Trust & Security | stable | Updated 2026-06-27

SSO and SAML

Configure OIDC or SAML SSO, verify domain ownership, and enforce SSO safely.

Kadryn supports enterprise SSO through OIDC and SAML providers. SSO is configured per workspace from Security > Enterprise identity.

  1. Register the OIDC or SAML provider in Kadryn.
  2. Copy the callback, ACS, or metadata URL shown by Kadryn into your identity provider.
  3. Click Get DNS record in Kadryn.
  4. Add the TXT verification value to the DNS zone for the provider domain.
  5. Wait for DNS propagation.
  6. Click Verify domain.
  7. Enforce SSO only after at least one provider domain is verified.

OIDC

Use OIDC when your identity provider exposes an issuer URL, client ID, and client secret.

Kadryn displays the OIDC callback URL after registration. Copy that exact URL into the identity provider redirect URI allowlist. A single mismatch in scheme, host, path, or provider ID can break sign-in.

SAML

Use SAML when your identity provider provides an entity ID or issuer, an SSO entry point, and an X.509 certificate.

Kadryn displays:

  • SAML ACS URL.
  • SAML SP metadata URL.
  • Provider ID.

Copy the ACS URL into the identity provider Single Sign-On URL field. Use the metadata URL when your identity provider supports metadata import.

For local testing, the SAML audience is usually:

  http://localhost:3000/api/auth/sso/saml2/sp/metadata

Domain verification

Pending SSO providers cannot be used for enforcement until the domain is verified.

Kadryn’s UI follows this flow:

  Get DNS record -> Add TXT record -> Verify domain -> Require SSO

The TXT record panel shows:

  • Type: TXT
  • Name: the domain being verified
  • Value: the verification token returned by the identity provider workflow
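The check behind the Verify domain step, as an added example that is not Kadryn's own code: given the TXT records a resolver returned, decide whether the domain counts as verified. The record model, the `kadryn-verify=` token format and the sample zone data are assumptions constructed for the example; only an exact token on exactly the named domain counts, which is why a record on a parent or child name, or a token with trailing junk, leaves the domain pending.

```python
"""Added example, not Kadryn's own code: decide whether a domain counts as
verified from the TXT records a resolver returned for it. It mirrors the
Get DNS record -> Add TXT record -> Verify domain flow; the record layout
and the token format are assumptions for the example."""
from dataclasses import dataclass


@dataclass(frozen=True)
class TxtRecord:
    name: str                  # owner name exactly as the resolver returned it
    strings: tuple             # TXT RDATA may be split into several character-strings


def normalize_name(name: str) -> str:
    """DNS names are case-insensitive and resolvers often append a trailing dot."""
    return name.rstrip(".").lower()


def verify_domain(domain: str, expected_token: str, records: list) -> str:
    """Return 'verified' when a TXT record on exactly `domain` carries the token,
    otherwise 'pending'. The comparison is exact, so a record on a parent or
    child domain, or one whose value merely contains the token, does not count."""
    want = normalize_name(domain)
    for rec in records:
        if normalize_name(rec.name) != want:
            continue
        # Concatenate the character-strings to rebuild the logical TXT value.
        if "".join(rec.strings) == expected_token:
            return "verified"
    return "pending"


# Constructed sample zone data (not real records): the expected token sits on
# sso.example.com; example.com carries an SPF record and a stale token variant.
EXPECTED_TOKEN = "kadryn-verify=TOKEN_PLACEHOLDER"  # assumed format, placeholder value
SAMPLE_RECORDS = [
    TxtRecord("example.com.", ("v=spf1 -all",)),
    TxtRecord("SSO.example.com.", ("kadryn-verify=TOKEN_PLACEHOLDER",)),
    TxtRecord("example.com.", ("kadryn-verify=TOKEN_PLACEHOLDER", "-stale")),
]

if __name__ == "__main__":
    for d in ("sso.example.com", "example.com", "app.example.com"):
        print(d, verify_domain(d, EXPECTED_TOKEN, SAMPLE_RECORDS))
```

When the real panel says "pending", this is the comparison to reproduce by hand: query the TXT records of the exact name shown in the panel, not its parent, and compare the joined value character for character.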

Enforcement safety

Do not enable Require SSO until:

  • At least one SSO provider is verified.
  • The current admin has confirmed they can sign in through that provider.
  • Break-glass or recovery access is documented internally.

Kadryn also checks enforcement safety server-side so an admin cannot accidentally lock the workspace out through the UI alone.
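What such a server-side guard looks like, as an added example rather than Kadryn's actual implementation: the three pre-conditions above are evaluated on the server and Require SSO is refused while any of them fails. The data model names (`SsoProvider`, `AdminSession`, `Workspace`), the `recovery_documented` acknowledgement flag and the sample workspace are assumptions constructed for the example.

```python
"""Added example, not Kadryn's own code: a server-side guard that evaluates the
three Require SSO pre-conditions before enforcement can be switched on. Model
names and the recovery acknowledgement flag are assumptions for the example."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class SsoProvider:
    provider_id: str
    kind: str              # "oidc" or "saml"
    domain: str
    domain_verified: bool  # True only after the TXT record check succeeded


@dataclass
class AdminSession:
    user_id: str
    signed_in_via: Optional[str]  # provider_id used for this session; None = password login


@dataclass
class Workspace:
    providers: List[SsoProvider] = field(default_factory=list)
    require_sso: bool = False


def enforcement_blockers(ws: Workspace, session: AdminSession,
                         recovery_documented: bool) -> List[str]:
    """Return every reason Require SSO must stay off; an empty list means safe."""
    reasons = []
    verified_ids = {p.provider_id for p in ws.providers if p.domain_verified}
    if not verified_ids:
        reasons.append("no SSO provider has a verified domain")
    if session.signed_in_via not in verified_ids:
        # Covers password sessions (None) and sessions through an unverified provider.
        reasons.append("current admin has not signed in through a verified provider")
    if not recovery_documented:
        reasons.append("break-glass / recovery access has not been acknowledged")
    return reasons


def set_require_sso(ws: Workspace, session: AdminSession,
                    recovery_documented: bool) -> bool:
    """Enable enforcement only when no blocker remains, so a UI bug or a hasty
    click cannot lock the workspace out."""
    blockers = enforcement_blockers(ws, session, recovery_documented)
    if blockers:
        raise PermissionError("Require SSO refused: " + "; ".join(blockers))
    ws.require_sso = True
    return ws.require_sso


# Constructed sample workspace (not real data): one verified OIDC provider and
# one SAML provider whose domain is still pending.
SAMPLE_WS = Workspace(providers=[
    SsoProvider("oidc-1", "oidc", "example.com", domain_verified=True),
    SsoProvider("saml-1", "saml", "corp.example.com", domain_verified=False),
])
PASSWORD_ADMIN = AdminSession("admin-1", signed_in_via=None)
SSO_ADMIN = AdminSession("admin-1", signed_in_via="oidc-1")
PENDING_ADMIN = AdminSession("admin-2", signed_in_via="saml-1")

if __name__ == "__main__":
    for s in (PASSWORD_ADMIN, PENDING_ADMIN, SSO_ADMIN):
        print(s.signed_in_via, enforcement_blockers(SAMPLE_WS, s, recovery_documented=True))
```

The point of returning all blockers rather than the first one is that the UI can show the admin everything still missing; the point of raising on the server rather than disabling a button is that the check holds even when the request bypasses the UI.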

Troubleshooting

  • Redirect mismatch: copy the exact callback or ACS URL from Kadryn.
  • Domain still pending: wait for DNS propagation and confirm the TXT record is on the correct domain.
  • SAML response rejected: check ACS URL, audience, certificate, signed assertions, and clock skew.
  • IdP-initiated SAML does not work: start the flow from Kadryn unless your deployment explicitly allows IdP-initiated SAML.
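The checks behind the last two troubleshooting items, as an added example that is not Kadryn's own code: once the SAML library has parsed the response and verified the XML signature, the service provider still has to compare the ACS URL, the audience, the validity window (with clock-skew tolerance) and the `InResponseTo` value against its own configuration and the requests it actually issued, and reject unsolicited responses unless IdP-initiated SAML is explicitly allowed. The field and type names, the local ACS path and the sample exchange are assumptions constructed for the example; the audience is the local metadata URL shown earlier on this page.

```python
"""Added example, not Kadryn's own code: post-signature checks on an already
parsed SAML response (ACS URL, audience, signed assertion, clock skew, and
unsolicited IdP-initiated responses). XML parsing and signature verification
are the SAML library's job and are not shown; names are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Set


@dataclass(frozen=True)
class ParsedSamlResponse:
    destination: str                 # Response@Destination
    audience: str                    # Conditions/AudienceRestriction/Audience
    not_before: datetime             # Conditions@NotBefore
    not_on_or_after: datetime        # Conditions@NotOnOrAfter
    assertion_signed: bool           # set by the library after signature verification
    in_response_to: Optional[str]    # Response@InResponseTo; None when unsolicited


@dataclass(frozen=True)
class SpConfig:
    acs_url: str
    audience: str
    allow_idp_initiated: bool = False
    clock_skew: timedelta = timedelta(minutes=3)  # tolerance for IdP/SP clock drift


def saml_response_problems(resp: ParsedSamlResponse, cfg: SpConfig,
                           now: datetime, outstanding_request_ids: Set[str]) -> List[str]:
    """Return every reason to reject the response; an empty list means accept."""
    problems = []
    if resp.destination != cfg.acs_url:
        problems.append(f"ACS URL mismatch: {resp.destination!r} != {cfg.acs_url!r}")
    if resp.audience != cfg.audience:
        problems.append(f"audience mismatch: {resp.audience!r} != {cfg.audience!r}")
    if not resp.assertion_signed:
        problems.append("assertion is not signed")
    # Validity window widened by the skew on both sides:
    # accept when not_before - skew <= now < not_on_or_after + skew.
    if now < resp.not_before - cfg.clock_skew:
        problems.append("assertion not yet valid (check clock skew)")
    if now >= resp.not_on_or_after + cfg.clock_skew:
        problems.append("assertion expired (check clock skew)")
    if resp.in_response_to is None:
        if not cfg.allow_idp_initiated:
            problems.append("unsolicited response: IdP-initiated SAML is not allowed")
    elif resp.in_response_to not in outstanding_request_ids:
        problems.append("InResponseTo does not match a request this SP issued")
    return problems


# Constructed sample data (not a real exchange). The ACS path is assumed;
# the audience is the local metadata URL from this page.
LOCAL_SP = SpConfig(
    acs_url="http://localhost:3000/api/auth/sso/saml2/acs",
    audience="http://localhost:3000/api/auth/sso/saml2/sp/metadata",
)
NOW = datetime(2026, 6, 27, 12, 0, tzinfo=timezone.utc)
GOOD = ParsedSamlResponse(
    destination=LOCAL_SP.acs_url, audience=LOCAL_SP.audience,
    not_before=NOW - timedelta(minutes=1), not_on_or_after=NOW + timedelta(minutes=5),
    assertion_signed=True, in_response_to="_req-1",
)
# NotBefore two minutes in the future: inside the three-minute skew, so accepted.
SKEWED = ParsedSamlResponse(
    destination=LOCAL_SP.acs_url, audience=LOCAL_SP.audience,
    not_before=NOW + timedelta(minutes=2), not_on_or_after=NOW + timedelta(minutes=7),
    assertion_signed=True, in_response_to="_req-1",
)
# NotOnOrAfter five minutes in the past: beyond the skew, so expired.
STALE = ParsedSamlResponse(
    destination=LOCAL_SP.acs_url, audience=LOCAL_SP.audience,
    not_before=NOW - timedelta(minutes=10), not_on_or_after=NOW - timedelta(minutes=5),
    assertion_signed=True, in_response_to="_req-1",
)
# No InResponseTo: an IdP-initiated response.
UNSOLICITED = ParsedSamlResponse(
    destination=LOCAL_SP.acs_url, audience=LOCAL_SP.audience,
    not_before=NOW - timedelta(minutes=1), not_on_or_after=NOW + timedelta(minutes=5),
    assertion_signed=True, in_response_to=None,
)

if __name__ == "__main__":
    for name, r in (("good", GOOD), ("skewed", SKEWED), ("stale", STALE), ("unsolicited", UNSOLICITED)):
        print(name, saml_response_problems(r, LOCAL_SP, NOW, {"_req-1"}))
```

Returning every failed check at once is what makes the "SAML response rejected" item above actionable: an ACS mismatch and an expired assertion show up together instead of one hiding the other.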