SAML & OIDC Single Sign-On

VaultStream supports enterprise single sign-on via SAML 2.0 and OpenID Connect.

Supported Identity Providers

  • Microsoft Entra ID (Azure AD)
  • Okta
  • Google Workspace
  • Ping Identity
  • OneLogin
  • Any SAML 2.0 or OIDC-compliant IdP

Configuration

SAML 2.0

  1. In the Partner Portal, navigate to Settings → SSO → SAML
  2. Provide your IdP metadata URL or upload the metadata XML
  3. Configure attribute mapping:
       • email: NameID or urn:oid:0.9.2342.19200300.100.1.3
       • name: urn:oid:2.5.4.42
       • groups: urn:oid:1.3.6.1.4.1.5923.1.1.1.1 (optional)
  4. Download the CYFR SP metadata and register it with your IdP
  5. Enable SAML for your account
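
A pre-flight check for the attribute mapping above, written for this page as an added example (not VaultStream code): it parses a sample assertion captured from your IdP and reports which mapped fields resolve and which required ones are missing. The sample assertion, the function names, the NameID-first lookup order and the "@" test for email are assumptions of the example, and it does not verify the assertion's signature.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Attribute mapping from this page; "NameID" means the Subject's NameID element.
MAPPING = {
    "email": ["NameID", "urn:oid:0.9.2342.19200300.100.1.3"],
    "name": ["urn:oid:2.5.4.42"],
    "groups": ["urn:oid:1.3.6.1.4.1.5923.1.1.1.1"],
}
OPTIONAL = {"groups"}
# Constructed sample: unsigned, trimmed assertion with an opaque NameID.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>a1b2c3-opaque</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:oid:2.5.4.42"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def extract_sources(assertion_xml):
    """Return {source name: [values]} for NameID and every Attribute."""
    root = ET.fromstring(assertion_xml)
    found = {}
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is not None and (name_id.text or "").strip():
        found["NameID"] = [name_id.text.strip()]
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS)
                  if (v.text or "").strip()]
        if values:
            found.setdefault(attr.get("Name"), []).extend(values)
    return found

def check_mapping(assertion_xml):
    """Return (resolved fields, missing required fields) for one assertion."""
    found = extract_sources(assertion_xml)
    resolved, missing = {}, []
    for field, sources in MAPPING.items():
        usable = [s for s in sources if s in found]
        if field == "email":
            # Assumption of this example: a usable email value contains "@".
            usable = [s for s in usable if "@" in found[s][0]]
        if usable:
            values = found[usable[0]]
            resolved[field] = values if field == "groups" else values[0]
        elif field not in OPTIONAL:
            missing.append(field)
    return resolved, missing
```

Run `check_mapping` on an assertion exported from your IdP's test tool before enabling SAML; a non-empty second element means the IdP is not releasing a required attribute.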

OpenID Connect

  1. Navigate to Settings → SSO → OIDC
  2. Provide your issuer URL, client ID, and client secret
  3. Configure scopes: openid, profile, email (required), groups (optional)
  4. Enable OIDC for your account

Just-in-Time Provisioning

Users who authenticate via SSO for the first time are automatically provisioned with the default viewer role. Role assignment can be configured via SAML attribute or OIDC claim mapping.

Session Duration

SSO sessions are valid for 8 hours by default. To change this, go to Settings → Security → Session Timeout.