SAML & OIDC Single Sign-On¶
VaultStream supports enterprise single sign-on via SAML 2.0 and OpenID Connect.
Supported Identity Providers¶
- Microsoft Entra ID (Azure AD)
- Okta
- Google Workspace
- Ping Identity
- OneLogin
- Any SAML 2.0 or OIDC-compliant IdP
Configuration¶
SAML 2.0¶
- In the Partner Portal, navigate to Settings → SSO → SAML
- Provide your IdP metadata URL or upload the metadata XML
- Configure attribute mapping:
  - email → NameID or urn:oid:0.9.2342.19200300.100.1.3
  - name → urn:oid:2.5.4.42
  - groups → urn:oid:1.3.6.1.4.1.5923.1.1.1.1 (optional)
- Download the CYFR SP metadata and register it with your IdP
- Enable SAML for your account
OpenID Connect¶
- Navigate to Settings → SSO → OIDC
- Provide your issuer URL, client ID, and client secret
- Configure scopes:
  - openid, profile, email (required)
  - groups (optional)
- Enable OIDC for your account
Just-in-Time Provisioning¶
Users who authenticate via SSO for the first time are provisioned automatically with the default viewer role. To assign any other role, configure role mapping from a SAML attribute (for example the optional groups attribute) or an OIDC claim (for example the optional groups claim). A user whose attributes or claims match no mapping keeps the viewer role.
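The following is an added example (not VaultStream code) that shows how the SAML attribute mapping, the OIDC groups claim, and just-in-time role assignment fit together on the service-provider side. It parses a constructed SAML AttributeStatement using the OIDs from the mapping above, falls back to NameID when the mail attribute is absent, normalises an OIDC claim set the same way, and resolves a role from a hypothetical group-to-role table with viewer as the default. It assumes the assertion signature and ID-token signature have already been verified by your SAML/OIDC library; the group names and the ROLE_MAP table are assumptions for illustration.

```python
"""JIT provisioning from SAML attributes or OIDC claims (added example, not product code).

Assumes the SAML assertion / OIDC ID token has ALREADY been signature-verified;
attribute values are only trustworthy after that step.
"""
import xml.etree.ElementTree as ET

# OIDs from the SAML attribute mapping in the docs above.
OID_MAIL = "urn:oid:0.9.2342.19200300.100.1.3"
OID_NAME = "urn:oid:2.5.4.42"
OID_GROUPS = "urn:oid:1.3.6.1.4.1.5923.1.1.1.1"

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

DEFAULT_ROLE = "viewer"

# Hypothetical mapping; entries are checked in order, most privileged first.
ROLE_MAP = [
    ("vaultstream-admins", "admin"),
    ("vaultstream-editors", "editor"),
]


def identity_from_saml(assertion_xml: str) -> dict:
    """Extract email, name and groups from a verified SAML 2.0 assertion."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.iterfind("saml:AttributeValue", NS) if v.text]
        attrs[attr.get("Name")] = values
    # Docs allow email from the mail attribute OR the NameID; prefer the attribute.
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    email = (attrs.get(OID_MAIL) or [name_id.text.strip() if name_id is not None and name_id.text else None])[0]
    return {
        "email": email,
        "name": (attrs.get(OID_NAME) or [None])[0],
        "groups": attrs.get(OID_GROUPS, []),  # optional attribute -> empty list
    }


def identity_from_oidc(claims: dict) -> dict:
    """Normalise a verified OIDC ID-token claim set (scopes openid/profile/email, optional groups)."""
    groups = claims.get("groups", [])
    if isinstance(groups, str):          # some IdPs emit a single string, not a list
        groups = [groups]
    return {"email": claims.get("email"), "name": claims.get("name"), "groups": list(groups)}


def resolve_role(identity: dict) -> str:
    """First ROLE_MAP entry whose group the user holds wins; otherwise the default viewer role."""
    groups = set(identity.get("groups", []))
    for group, role in ROLE_MAP:
        if group in groups:
            return role
    return DEFAULT_ROLE


def provision(identity: dict) -> dict:
    """Build the account record a first-time SSO login would create."""
    if not identity.get("email"):
        # Without an email there is no stable account key; refuse rather than guess.
        raise ValueError("SSO identity has no email; check attribute/claim mapping")
    return {"email": identity["email"], "name": identity.get("name"), "role": resolve_role(identity)}


# Constructed sample assertion: no mail attribute, so email must come from NameID.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example" Version="2.0">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:2.5.4.42"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1">
      <saml:AttributeValue>staff</saml:AttributeValue>
      <saml:AttributeValue>vaultstream-editors</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed sample OIDC claims (as decoded from a verified ID token).
SAMPLE_OIDC_CLAIMS = {"sub": "1234", "email": "bob@example.com", "name": "Bob",
                      "groups": ["staff", "vaultstream-admins"]}

if __name__ == "__main__":
    print(provision(identity_from_saml(SAMPLE_ASSERTION)))
    print(provision(identity_from_oidc(SAMPLE_OIDC_CLAIMS)))
    print(provision(identity_from_oidc({"email": "carol@example.com", "name": "Carol"})))
```

Two points worth checking against your own IdP: whether it releases groups at all (the attribute and claim are optional, so an unmapped user silently lands in viewer), and whether the role table is ordered so that a user in several groups receives the most privileged match deliberately rather than by accident.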
Session Duration¶
SSO sessions are valid for 8 hours by default. Configure in Settings → Security → Session Timeout.