| title | SSO (SAML / OIDC) |
|---|---|
| icon | Shield |
| description | Configure Single Sign-On for your organization using SAML 2.0 or OpenID Connect. Scale plan only. |
Single Sign-On (SSO) lets your team authenticate to PgBeam using your existing identity provider — Okta, Azure AD, Google Workspace, or any SAML 2.0 / OIDC provider. Team members sign in with their corporate credentials instead of managing separate PgBeam passwords.
SSO requires the **Scale plan**. See [Plans & Pricing](/docs/plans) for details.

| Protocol | Use case |
|---|---|
| SAML 2.0 | Enterprise IdPs (Okta, Azure AD, OneLogin) |
| OpenID Connect | Modern IdPs and custom OAuth2 providers |
Choose whichever protocol your identity provider supports. If your IdP supports both, OIDC is generally simpler to configure.
## SAML 2.0 setup

### Create a SAML application in your IdP

In your identity provider (Okta, Azure AD, Google Workspace, OneLogin, etc.),
create a new SAML 2.0 application. Most providers have a "custom SAML app"
option.
### Copy the ACS URL and Entity ID into your IdP

Go to **Settings > Security > Configure SSO** in the PgBeam dashboard. You will
see two values to copy into your IdP:
| Field | Description |
| ---------------------------------------- | ----------------------------------- |
| **ACS URL** (Assertion Consumer Service) | Where your IdP sends SAML responses |
| **Entity ID** (SP Entity ID) | PgBeam's SAML identifier |
### Map SAML attributes

Map the following SAML attributes in your IdP. PgBeam uses these to identify
users:
| SAML attribute | Required | Maps to |
| ------------------- | -------- | ------------ |
| `email` or `NameID` | Yes | User email |
| `firstName` | No | Display name |
| `lastName` | No | Display name |
### Add the IdP metadata to PgBeam

Copy your IdP's **metadata URL** into PgBeam's SSO configuration page and
save. PgBeam fetches the IdP certificate, SSO URL, and entity ID from this
URL automatically.
If your IdP does not provide a metadata URL, you can paste the metadata XML
directly.
### Test the SAML connection

Click **Test** in the PgBeam dashboard to verify the SAML flow. This opens a
new window that walks through the full sign-in process. If the test succeeds,
you will see a confirmation with the authenticated user's details.
## OpenID Connect setup

### Create an OIDC application in your IdP

In your identity provider, create a new OpenID Connect (OIDC) application.
Choose "Web Application" as the application type.
### Set the redirect URI

Set the **redirect URI** to the value shown in PgBeam's SSO configuration page
(under **Settings > Security > Configure SSO**).
### Copy the client credentials into PgBeam

Copy the following from your IdP into PgBeam:
| Field | Where to find it |
| ----------------- | --------------------------------------------------------------- |
| **Client ID** | Application settings in your IdP |
| **Client secret** | Application settings in your IdP |
| **Discovery URL** | Usually `https://your-idp.com/.well-known/openid-configuration` |
PgBeam uses the discovery URL to automatically fetch authorization endpoints,
token endpoints, and signing keys.
### Test the OIDC connection

Click **Test** in the PgBeam dashboard to verify the OIDC flow. This redirects
to your IdP for authentication and confirms the user details returned.
## Supported providers

SSO works with any SAML 2.0 or OIDC-compliant identity provider. Commonly used providers include:
| Provider | SAML | OIDC | Notes |
|---|---|---|---|
| Okta | Yes | Yes | Both protocols fully supported |
| Azure AD / Entra ID | Yes | Yes | Use "Enterprise Application" for SAML |
| Google Workspace | Yes | Yes | SAML via Admin Console |
| OneLogin | Yes | Yes | Both protocols fully supported |
| Auth0 | Yes | Yes | Use "Regular Web Application" |
| JumpCloud | Yes | Yes | Both protocols fully supported |
## Just-in-time provisioning

When a user authenticates via SSO for the first time, PgBeam automatically creates an account for them in your organization with the Member role. This means you do not need to invite users individually — anyone who can authenticate through your IdP is automatically provisioned.

Admins and Owners can change a user's role after they have been provisioned.
## Enforcing SSO

Once SSO is configured and tested, you can enforce it for your organization. Enforcement means:

- All organization members must authenticate via SSO
- Password-based login is disabled for the organization
- Existing sessions are invalidated when enforcement is enabled
- New invitations require the recipient to sign in via SSO

Go to **Settings > Security** in the dashboard. After configuring SSO, toggle **Require SSO for all members**. Confirm the action — all non-owner members will be signed out immediately.
## Troubleshooting

### SAML

| Problem | Likely cause | Fix |
|---|---|---|
| "Invalid ACS URL" error | ACS URL mismatch between IdP and PgBeam | Copy the exact ACS URL from PgBeam |
| "Audience mismatch" error | Entity ID mismatch | Verify SP Entity ID matches in both systems |
| User lands on error page | Attribute mapping missing email | Ensure email or NameID is mapped |
| Certificate validation failed | IdP certificate rotated | Re-import the metadata URL in PgBeam |
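The attribute mapping step and the SAML table above both come down to a few fields in the IdP's response: `Destination` against the ACS URL, `Audience` against the SP Entity ID, and `email` or `NameID` for the user. This added example (not PgBeam's own code) parses a constructed response and reports failures using the table's wording; it assumes the XML signature has already been verified with the certificate from the IdP metadata.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}

# Constructed sample response (not captured from a real IdP). Signature
# verification is assumed to have happened before this code runs.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://app.example.com/sso/saml/acs">
  <saml:Assertion>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://app.example.com/sso/saml/metadata</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="firstName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="lastName"><saml:AttributeValue>Liddell</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

def check_saml_response(xml_text, acs_url, sp_entity_id):
    """Return (True, mapped_user) or (False, reason); reasons use the wording
    of the troubleshooting table so a failure is easy to look up."""
    root = ET.fromstring(xml_text)  # stdlib expat does not fetch external entities
    if root.get("Destination") != acs_url:  # byte-for-byte, trailing slash included
        return False, "Invalid ACS URL"
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return False, "Response carries no assertion"
    # The Audience is the IdP's copy of the SP Entity ID; it must be ours exactly.
    audiences = [a.text for a in assertion.findall(".//saml:Audience", NS)]
    if sp_entity_id not in audiences:
        return False, "Audience mismatch"
    attrs = {}
    for attr in assertion.findall(".//saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        if value is not None and value.text:
            attrs[attr.get("Name")] = value.text.strip()
    # Identity comes from the `email` attribute, else from NameID; nothing else.
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    email = attrs.get("email")
    if not email and name_id is not None and name_id.text:
        email = name_id.text.strip()
    if not email or "@" not in email:
        return False, "Attribute mapping missing email"
    parts = [attrs.get("firstName"), attrs.get("lastName")]
    display_name = " ".join(p for p in parts if p) or email
    return True, {"email": email.lower(), "display_name": display_name}
```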
### OIDC

| Problem | Likely cause | Fix |
|---|---|---|
| "Invalid redirect URI" | Redirect URI mismatch | Copy the exact redirect URI from PgBeam |
| "Invalid client" error | Wrong client ID or secret | Re-copy credentials from your IdP |
| Discovery URL fails | URL is incorrect or not publicly reachable | Verify the URL returns JSON in a browser |
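The discovery step of the OIDC setup and the "Discovery URL fails" row above share one check: the document must be JSON, must name the authorization, token and JWKS endpoints, and must belong to the issuer it was fetched from. This added example (not PgBeam's own code) validates a constructed discovery document the way a relying party should before trusting its endpoints.

```python
import json
from urllib.parse import urlsplit

REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")

# Constructed discovery document (not fetched from a real IdP); the three
# endpoints are the ones the setup step says are pulled from the discovery URL.
SAMPLE_DISCOVERY_URL = "https://idp.example.com/.well-known/openid-configuration"
SAMPLE_DISCOVERY_BODY = json.dumps({
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/oauth2/authorize",
    "token_endpoint": "https://idp.example.com/oauth2/token",
    "jwks_uri": "https://idp.example.com/oauth2/keys",
    "response_types_supported": ["code"],
})

def parse_discovery(discovery_url, body):
    """Return (endpoints, None) when the document is usable, else (None, reason)."""
    try:
        doc = json.loads(body)
    except ValueError:  # an HTML login page or error page lands here
        return None, "Discovery URL did not return JSON"
    if not isinstance(doc, dict):
        return None, "Discovery document is not a JSON object"
    missing = [k for k in REQUIRED if not doc.get(k)]
    if missing:
        return None, "Discovery document is missing: " + ", ".join(missing)
    # OpenID Connect Discovery requires the issuer, with the well-known path
    # appended, to equal the URL that was fetched. A mismatch means the
    # endpoints belong to a different issuer and must not be used.
    expected = doc["issuer"].rstrip("/") + "/.well-known/openid-configuration"
    if expected != discovery_url:
        return None, "Issuer mismatch: document says " + doc["issuer"]
    # The client secret and tokens travel to these URLs, so plain http is refused.
    for key in REQUIRED[1:]:
        if urlsplit(doc[key]).scheme != "https":
            return None, key + " must use https"
    return {k: doc[k] for k in REQUIRED}, None
```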
### Provisioning and enforcement

| Problem | Likely cause | Fix |
|---|---|---|
| Users can still use passwords | SSO enforcement not enabled | Toggle "Require SSO" in Security settings |
| New user gets wrong role | Default JIT role is Member | Change role after provisioning |
| IdP is down and nobody can log in | SSO enforcement is enabled | Owner can log in with email/password and disable enforcement |
## Related

- Organizations — Roles, team seats, and member management
- Plans & Limits — SSO is available on the Scale plan
- API Keys — Programmatic access that does not require SSO