Skip to content
varsafe
Esc
navigateopen⌘Jpreview
On this page

Single Sign-On (SSO)

Configure SAML 2.0 or OIDC so your team members sign in through your identity provider.

Prerequisites

  • Team plan — SSO is a Team plan feature
  • Owner or Admin role — only owners and admins can configure SSO
  • A configured identity provider (Okta, Azure AD, Google Workspace, OneLogin, etc.)

SAML 2.0 Setup

1. Get your SP metadata

In the dashboard, go to Teams → your team → SSO. Click Configure SSO and select SAML 2.0. The SP metadata section shows:

Field Value
Entity ID https://varsafe.dev/api/auth/sso/sp/{providerId}
ACS URL https://varsafe.dev/api/auth/sso/callback/{providerId}

Copy these values into your identity provider’s SAML app configuration.

2. Configure your IdP

In your identity provider, create a new SAML application and paste the Entity ID and ACS URL from above. Then collect:

  • Entry Point URL — Your IdP’s SSO login URL
  • Certificate — The IdP’s signing certificate in PEM format
  • Issuer (optional) — The IdP’s entity ID, if different from entry point

3. Enter IdP details in varsafe

Back in the dashboard SSO settings, fill in:

  1. Entry Point URL — Paste the IdP SSO URL
  2. Certificate — Paste the full PEM certificate (including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----)
  3. Issuer — Optional. Enter if your IdP requires it

Click Save to create the SSO configuration.

4. Set your email domain

Enter the email domain your team uses (e.g., acme.com). varsafe uses this domain to route login requests to your IdP.


OIDC Setup

1. Create an OIDC application in your IdP

Register a new application with your identity provider. Set the redirect URI to:

https://varsafe.dev/api/auth/sso/callback/{providerId}

2. Collect credentials

From your IdP, collect:

  • Discovery URL — The OpenID Connect discovery endpoint (e.g., https://accounts.google.com/.well-known/openid-configuration)
  • Client ID — The application client ID
  • Client Secret — The application client secret

3. Configure in varsafe

In the dashboard, go to Teams → your team → SSO. Click Configure SSO and select OIDC.

  1. Discovery URL — Paste the discovery endpoint
  2. Client ID — Paste the client ID
  3. Client Secret — Paste the client secret

Click Save.

4. Set your email domain

Enter the email domain for SSO routing, then have it verified — same as SAML setup above.


How SSO Login Works

Once SSO is enabled and your domain is verified:

  1. User enters their email on the varsafe login page
  2. varsafe checks the email domain against configured SSO providers
  3. If a match is found, the user is redirected to the IdP login page
  4. After IdP authentication, the user is redirected back to varsafe
  5. A varsafe session is created automatically

Users with SSO-enabled domains are routed to SSO automatically — no separate login URL needed.


Managing SSO

Enable / Disable

Toggle SSO on or off from Teams → your team → SSO. Disabling SSO does not delete the configuration — team members fall back to email/password or OAuth login.

Update Configuration

Click Edit in the SSO settings panel to update IdP details (certificate rotation, new endpoints, etc.).

Delete SSO

Click Delete to permanently remove the SSO configuration. Team members will need to use another login method.


Troubleshooting

Clock skew errors

SAML assertions have a time window. varsafe allows up to 5 minutes of clock skew. If your IdP’s server clock is further off, sync it with NTP.

Certificate format

The certificate must be in PEM format. If you have a .cer or .der file, convert it:

openssl x509 -inform DER -in cert.cer -out cert.pem

Paste the full PEM including the BEGIN and END lines.

Domain mismatch

SSO routing matches the email domain exactly. If your team uses multiple domains (e.g., acme.com and acme.io), configure each domain in the SSO settings.

User not redirected to IdP

  • Check that the domain has been verified — routing stays inactive until varsafe verifies domain ownership (see Set your email domain)
  • Confirm the user’s email matches the configured domain exactly
  • Check that SSO is enabled (not just configured)

SAML assertion failures

  • Verify the ACS URL in your IdP matches varsafe’s ACS URL exactly
  • Check that the Entity ID matches
  • Ensure the certificate hasn’t expired

OIDC errors

  • Verify the discovery URL is accessible and returns valid JSON
  • Confirm the redirect URI in your IdP matches varsafe’s callback URL
  • Check that the client secret is correct