain and {teamId} with your team ID.
https://your-domain.com/api/sso/oidc/{teamId}/callbackConfigure OIDC details in NodeLoom
Navigate to Settings → SSO → OIDC Configuration and enter the values from your IdP.
{
"issuerUrl": "https://idp.example.com",
"clientId": "0oa1b2c3d4e5f6g7h8i9",
"clientSecret": "your-client-secret",
"scopes": ["openid", "profile", "email"]
}Discovery endpoint
{issuerUrl}/.well-known/openid-configuration to resolve authorization, token, and userinfo endpoints.Configure attribute mapping
Ensure the OIDC token claims include the required user attributes. NodeLoom reads the following claims from the ID token or userinfo endpoint:
| NodeLoom Field | OIDC Claim |
|---|---|
email | email |
firstName | given_name |
lastName | family_name |
Enable SSO
Save the configuration and click Enable SSO. Test the flow in an incognito window before enforcing SSO for all team members.
Domain Verification
Before enforcing SSO, you must verify ownership of the email domain(s) associated with your team. Domain verification prevents unauthorized teams from claiming your domain and ensures that enforcement only applies to legitimate accounts.
NodeLoom supports three verification methods:
DNS TXT Record
Add a TXT record to your domain's DNS zone. This is the recommended method for most organizations.
Record Type: TXT
Host: @
Value: nodeloom-verification={token}DNS CNAME Record
Add a CNAME record if your DNS provider does not support TXT records on the root domain.
Record Type: CNAME
Host: {token}
Value: nodeloom-verify.comHTML Meta Tag
If you cannot modify DNS records, add a meta tag to the homepage of your domain.
<meta name="nodeloom-verification" content="{token}" />Verification required for enforcement
Enforcing SSO
Enforcing SSO means that all team members with an email matching a verified domain must authenticate through the identity provider. Password-based login, magic links, and social logins are blocked for those users.
To enforce SSO, complete the following steps in order:
Enable SSO
Configure and enable either SAML 2.0 or OpenID Connect SSO as described in the setup sections above. Verify that users can successfully log in through SSO.
Verify your domain
Complete domain verification using one of the three methods above. Navigate to Settings → SSO → Domains and confirm that your domain shows a Verified status.
Enforce SSO
Navigate to Settings → SSO → Enforcement and enable enforcement. All team members with email addresses matching the verified domain will be required to authenticate through SSO on their next login.
Team owner bypass
User Provisioning
When a user authenticates through SSO for the first time, NodeLoom automatically provisions a new account for them. This eliminates the need for manual invitations or account creation.
| Setting | Description | Default |
|---|---|---|
| Auto-provisioning | Automatically create a NodeLoom account on first SSO login. | Enabled |
| Default role | The role assigned to newly provisioned users. Configurable in SSO settings. | VIEWER |
| Allowed email domains | Restrict auto-provisioning to specific email domains. Users with non-matching domains are rejected. | All verified domains |
Existing users who already have NodeLoom accounts are linked to the SSO identity automatically when they first log in through SSO, provided their email address matches. Their existing role and settings are preserved.
SCIM for full lifecycle management
Session Management
SSO sessions in NodeLoom are managed separately from IdP sessions. When a user authenticates through SSO, NodeLoom creates a local session that controls access to the application.
| Setting | Description | Default |
|---|---|---|
| Session duration | Maximum lifetime of an SSO session before re-authentication is required. | 8 hours |
| Single logout (SLO) | When enabled, logging out of NodeLoom also sends a logout request to the IdP. Supported for SAML only. | Disabled |
| Active sessions view | Admins can view all active sessions for their team in Settings > SSO > Sessions, including device, IP address, and last activity. | Available |
| Logout all sessions | Immediately invalidate all active sessions for the team. Users will be required to re-authenticate. | Available |
{
"sessionDurationHours": 8,
"singleLogoutEnabled": true,
"idleTimeoutMinutes": 30,
"maxConcurrentSessions": 5
}Attribute Mapping
NodeLoom maps identity provider attributes to user profile fields. The following table shows the default mappings for both SAML and OIDC protocols.
| NodeLoom Field | SAML Attribute (OID) | OIDC Claim | Required |
|---|---|---|---|
email | urn:oid:0.9.2342.19200300.100.1.3 | email | Yes |
firstName | urn:oid:2.5.4.42 | given_name | Yes |
lastName | urn:oid:2.5.4.4 | family_name | Yes |
displayName | urn:oid:2.16.840.1.113730.3.1.241 | name | No |
profileImage | urn:oid:2.16.840.1.113730.3.1.39 | picture | No |
You can override the default mappings with custom attribute names in Settings → SSO → Attribute Mapping. This is useful when your IdP uses non-standard attribute names.
Common IdP Attribute Names
| Field | Okta | Azure AD | Google Workspace |
|---|---|---|---|
email | user.email | user.mail | email |
firstName | user.firstName | user.givenname | given_name |
lastName | user.lastName | user.surname | family_name |
API Endpoints
The following endpoints are available for managing SSO programmatically. Admin-authenticated endpoints require the Admin role. Public endpoints are used during the SSO authentication flow.
Admin Endpoints
/api/sso/team/{teamId}/configRetrieve the current SSO configuration for a team, including protocol type, enabled status, and enforcement state.
/api/sso/team/{teamId}/samlCreate or update the SAML 2.0 configuration. Accepts entity ID, SSO URL, certificate, and attribute mappings.
/api/sso/team/{teamId}/oidcCreate or update the OpenID Connect configuration. Accepts issuer URL, client ID, client secret, and scopes.
/api/sso/team/{teamId}/enableEnable SSO for the team. Requires a valid SAML or OIDC configuration to be saved first.
/api/sso/team/{teamId}/enforceEnforce SSO for all team members with a verified domain. Blocks password and social login for matching users.
Public Endpoints
These endpoints are used during the SSO authentication flow and do not require authentication.
/api/sso/saml/{teamId}/loginInitiate the SAML login flow. Redirects the user to the IdP login page.
/api/sso/saml/{teamId}/acsAssertion Consumer Service endpoint. Receives the SAML response from the IdP and creates a session.
/api/sso/oidc/{teamId}/authorizeInitiate the OIDC authorization code flow. Redirects the user to the IdP authorization endpoint.
/api/sso/oidc/{teamId}/callbackOIDC callback endpoint. Exchanges the authorization code for tokens and creates a session.
/api/sso/check?email=Check if an email address is associated with an SSO-enabled team. Returns the SSO login URL if applicable.