Single Sign-On
Configure SAML 2.0 or OIDC so your team logs in with company credentials. Works with any standards-compliant identity provider.
Supported protocols
ARQERA supports SAML 2.0 and OpenID Connect (OIDC). Choose the protocol your identity provider recommends. Both provide the same security guarantees.
SAML 2.0
Industry-standard XML-based protocol. Works with Okta, Microsoft Entra ID, OneLogin, JumpCloud, and most enterprise identity providers.
OpenID Connect (OIDC)
Modern OAuth 2.0-based protocol. Preferred for cloud-native IdPs. Supports Google Workspace, Azure AD, and custom OIDC providers.
SCIM Provisioning
Automate user and group provisioning from your IdP. Lifecycle management: create, update, and deactivate users automatically.
Supported identity providers
| Provider | Protocol | Notes |
|---|---|---|
| Okta | SAML + OIDC | Full attribute mapping supported |
| Microsoft Entra ID | SAML + OIDC | Group sync via SCIM |
| OneLogin | SAML | Custom attribute mapping |
| JumpCloud | SAML + OIDC | Group-based provisioning |
| Google Workspace | OIDC + SAML | Domain-wide deployment |
| Ping Identity | SAML | Enterprise federation |
Any SAML 2.0 or OIDC-compliant provider will work. Contact support if you need help with a specific provider.
SAML 2.0 setup
Follow these steps to configure SAML SSO. The process takes about 15 minutes. Have your IdP admin console open alongside ARQERA.
Create an application in your IdP
In your identity provider admin console, create a new SAML application. Select "SAML 2.0" as the protocol. Use "ARQERA" as the application name.
Copy your ARQERA SP metadata
In ARQERA, go to System → SSO. Copy the Service Provider (SP) Entity ID and ACS URL. Paste these into your IdP application configuration.
Configure attribute mapping
Map your IdP user attributes to ARQERA fields. At minimum, map the email attribute. Name attributes improve the user experience.
Download IdP metadata
From your IdP application, download the SAML metadata XML or note the Entity ID, SSO URL, and X.509 certificate. You will enter these in ARQERA.
Configure ARQERA with IdP details
In ARQERA System → SSO, enter the Entity ID, SSO URL, and certificate from your IdP. Save the configuration.
Test before enforcing
Use the "Test SSO" button to verify the flow works. Keep a backup admin account active until you are confident SSO is working correctly.
Field reference
These are the values you copy from your identity provider into ARQERA's SSO configuration. Each field is explained below.
Entity ID
The unique identifier for your identity provider. This is sometimes called the Issuer URL or IdP Entity ID. It identifies your IdP in SAML assertions.
- Find this in your IdP application settings under "Identity Provider Issuer" or "Entity ID"
- Must match exactly what your IdP sends in SAML assertions — no trailing slash differences
- Usually a URL but can be any URI string
SSO URL
The URL where ARQERA sends authentication requests. Also called the Single Sign-On Service URL, SSO Target URL, or Login URL depending on your IdP.
- Found in your IdP under "Single Sign-On URL" or "SAML Endpoint"
- This is the endpoint your IdP exposes for receiving SAML AuthnRequests
- Must be HTTPS
X.509 Certificate
The public certificate from your identity provider. ARQERA uses this to verify that SAML responses were genuinely signed by your IdP and have not been tampered with.
- Paste the full certificate including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines
- Download from your IdP under "Signing Certificate" or "X.509 Certificate"
- When your IdP rotates its certificate, update this field — logins will fail if the certificate is expired or mismatched
Attribute Mapping
Maps user attributes from your IdP's SAML assertions to ARQERA user fields. ARQERA needs to know which IdP attribute carries the user's email, name, and other profile data.
| ARQERA field | Required | Common IdP attribute names |
|---|---|---|
| email | Required | email, mail, emailAddress, user.email |
| first_name | Optional | firstName, givenName, user.firstName |
| last_name | Optional | lastName, sn, user.lastName |
| groups | Optional | groups, memberOf, user.groups |
- Email is the only required attribute — ARQERA uses it as the unique user identifier
- If first/last name are not mapped, users will see their email address as their display name
- Group mapping enables automatic role assignment based on IdP group membership
Troubleshooting
Login fails with "Invalid signature"
Cause: Certificate mismatch between IdP and ARQERA configuration.
Fix: Re-download the certificate from your IdP and update it in System → SSO. Check for trailing whitespace or missing newlines.
"Audience restricted" or "Audience mismatch" error
Cause: The SP Entity ID in your IdP does not match the Entity ID ARQERA expects.
Fix: Copy the exact SP Entity ID from System → SSO and paste it into your IdP application configuration.
Users created with wrong name or email
Cause: Attribute mapping is incorrect.
Fix: Check the attribute names your IdP sends in SAML assertions (use a SAML browser extension to inspect). Update the mapping in System → SSO.
"No account found" after successful IdP login
Cause: Just-in-time provisioning is off, or the email sent by the IdP does not match an existing ARQERA account.
Fix: Enable JIT provisioning in System → SSO, or invite the user manually first.
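The audience and attribute-mapping problems above can be diagnosed from a decoded assertion captured with a SAML browser extension. The following is an added example, not ARQERA code: `diagnose` is a hypothetical helper, and the sample assertion and example.com identifiers are constructed. It compares the Issuer and Audience with the configured Entity IDs and resolves each ARQERA field against the common attribute names from the mapping table. It does not verify the signature and is for troubleshooting only.

```python
import xml.etree.ElementTree as ET  # diagnostics only; prefer defusedxml for untrusted XML

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Common IdP attribute names per ARQERA field, from the attribute mapping table.
COMMON_NAMES = {
    "email": ["email", "mail", "emailAddress", "user.email"],
    "first_name": ["firstName", "givenName", "user.firstName"],
    "last_name": ["lastName", "sn", "user.lastName"],
    "groups": ["groups", "memberOf", "user.groups"],
}

# Constructed sample assertion; note the trailing slash on the Issuer.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://idp.example.com/saml/metadata/</saml:Issuer>
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>https://sp.example.com/saml/metadata</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail"><saml:AttributeValue>ana@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="givenName"><saml:AttributeValue>Ana</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="memberOf"><saml:AttributeValue>eng</saml:AttributeValue>
      <saml:AttributeValue>admins</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def diagnose(assertion_xml: str, idp_entity_id: str, sp_entity_id: str):
    """Return (field -> attribute name sent by the IdP or None, list of findings)."""
    root = ET.fromstring(assertion_xml)
    findings = []
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != idp_entity_id:  # exact string match, trailing slash included
        findings.append(f"issuer mismatch: sent {issuer!r}, configured {idp_entity_id!r}")
    audiences = [(a.text or "").strip() for a in root.iterfind(".//saml:Audience", NS)]
    if sp_entity_id not in audiences:
        findings.append(f"audience mismatch: sent {audiences!r}, expected {sp_entity_id!r}")
    sent = {a.get("Name") for a in root.iterfind(".//saml:Attribute", NS)}
    mapping = {field: next((n for n in names if n in sent), None)
               for field, names in COMMON_NAMES.items()}
    if mapping["email"] is None:
        findings.append(f"no email attribute among {sorted(sent)!r}; email is required")
    return mapping, findings
```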
Security recommendations
Test before enforcing
Use the "Test SSO" button to verify the flow works end-to-end before enabling SSO enforcement. Always keep a backup admin account.
Rotate certificates proactively
Set a calendar reminder before your IdP certificate expires. Certificate expiry locks all SSO users out immediately.
Enable SCIM for lifecycle management
Pair SSO with SCIM provisioning so deactivated IdP accounts are automatically disabled in ARQERA.
Sign authentication requests
Enable signed AuthnRequests in ARQERA and configure your IdP to require them. This prevents replay attacks.
Ready to configure SSO?
SSO is available on Business and Enterprise plans. Set it up in minutes from System settings.