Identity & SSO

Connect your organization’s identity provider for single sign-on. Team members can log in with their corporate credentials instead of creating separate accounts.

The Identity & SSO page has three sections: Verified Domains, Enterprise Connections, and Role Mappings.

Verified Domains

Verify ownership of your email domain to enable SSO features like Home Realm Discovery (automatically routing users to your IdP based on their email).

Adding a Domain

  1. Enter your domain (e.g., yourcompany.com)
  2. Click Add Domain
  3. You’ll receive a verification token — a DNS TXT record to add:
    Type:  TXT
    Name:  _priiism-verify
    Value: viiibin-verify-{your-token}
  4. Add this record in your DNS provider (e.g., Route 53, GoDaddy, Namecheap)
  5. Click Verify — DNS propagation can take up to 48 hours but usually completes within minutes
  6. Once verified, the domain shows a green checkmark
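The check a practitioner runs before clicking Verify, as an added example (this is not Priiism's own verifier): it looks up the TXT record published under _priiism-verify on the domain and compares it with the expected viiibin-verify-{token} value. The record name and value format come from this page; the function names, the injectable resolver and the sample zone data are constructed for illustration.

```python
"""Check that a domain publishes the Priiism verification TXT record.

Added example, not Priiism's own verifier. The record label (_priiism-verify)
and value format (viiibin-verify-{token}) come from the docs page; the
function names, the injectable resolver and SAMPLE_ZONE are assumptions.
"""
import hmac
import shlex
from typing import Callable, Iterable, List

RECORD_LABEL = "_priiism-verify"   # from the page
VALUE_PREFIX = "viiibin-verify-"   # from the page

# A resolver maps a DNS name to the raw TXT strings found at that name.
Resolver = Callable[[str], Iterable[str]]


def expected_value(token: str) -> str:
    """The TXT value the page tells you to publish for `token`."""
    return VALUE_PREFIX + token


def txt_record_name(domain: str) -> str:
    """FQDN of the verification record: label + domain, lowercased, no trailing dot."""
    return f"{RECORD_LABEL}.{domain.strip().rstrip('.').lower()}"


def normalise_txt(raw: str) -> str:
    """Join the quoted character-strings a resolver (or dig) prints into one value.

    TXT RDATA is a sequence of <=255-byte strings; dig shows them as
    '"abc" "def"'. Concatenating them is the usual convention for long values.
    """
    return "".join(shlex.split(raw))


def domain_is_verified(domain: str, token: str, resolve: Resolver) -> bool:
    """True if any TXT record at _priiism-verify.<domain> equals the expected value.

    Comparison is exact (assumption: tokens are case-sensitive). The resolver
    is injected so this runs offline here and can be backed by dnspython or
    `dig` in practice.
    """
    want = expected_value(token).encode()
    for raw in resolve(txt_record_name(domain)):
        got = normalise_txt(raw).encode()
        # compare_digest matters on the verifying server (no timing leak of the
        # token); it is harmless on the client side.
        if hmac.compare_digest(got, want):
            return True
    return False


# Constructed sample zone data standing in for real DNS answers.
SAMPLE_ZONE = {
    "_priiism-verify.yourcompany.com": [
        '"viiibin-verify-3f9a1c"',            # correct record
    ],
    "_priiism-verify.partner.example": [
        '"viiibin-verify-" "3f9a1c"',         # same value split into two chunks
        '"v=spf1 -all"',                      # unrelated TXT at the same name
    ],
    "_priiism-verify.typo.example": [
        '"viiibin-verify-3F9A1C"',            # wrong case: must not verify
    ],
}


def sample_resolver(name: str) -> List[str]:
    """Offline stand-in for a DNS lookup; returns [] for unknown names (NXDOMAIN)."""
    return SAMPLE_ZONE.get(name, [])


if __name__ == "__main__":
    for d in ("yourcompany.com", "partner.example", "typo.example", "missing.example"):
        print(f"{d}: {domain_is_verified(d, '3f9a1c', sample_resolver)}")
```

Two practical notes. First, `dig +short TXT _priiism-verify.yourcompany.com` shows what public resolvers currently see; the quoted strings it prints are exactly the form `normalise_txt` accepts, and if nothing comes back yet the record has not propagated. Second, the page gives the record Name as the bare label `_priiism-verify`; most DNS consoles treat that as relative to the zone, but some expect the full name `_priiism-verify.yourcompany.com`, so check which convention your provider uses if verification keeps failing.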

What Verified Domains Enable

  • Home Realm Discovery — Users with your domain email are automatically routed to your IdP at login
  • JIT Provisioning — New users from your domain are auto-provisioned on first login
  • Domain trust — Proves you own the domain for security compliance

Enterprise Connections

Connect your identity provider so team members can log in with their existing corporate credentials.

Supported Protocols

Protocol           Use Case
SAML 2.0           Okta, OneLogin, PingFederate, generic SAML
OIDC               Azure AD, custom OIDC providers
Azure AD           Microsoft Entra ID (formerly Azure Active Directory)
Google Workspace   Google corporate accounts
Okta               Okta Workforce Identity

Creating a Connection

  1. Click Add Connection
  2. Enter a name (e.g., “Okta Production”)
  3. Select the protocol (SAML, OIDC, Azure AD, Google Workspace, Okta)
  4. Optionally add a display name (shown on the login page)
  5. Click Create

After creation, you’ll need to configure the connection in your IdP. The exact steps depend on your provider — see the Enterprise SSO Setup Guide for Okta and Azure AD walkthroughs.

Enabling / Disabling

Toggle connections on or off without deleting them. Disabled connections won’t appear on the login page.

Role Mappings

Map groups from your identity provider to Priiism organization roles. When a user logs in via SSO, their IdP group memberships automatically determine their org role.

How It Works

  1. User logs in via your enterprise connection
  2. The IdP sends group claims (e.g., SAML attribute groups: ["engineering", "admins"])
  3. Priiism checks your role mappings
  4. The user gets the highest matching role

Creating a Mapping

  1. Select the Connection (which IdP this mapping applies to)
  2. Enter the IdP Group name (must match exactly what your IdP sends — e.g., admins, engineering)
  3. Select the Org Role to assign (admin, member, viewer)
  4. Click Add Mapping

Examples

IdP Group     Org Role   Effect
admins        Admin      Users in the "admins" IdP group become org admins
developers    Member     Users in "developers" can create and edit projects
executives    Viewer     Users in "executives" get read-only access

Note: Role mappings only apply to users logging in via the mapped enterprise connection. Users invited directly (by email) keep their assigned role.
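The four "How It Works" steps, the exact-match rule and the note above, carried through in code as an added example (not Priiism's own implementation). The rules come from this page: mappings are scoped to one connection, the IdP group name must match exactly, the highest matching role wins, and direct (email) logins keep their assigned role. The role order admin > member > viewer, the data shapes, the `groups` attribute name and what happens when nothing matches (the existing role is kept) are assumptions.

```python
"""Resolve an org role from IdP group claims as described on the page.

Added example, not Priiism's own code. Page rules: per-connection mappings,
exact group-name match, highest matching role wins, direct logins keep their
role. Assumed: role ranking, data shapes, and keep-current-role on no match.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Assumed ordering of the three org roles the page lists (highest rank wins).
ROLE_RANK = {"admin": 3, "member": 2, "viewer": 1}


@dataclass(frozen=True)
class RoleMapping:
    connection: str   # which enterprise connection this mapping applies to
    idp_group: str    # exact group name the IdP sends
    org_role: str     # admin | member | viewer


def resolve_org_role(connection: str, idp_groups: Iterable[str],
                     mappings: Iterable[RoleMapping]) -> Optional[str]:
    """Return the highest org role any of `idp_groups` maps to on `connection`.

    Matching is exact and case-sensitive ("Admins" does not match "admins").
    Mappings for other connections are ignored even when the group name matches.
    Returns None when no mapping matches.
    """
    groups = set(idp_groups)
    best: Optional[str] = None
    for m in mappings:
        if m.connection != connection or m.idp_group not in groups:
            continue
        if m.org_role not in ROLE_RANK:
            raise ValueError(f"unknown org role in mapping: {m.org_role!r}")
        if best is None or ROLE_RANK[m.org_role] > ROLE_RANK[best]:
            best = m.org_role
    return best


def groups_from_saml_attributes(attrs: dict) -> List[str]:
    """Pull the multi-valued `groups` attribute out of a decoded assertion.

    `attrs` is a constructed stand-in for the attribute statement a SAML
    library returns ({name: [values]}); 'groups' follows the page's example.
    """
    return list(attrs.get("groups", []))


# Constructed mappings mirroring the page's example table, plus a second
# connection to show that mappings are scoped per connection.
MAPPINGS = [
    RoleMapping("Okta Production", "admins", "admin"),
    RoleMapping("Okta Production", "developers", "member"),
    RoleMapping("Okta Production", "executives", "viewer"),
    RoleMapping("Azure AD Staging", "admins", "viewer"),
]


def resolve_login(connection: str, saml_attrs: dict) -> Optional[str]:
    """Steps 1-4 from the page: connection + group claims -> org role (or None)."""
    return resolve_org_role(connection, groups_from_saml_attributes(saml_attrs), MAPPINGS)


def role_after_login(current_role: str, connection: Optional[str],
                     saml_attrs: dict) -> str:
    """Apply the page's note: only SSO logins via a mapped connection change the role.

    connection=None models a direct (email-invited) login, which keeps the
    assigned role. Keeping the current role when no mapping matches is an
    assumption; the page does not say what happens in that case.
    """
    if connection is None:
        return current_role
    mapped = resolve_login(connection, saml_attrs)
    return mapped if mapped is not None else current_role


if __name__ == "__main__":
    assertion = {"groups": ["engineering", "admins", "developers"]}
    print(resolve_login("Okta Production", assertion))          # admin: highest wins
    print(resolve_login("Azure AD Staging", assertion))         # viewer: per-connection
    print(resolve_login("Okta Production", {"groups": ["Admins"]}))  # None: exact match
    print(role_after_login("member", None, assertion))          # member: direct login
```

The case-sensitivity and per-connection behaviour are the two things worth testing against your real IdP before rolling this out: export a test user's assertion (most IdPs have a "preview" or "test" button on the application) and confirm the group values match the mapping strings byte for byte, including any prefix the IdP adds.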