SSO (SAML / OIDC) · Enterprise

Federate sign-in to sso.novusflow.tech or your own IdP. Enterprise plan only.

How it works

When SSO federation is enabled, the workspace defers authentication to sso.novusflow.tech over OIDC. The bridge maps the IdP's email claim to a local User, ensures a Membership row exists in the workspace, and mints a Novusflow JWT for the session.

Enabling SSO

  • Upgrade the workspace to Pro.
  • Set SSO_FEDERATION_ENABLED=true on the API.
  • Set SSO_ISSUER, SSO_CLIENT_ID, SSO_REDIRECT_URI.
  • Workspace admins → Members → "Use SSO for this workspace" toggle.

Endpoints

GET  /sso/login?workspaceId=<id>  → { authorizeUrl }
GET  /sso/callback?code=&state=   → mints session, redirects to /dashboard

Bring your own IdP

sso.novusflow.tech is one acceptable issuer; any standards-compliant OIDC provider (Okta, Azure AD, Google Workspace, Auth0, Keycloak) works. Set SSO_ISSUER to the provider's issuer URL, the root under which .well-known/openid-configuration is served.
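
An added example, not Novusflow's own code: the claim checks a callback should pass before the bridge maps the email claim to a local User, which matters most when SSO_ISSUER points at your own IdP. It assumes the ID token's signature was already verified against the issuer's JWKS and that a nonce was sent at /sso/login and kept in the session; `email_from_claims`, `ClaimError` and the sample values are hypothetical.

```python
import time

class ClaimError(ValueError):
    """ID token claims that must not be mapped to a local User."""

def email_from_claims(claims, *, issuer, client_id, expected_nonce,
                      now=None, leeway=60):
    """Return the email to map to a local User, or raise ClaimError.

    Assumption: the token signature was already verified against the
    issuer's JWKS; this function only checks the decoded claims.
    """
    now = time.time() if now is None else now
    # iss must equal the configured SSO_ISSUER exactly, never by prefix.
    if claims.get("iss") != issuer:
        raise ClaimError("iss does not match SSO_ISSUER")
    # aud may be a string or a list; SSO_CLIENT_ID must be in it.
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if client_id not in audiences:
        raise ClaimError("aud does not contain SSO_CLIENT_ID")
    # With several audiences, azp must name this client.
    if len(audiences) > 1 and claims.get("azp") != client_id:
        raise ClaimError("azp does not match SSO_CLIENT_ID")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now > exp + leeway:
        raise ClaimError("exp missing or token expired")
    # nonce binds the token to the login this session started.
    if not expected_nonce or claims.get("nonce") != expected_nonce:
        raise ClaimError("nonce mismatch")
    email = claims.get("email")
    if not isinstance(email, str) or "@" not in email:
        raise ClaimError("email claim missing")
    # Only an address the IdP marks verified may select a local User.
    if claims.get("email_verified") is not True:
        raise ClaimError("email not verified by IdP")
    return email

# Constructed sample claims and config values (not from a real IdP).
CFG = dict(issuer="https://idp.example.com", client_id="novusflow-web",
           expected_nonce="n-7f3a", now=1_700_000_000)
SAMPLE = {"iss": "https://idp.example.com", "aud": "novusflow-web",
          "exp": 1_700_000_300, "nonce": "n-7f3a",
          "email": "ada@example.com", "email_verified": True}

if __name__ == "__main__":
    print(email_from_claims(SAMPLE, **CFG))
```

Rejecting on a missing or false email_verified keeps an IdP that lets users set arbitrary addresses from selecting another member's account.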