SSO Setup

Rivano supports SAML 2.0 single sign-on (SSO) for organizations that need centralized identity management. Once configured, team members authenticate through your identity provider (IdP) and are automatically provisioned in Rivano.

Supported Providers

Provider              Protocol   Status
Okta                  SAML 2.0   Supported
Azure AD (Entra ID)   SAML 2.0   Supported
Google Workspace      SAML 2.0   Supported
OneLogin              SAML 2.0   Supported
Custom SAML IdP       SAML 2.0   Supported

SAML Configuration

To set up SAML SSO, you’ll need to configure both your identity provider and Rivano. Start by navigating to Settings → Authentication → SAML SSO in the Rivano dashboard.

Rivano Service Provider Details

Provide these values to your identity provider:

Field                      Value
ACS URL (Reply URL)        https://app.rivano.ai/auth/saml/callback
Entity ID (Audience URI)   https://app.rivano.ai/saml/metadata
Name ID Format             urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
Sign-on URL                https://app.rivano.ai/auth/saml/login

For self-hosted instances, replace app.rivano.ai with your deployment's domain in all four values. The IdP must send these values byte for byte (same scheme, host, path and trailing slash), because Rivano compares them exactly when it validates a response.

Identity Provider Details

After configuring your IdP, enter these values in Rivano:

Field             Description
IdP SSO URL       The sign-on URL provided by your IdP
IdP Entity ID     The issuer/entity ID from your IdP
IdP Certificate   The X.509 signing certificate (PEM format)

The IdP certificate is the IdP's public signing certificate; Rivano uses it to verify the signature on assertions, so it is never a private key. When your IdP rotates its signing certificate, paste the new certificate into Rivano before the old one is retired, or every login will fail with a certificate error.

Provider-Specific Guides

Okta

  1. In Okta Admin, go to Applications → Create App Integration
  2. Select SAML 2.0
  3. Enter the ACS URL as the Single sign-on URL and the Entity ID as the Audience URI (SP Entity ID), copying both from the table above
  4. Set Name ID format to EmailAddress and Application username to Email
  5. Add attribute statements:
    • email → user.email
    • firstName → user.firstName
    • lastName → user.lastName
  6. Under Group Attribute Statements, add groups with a filter that matches your Rivano groups (for example, Starts with rivano-), so the assertion carries the groups attribute that role mapping needs
  7. Copy the IdP SSO URL and Entity ID, and download the certificate
  8. Paste them into Rivano's SAML settings

Azure AD (Entra ID)

  1. In Azure Portal, go to Enterprise Applications → New Application
  2. Select Create your own application → Integrate any other application you don't find in the gallery (Non-gallery)
  3. Under Single sign-on → SAML, click Edit on Basic SAML Configuration
  4. Set:
    • Identifier (Entity ID): https://app.rivano.ai/saml/metadata
    • Reply URL (Assertion Consumer Service URL): https://app.rivano.ai/auth/saml/callback
  5. Under Attributes & Claims, set the Unique User Identifier (Name ID) to user.mail with the Email address name identifier format, confirm the emailaddress claim is mapped, and add a group claim so the assertion carries the groups Rivano's role mapping reads
  6. Under SAML Certificates, download Certificate (Base64); then copy the Login URL and the Microsoft Entra Identifier
  7. Enter these in Rivano's SAML settings (Login URL → IdP SSO URL, Microsoft Entra Identifier → IdP Entity ID)

Google Workspace

  1. In Google Admin Console, go to Apps → Web and mobile apps → Add App → Add custom SAML app
  2. On the Google Identity Provider details page, copy the SSO URL and Entity ID and download the Certificate
  3. On the Service provider details page, enter the ACS URL and Entity ID from Rivano and set Name ID format to EMAIL
  4. Map attributes: email → Primary Email
  5. Under Group membership (optional), select your rivano-* groups and set the App attribute name to groups
  6. Enable the app for your organizational unit
  7. Paste the SSO URL, Entity ID, and certificate into Rivano

Role Mapping

Rivano maps IdP groups to Rivano roles. Configure group-to-role mappings in Settings → Authentication → Role Mapping.

Rivano Role   Permissions                        Suggested IdP Group
owner         Full access, billing, delete org   rivano-owners
admin         Manage agents, policies, users     rivano-admins
member        View dashboards, create agents     rivano-members
viewer        Read-only dashboard access         rivano-viewers

Attribute Mapping

Your IdP should send a groups or role attribute in the SAML assertion. Configure the attribute name in Rivano so it matches the attribute name your IdP emits exactly (attribute names are case-sensitive):

Attribute name: groups
Mapping:
  rivano-admins → admin
  rivano-members → member
  rivano-viewers → viewer

Users without a matching group are assigned the member role by default. You can change the default role in Settings. Because member can create agents, consider setting the default to viewer: a user whose group claim is missing (a group filter that does not match, or a user not yet added to a group) then lands on read-only access instead of getting write access by accident.

Just-in-Time Provisioning

When JIT provisioning is enabled (default), users are automatically created in Rivano on their first SAML login. Their profile (name, email) and role are set from the SAML assertion attributes. With JIT on, every identity your IdP is willing to assert for this application becomes a Rivano user, so the IdP's application assignment is your admission control: assign the app to the intended groups rather than to all users.

To disable JIT provisioning and require manual user creation, toggle Settings → Authentication → Auto-provision users off. Users who have not been created in Rivano are then rejected at login even if the IdP authenticates them.

Enforcing SSO

Once SSO is configured and tested:

  1. Go to Settings → Authentication → Enforcement
  2. Enable Require SSO for all users
  3. Optionally, set a grace period (e.g., 7 days) for existing password users to transition

After enforcement, password login is disabled and all authentication goes through your IdP. Organization owners retain emergency password access. Treat those owner passwords as break-glass credentials: keep them unique and stored in a vault, and review owner password logins, since they are the one path that bypasses your IdP.

Troubleshooting

Issue                                  Solution
"Invalid SAML response"                Check that the ACS URL matches exactly (scheme, host, path and trailing slash); the Destination in the response must equal the ACS URL configured in Rivano
User created with wrong role           Verify the groups attribute is included in the SAML assertion and that its name matches the attribute name configured in Rivano
Certificate error                      Ensure the certificate is in PEM format, hasn't expired, and is the IdP's current signing certificate (re-paste it after an IdP key rotation)
Login loop                             Confirm the Entity ID matches between IdP and Rivano settings (the Audience in the assertion must equal Rivano's Entity ID)
Users can't access after enforcement   Check the grace period hasn't expired; owners can temporarily disable enforcement
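The checks in the troubleshooting table and the Attribute Mapping section can be run offline against a captured login. The script below is an added example, not Rivano's code: it decodes the base64 SAMLResponse form field that the browser posts to the ACS URL (copy it from the browser's network tab or a SAML tracer), compares Destination, Issuer, Audience, NameID format, validity window and the embedded signing certificate with the values from this page, and resolves the role the groups attribute would produce. The IdP issuer, the certificate body (a placeholder, not a real X.509 certificate), the sample assertion and the fixed clock are all constructed for the demo. It does not verify the XML signature; use a SAML library (python3-saml/xmlsec) for that.

```python
"""Offline check of a SAMLResponse against Rivano's SP settings. Added example,
not Rivano's code: diagnoses the mismatches in the troubleshooting table but
does NOT verify the XML signature (use python3-saml/xmlsec for that)."""
import base64
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Values from the "Rivano Service Provider Details" table.
SP_ACS_URL = "https://app.rivano.ai/auth/saml/callback"
SP_ENTITY_ID = "https://app.rivano.ai/saml/metadata"
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# Group-to-role mapping from the Role Mapping section (rivano-owners is the
# suggested group from the role table; the Attribute Mapping list omits it).
GROUP_TO_ROLE = {"rivano-owners": "owner", "rivano-admins": "admin",
                 "rivano-members": "member", "rivano-viewers": "viewer"}
ROLE_RANK = {"owner": 0, "admin": 1, "member": 2, "viewer": 3}  # 0 = most privileged

def normalize_cert(pem_or_b64):  # drop PEM armour and whitespace before comparing
    return re.sub(r"\s+", "", re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem_or_b64))

def attributes(assertion):
    """AttributeStatement as {name: [values]}."""
    out = {}
    for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        out.setdefault(a.get("Name"), []).extend(
            v.text or "" for v in a.findall("saml:AttributeValue", NS))
    return out

def resolve_role(groups, mapping=GROUP_TO_ROLE, default_role="member"):
    """Most privileged mapped role, else the default (the page's default is member)."""
    roles = [mapping[g] for g in groups if g in mapping]
    return min(roles, key=ROLE_RANK.__getitem__) if roles else default_role

def check_response(root, idp_entity_id, idp_cert_pem, now, skew=timedelta(minutes=3)):
    """List of findings; empty means the response matches the SP and IdP settings."""
    ts = lambda s: datetime.fromisoformat(s.replace("Z", "+00:00"))  # SAML times are UTC
    f = []
    if root.get("Destination") != SP_ACS_URL:
        f.append(f"Destination {root.get('Destination')!r} != ACS URL (exact match; trailing slash matters)")
    a = root.find("saml:Assertion", NS)
    if a is None:
        return f + ["no plaintext Assertion (encrypted or missing)"]
    if a.findtext("saml:Issuer", "", NS).strip() != idp_entity_id:
        f.append("assertion Issuer != IdP Entity ID configured in Rivano")
    aud = a.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", "", NS)
    if aud.strip() != SP_ENTITY_ID:
        f.append(f"Audience {aud!r} != Entity ID {SP_ENTITY_ID!r} (typical login-loop cause)")
    nid = a.find("saml:Subject/saml:NameID", NS)
    if nid is None or nid.get("Format") != EMAIL_NAMEID:
        f.append("NameID missing or Format is not emailAddress")
    cond = a.find("saml:Conditions", NS)
    if cond is not None:
        if cond.get("NotBefore") and now + skew < ts(cond.get("NotBefore")):
            f.append("assertion not yet valid (clock skew?)")
        if cond.get("NotOnOrAfter") and now - skew >= ts(cond.get("NotOnOrAfter")):
            f.append("assertion expired (replay or slow clock)")
    cert = root.find(".//ds:X509Certificate", NS)
    if cert is None:
        f.append("no Signature/X509Certificate: nothing for Rivano to verify")
    elif normalize_cert(cert.text or "") != normalize_cert(idp_cert_pem):
        f.append("embedded signing cert != certificate pasted into Rivano (rotated at the IdP?)")
    if "groups" not in attributes(a):
        f.append("no 'groups' attribute: user gets the default role")
    return f

def audit(saml_response_b64, idp_entity_id, idp_cert_pem, now):
    """Decode the SAMLResponse form field, check it, and show the role it would yield."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    a = root.find("saml:Assertion", NS)
    groups = attributes(a).get("groups", []) if a is not None else []
    return check_response(root, idp_entity_id, idp_cert_pem, now), resolve_role(groups)

# Constructed sample: assumed IdP issuer, placeholder cert body (not a real X.509),
# and a fixed clock inside the assertion's validity window.
IDP_ENTITY_ID = "https://idp.example.com/saml"
IDP_CERT_PEM = "-----BEGIN CERTIFICATE-----\nMIICplaceholderNotARealCert\n-----END CERTIFICATE-----\n"
SAMPLE_NOW = datetime(2024, 6, 1, 12, 0, 30, tzinfo=timezone.utc)
SAMPLE_XML = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
 xmlns:ds="{NS['ds']}" ID="_r1" Version="2.0" Destination="{SP_ACS_URL}">
 <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer><saml:Assertion ID="_a1" Version="2.0">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer><ds:Signature><ds:KeyInfo><ds:X509Data>
  <ds:X509Certificate>MIICplaceholderNotARealCert</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
  <saml:Subject><saml:NameID Format="{EMAIL_NAMEID}">alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-06-01T11:59:00Z" NotOnOrAfter="2024-06-01T12:05:00Z">
   <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions><saml:AttributeStatement>
   <saml:Attribute Name="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="groups"><saml:AttributeValue>rivano-viewers</saml:AttributeValue>
    <saml:AttributeValue>rivano-admins</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement></saml:Assertion></samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()
BAD_B64 = base64.b64encode(SAMPLE_XML.replace(f'Destination="{SP_ACS_URL}"',  # trailing slash:
                                              f'Destination="{SP_ACS_URL}/"').encode()).decode()  # "Invalid SAML response"

if __name__ == "__main__":
    for label, blob in (("good", SAMPLE_B64), ("trailing-slash", BAD_B64)):
        findings, role = audit(blob, IDP_ENTITY_ID, IDP_CERT_PEM, SAMPLE_NOW)
        print(label, "->", findings or "OK", "| role:", role)
```

To use it on a real login, replace SAMPLE_B64 with the captured SAMLResponse value, IDP_ENTITY_ID and IDP_CERT_PEM with what you pasted into Rivano, and pass the current time. The certificate comparison only tells you whether the IdP signed with the certificate Rivano knows about; checking that the certificate itself has not expired is a separate step (openssl x509 -noout -enddate -in idp.pem). resolve_role picks the most privileged mapped group when a user is in several, which is one reasonable policy but not something this page specifies for Rivano.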