SSO Overview

OIDC/OAuth2 and SAML IdP are both supported.

OIDC / OAuth2

• Create clients under /admin/oauth/clients.
• Authorization endpoint: /oauth/authorize
• Token endpoint: /oauth/token
• Userinfo: /oauth/userinfo
• Request orgs scope to receive org memberships and roles.
• Request apps scope to receive app roles and permissions.

Example org claim:

{
  "orgs": [
    {
      "org_id": "uuid",
      "org_slug": "acme",
      "org_name": "Acme Corp",
      "org_type": "client",
      "role": "member",
      "is_admin": false
    }
  ]
    }

Example apps claim:

{
  "apps": [
    {
      "app_id": "uuid",
      "app_slug": "support-portal",
      "app_name": "Support Portal",
      "client_id": "oauth-client-id",
      "roles": ["agent"],
      "permissions": ["tickets.read"]
    }
  ]
}

SAML

• IdP metadata: /saml/metadata
• SSO endpoints: /saml/sso (POST/Redirect)
• Configure SPs in /admin/saml/ with certs and ACS URLs.