SSO (OIDC + SAML)

Pro plans support OIDC and SAML 2.0 with full per-org claim mapping. New users land in your tenant at the right role automatically.

Setup

Configure OIDC discovery URL or SAML metadata XML at Settings → SSO. Claim mapping points our canonical fields (email / name / picture) at whatever path your IDP uses. Role mapping turns your IDP's group claim into an Aayu role per JIT provisioning rule.

Lint your config before saving

Both mappings have JSON Schema endpoints (/api/schemas/claim-mapping, /api/schemas/role-mapping) — point ajv or your IDE at them and lint your config locally before pasting into Aayu.

Sample for Microsoft Entra ID

Worked example pre-filled in the SSO settings page; toggle updateOnLogin: true if your group memberships change frequently and you want every login to re-evaluate the role.