← Back to Docs

Enterprise SSO Setup

Guides

Enterprise SSO Setup

Priiism supports enterprise single sign-on (SSO) at the organization level. Connect your company’s identity provider — Okta, Microsoft Active Directory, Google Workspace, or any SAML 2.0 / OIDC provider — so team members sign in with their existing corporate credentials.

Overview

Enterprise SSO in Priiism uses organization-level identity configuration. When SSO is enabled:

  • Team members sign in with their corporate credentials (no separate Priiism password)
  • New users are auto-provisioned on first login (JIT provisioning)
  • IdP group memberships map to Priiism org roles automatically
  • Home Realm Discovery routes users to the correct IdP based on their email domain

Supported Protocols

ProtocolProviders
SAML 2.0Okta, Microsoft ADFS, OneLogin, PingFederate, generic SAML
OIDCAzure AD (Entra ID), Google Workspace, generic OIDC

Prerequisites

  • A Priiism organization (Pro or Enterprise plan)
  • Owner or Admin role in the organization
  • Admin access to your identity provider (Okta, Azure AD, etc.)
  • A domain you control for DNS verification

Step 1: Verify Your Domain

Domain verification proves you own the email domain used by your team. This is required before setting up SSO.

  1. Go to Org Settings (click your org name in the sidebar, then Settings)

  2. Navigate to the Identity tab

  3. Under Verified Domains, click Add Domain

  4. Enter your domain (e.g., yourcompany.com)

  5. Priiism generates a DNS TXT record:

    Host: _viiibin-verify
Value: viiibin-verify-{token}

  6. Add this TXT record in your DNS provider (e.g., Route 53, GoDaddy, Namecheap)

  7. Click Verify — DNS propagation can take up to 48 hours, but usually completes within minutes

  8. Once verified, the domain shows a green checkmark

You can verify multiple domains if your organization uses more than one email domain.

Step 2: Set Up Okta SSO (SAML 2.0)

In Okta

  1. Log in to your Okta admin console
  2. Go to Applications > Create App Integration
  3. Select SAML 2.0 and click Next
  4. Configure the SAML integration:
    • Single sign-on URL: https://auth.priiism.ai/login/callback?connection={connection-name} (Priiism provides this after you create the connection)
    • Audience URI (SP Entity ID): urn:auth0:priiism:{connection-name}
    • Name ID format: EmailAddress
    • Application username: Email
  5. Under Attribute Statements, add:
    • email -> user.email
    • name -> user.firstName + " " + user.lastName
  6. Under Group Attribute Statements, add:
    • Name: groups | Filter: Matches regex .*
  7. Click Finish and note the IdP Metadata URL (under Sign On tab > SAML Signing Certificates > Actions > View IdP metadata)
  8. Assign users or groups to the application

In Priiism

  1. Go to Org Settings > Identity
  2. Under SSO Connections, click Add Connection
  3. Select SAML 2.0
  4. Enter a connection name (e.g., okta-yourcompany)
  5. Paste the IdP Metadata URL from Okta
  6. Click Create — Priiism fetches the metadata and configures the connection
  7. Toggle the connection to Enabled

Configure Role Mappings

After creating the connection, set up role mappings to automatically assign org roles based on Okta group membership:

  1. Under the connection settings, click Role Mappings

  2. Add mappings:

    IdP GroupPriiism Org Role
    AdminsOwner
    EngineeringAdmin
    ProductMember
    StakeholdersViewer

  3. Users who don’t match any mapping get the default role (Member)

Step 3: Set Up Microsoft AD SSO (OIDC)

In Azure AD (Entra ID)

  1. Log in to the Azure Portal
  2. Go to Microsoft Entra ID > App registrations > New registration
  3. Configure:
    • Name: Priiism SSO
    • Supported account types: Accounts in this organizational directory only
    • Redirect URI: https://auth.priiism.ai/login/callback (Web)
  4. After registration, note the Application (client) ID and Directory (tenant) ID
  5. Go to Certificates & secrets > New client secret — note the secret value
  6. Go to Token configuration > Add optional claim > Token type: ID > Add email, given_name, family_name
  7. Go to API permissions > Add User.Read and GroupMember.Read.All (if using group-based role mappings)
  8. Grant admin consent for the permissions

In Priiism

  1. Go to Org Settings > Identity
  2. Under SSO Connections, click Add Connection
  3. Select OIDC
  4. Fill in:
    • Connection name: azure-ad-yourcompany
    • Tenant ID: Your Azure AD tenant ID
    • Client ID: The application (client) ID from Azure
    • Client Secret: The client secret value
  5. Click Create
  6. Toggle the connection to Enabled

Configure Role Mappings

Set up role mappings from Azure AD groups:

  1. Under the connection settings, click Role Mappings

  2. Add mappings using Azure AD group Object IDs or display names:

    Azure AD GroupPriiism Org Role
    IT-AdminsOwner
    DevelopersAdmin
    All-StaffMember

Home Realm Discovery

Once SSO is configured and your domain is verified, Home Realm Discovery (HRD) automatically routes users to the correct identity provider based on their email domain.

How it works:

  1. A user visits the Priiism login page and enters their email
  2. Priiism checks the email domain against verified domains
  3. If the domain matches an organization with SSO enabled, the user is redirected to their IdP
  4. If no match, the user continues with standard email/password login

This means your team members never need to remember which login method to use — they just enter their email and are automatically sent to Okta, Azure AD, or whichever IdP your organization uses.

Google Workspace SSO

For organizations using Google Workspace:

  1. Verify your Google Workspace domain in Priiism
  2. Create an OIDC connection using your Google Workspace credentials
  3. Users with @yourcompany.com emails will be routed to Google for authentication

Google Workspace SSO uses OAuth 2.0/OIDC, so no SAML configuration is needed.

Troubleshooting

Users can’t log in via SSO

  • Verify the connection is Enabled in Org Settings > Identity
  • Check that users are assigned to the application in your IdP (Okta/Azure AD)
  • Confirm the domain is verified (green checkmark in Org Settings > Identity)

Role mappings not working

  • Ensure group claims are being sent by your IdP (check the Group Attribute Statement in Okta or Token Configuration in Azure AD)
  • Group names are case-sensitive — Admins is different from admins
  • Users must log out and log back in for role mapping changes to take effect

DNS verification stuck

  • TXT records can take up to 48 hours to propagate
  • Verify the record is set on the correct domain (not a subdomain)
  • Use dig TXT _viiibin-verify.yourcompany.com to check propagation

Next Steps