---
title: External Authentication
description: Configure single sign-on (SSO) in Infoveave using OIDC or SAML 2.0 identity providers. Disable password login and centralize authentication through your corporate IDP.
---

import { Aside, Steps } from "@astrojs/starlight/components";

# External Authentication

Infoveave supports single sign-on (SSO) using third-party identity providers (IDPs) via **OIDC** (OpenID Connect) and **SAML 2.0**. You can optionally disable password-based login entirely and require all users to authenticate through your corporate IDP.

<Aside type="caution">
  Users and roles are still managed within Infoveave. The IDP is used only for
  authentication — not for provisioning or role assignment.
</Aside>

## Supported Protocols

| Protocol | Description |
|----------|-------------|
| **OIDC** (OpenID Connect) | OAuth 2.0-based authentication. Supported by Microsoft Entra ID (Azure AD), Okta, Google Workspace, Auth0, and most modern IDPs. |
| **SAML 2.0** | XML-based federation protocol. Supported by Microsoft Entra ID, Okta, OneLogin, ADFS, and enterprise IDPs. |

## Prerequisites

Before configuring external authentication:

- You must be an Infoveave Administrator
- Your IDP must support OIDC or SAML 2.0
- The Infoveave callback/redirect URL must be registered with your IDP (Infoveave displays this URL during configuration)
- All users who will use SSO must already exist in Infoveave (create them first via [Users](/administration/users/))

## Configure OIDC Authentication

<Steps>

1. Navigate to **Administration → External Authentication**

2. Select **OIDC** as the authentication type

3. Enter your IDP details:
   - **Client ID** — from your IDP application registration
   - **Client Secret** — from your IDP application registration
   - **Discovery URL / Well-Known URL** — the OIDC metadata endpoint (e.g. `https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration`)

4. Copy the **Redirect URI** shown in Infoveave and register it with your IDP

5. (Optional) Enable **Disable Password Login** to enforce SSO-only access

6. Click **Save** to activate the configuration

7. Test the login by signing out and using the SSO login option

</Steps>
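Before saving the OIDC settings, it is worth checking the document served at the Discovery URL. The Python below is an added example, not Infoveave's own code: it verifies that the issuer matches the Discovery URL, that every endpoint uses HTTPS, that the authorization code flow is offered, and that ID tokens are signed with an asymmetric algorithm. The sample document is constructed and abridged; replace it with the JSON fetched from your own IDP.

```python
import json
from urllib.parse import urlparse

REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def check_discovery(doc, discovery_url):
    """Return a list of problems; an empty list means the document looks usable."""
    problems = [f"missing required field: {k}" for k in REQUIRED if k not in doc]
    if problems:
        return problems
    # OIDC Discovery 4.3: the issuer must equal the discovery URL minus the
    # well-known suffix. A mismatch is rejected by conforming clients and is the
    # first thing to check when SSO bounces straight back to the login page.
    expected = discovery_url.rsplit("/.well-known/openid-configuration", 1)[0]
    if doc["issuer"].rstrip("/") != expected.rstrip("/"):
        problems.append(f"issuer {doc['issuer']!r} does not match {expected!r}")
    # Every endpoint Infoveave will call must be served over HTTPS.
    for key in REQUIRED[1:]:
        if urlparse(doc[key]).scheme != "https":
            problems.append(f"{key} is not https: {doc[key]}")
    # A web application uses the authorization code flow, so 'code' is required.
    if "code" not in doc.get("response_types_supported", []):
        problems.append("response_type 'code' is not supported")
    # ID tokens must carry an asymmetric signature; 'none' must not be offered.
    algs = doc.get("id_token_signing_alg_values_supported", [])
    if "RS256" not in algs or "none" in algs:
        problems.append(f"unsafe id_token signing algorithms: {algs}")
    return problems


# Constructed sample, abridged to resemble an Entra ID v2.0 discovery document.
SAMPLE_URL = "https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration"
SAMPLE_DOC = json.loads("""{
  "issuer": "https://login.microsoftonline.com/{tenant}/v2.0",
  "authorization_endpoint": "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize",
  "token_endpoint": "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token",
  "jwks_uri": "https://login.microsoftonline.com/{tenant}/discovery/v2.0/keys",
  "response_types_supported": ["code", "id_token", "code id_token"],
  "id_token_signing_alg_values_supported": ["RS256"]
}""")

if __name__ == "__main__":
    print(check_discovery(SAMPLE_DOC, SAMPLE_URL) or "discovery document OK")
```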

## Configure SAML 2.0 Authentication

<Steps>

1. Navigate to **Administration → External Authentication**

2. Select **SAML** as the authentication type

3. Download or note the **Infoveave Service Provider (SP) metadata** — you will need to register this with your IDP

4. In your IDP, create a new SAML application and upload/enter the SP metadata

5. Enter your IDP details in Infoveave:
   - **IDP Metadata URL** or upload the IDP metadata XML file
   - **Entity ID** (the IDP's entity identifier, as published in its metadata)
   - **SSO URL** (the IDP's SAML endpoint)

6. Map the IDP user attribute that contains the email address to the Infoveave email field

7. Click **Save** to activate the configuration

8. Test the login by signing out and using the SSO login option

</Steps>
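The Entity ID and SSO URL requested in step 5 both live in the IDP metadata, and a quick inspection of that file catches the most common problems before they surface as the SAML errors listed under Troubleshooting. The Python below is an added example, not Infoveave's code; the metadata it parses is constructed (idp.example.com is a placeholder and the certificate body is not a real certificate).

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def inspect_idp_metadata(xml_text, now=None):
    """Return the Entity ID and SSO URL plus a list of problems found in IDP metadata."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)  # ElementTree does not resolve external entities
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this looks like SP metadata, not IDP metadata")
    result = {"entity_id": root.get("entityID"), "sso_url": None, "problems": []}
    # Prefer the HTTP-Redirect SSO endpoint and fall back to HTTP-POST.
    endpoints = {e.get("Binding"): e.get("Location") for e in idp.findall("md:SingleSignOnService", NS)}
    result["sso_url"] = endpoints.get(REDIRECT) or endpoints.get(POST)
    if result["sso_url"] is None:
        result["problems"].append("no HTTP-Redirect or HTTP-POST SingleSignOnService")
    elif not result["sso_url"].startswith("https://"):
        result["problems"].append("SSO URL is not https")
    # Assertions can only be verified with a signing key; a KeyDescriptor with no 'use' serves both roles.
    certs = [kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", "", NS).strip()
             for kd in idp.findall("md:KeyDescriptor", NS) if kd.get("use", "signing") == "signing"]
    if not any(certs):
        result["problems"].append("no signing certificate in metadata")
    # validUntil is the metadata's own expiry; stale metadata is a common source of certificate errors.
    valid_until = root.get("validUntil")
    if valid_until and datetime.fromisoformat(valid_until.replace("Z", "+00:00")) < now:
        result["problems"].append("metadata expired on " + valid_until)
    return result


# Constructed sample IDP metadata; the certificate body is a placeholder, not a real cert.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/saml"
  validUntil="2099-01-01T00:00:00Z">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER-NOT-A-REAL-CERTIFICATE</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://idp.example.com/sso/redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
```

Run `inspect_idp_metadata(open("idp-metadata.xml").read())` against the file downloaded from your IDP and paste the returned `entity_id` and `sso_url` into Infoveave once `problems` is empty.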

## Identity Provider Guides

### Microsoft Entra ID (Azure AD)

Infoveave has a dedicated guide for Microsoft Entra ID. See [Microsoft Entra](/administration/external-authentication/microsoft-entra/) for step-by-step instructions including app registration, redirect URI configuration, and attribute mapping.

### Okta

To configure Okta as your IDP with Infoveave:

<Steps>

1. In the Okta Admin Console, go to **Applications → Create App Integration**

2. Select **OIDC – OpenID Connect** and **Web Application**, then click **Next**

3. Set the **Sign-in redirect URI** to the Redirect URI shown in Infoveave's External Authentication settings

4. Note your **Client ID** and **Client Secret** from the Okta app's General tab

5. Find your **Okta domain** (e.g. `https://yourorg.okta.com`) — this is your Discovery URL base: `https://yourorg.okta.com/.well-known/openid-configuration`

6. In Infoveave, select **OIDC**, paste in your Client ID, Client Secret, and Discovery URL, then save

7. Assign the Okta application to the users or groups who need access

</Steps>

## Disabling Password Login

Once SSO is working correctly, you can disable password-based login to enforce SSO for all users:

1. Go to **Administration → External Authentication**
2. Enable the **Disable Password Login** toggle
3. Click **Save**

<Aside type="caution">
  Ensure at least one administrator can successfully authenticate via SSO before
  disabling password login. If SSO stops working, you may be locked out of the
  system.
</Aside>

## Troubleshooting

| Issue | Likely cause | Resolution |
|-------|-------------|------------|
| SSO login redirects back to login page | Redirect URI mismatch | Verify the redirect URI registered in your IDP exactly matches the one shown in Infoveave |
| "User not found" after IDP authentication | User does not exist in Infoveave | Create the user in Infoveave Administration before they attempt SSO login |
| SAML assertion errors | Attribute mapping issue | Check that the email attribute in the IDP assertion matches the field configured in Infoveave |
| Certificate errors (SAML) | Expired or mismatched certificate | Refresh the IDP metadata or re-upload the IDP certificate |
