
Single Sign-On (SSO) & SCIM Provisioning

Fluint supports enterprise identity management through SSO and SCIM, allowing your organization to centralize authentication and automate user provisioning.

Written by Jake Veatch
Updated over a month ago

Overview

Supported protocols:

| Protocol | Purpose |
| --- | --- |
| SAML 2.0 | Federated authentication via your identity provider |
| OpenID Connect (OIDC) | OAuth 2.0-based authentication via your identity provider |
| SCIM 2.0 | Automated user provisioning and deprovisioning from your identity provider |

Supported identity providers:

  • Okta (SAML, OIDC, SCIM)

  • Microsoft Entra ID / Azure AD (SAML, OIDC, SCIM)

  • Google Workspace (SAML, OIDC)

  • OneLogin (SAML, OIDC, SCIM)

  • JumpCloud (SAML, OIDC, SCIM)

  • CyberArk (SAML, SCIM)

  • Duo, ClassLink, Keycloak, miniOrange, PingFederate, Rippling, Salesforce, Shibboleth (SAML only)

  • Any SAML 2.0 or OIDC-compliant provider via "Other Identity Provider"

Requirements: You must have the Integrations Admin role in Fluint to configure SSO and SCIM. Integrations admins retain break-glass access via email/OAuth login even when SSO is enforced organization-wide.


Setting Up SSO

Navigate to Settings > Authentication in Fluint.

Step 1: Create a connection

  1. Select your protocol: SAML or OIDC

  2. Select your identity provider from the dropdown

  3. Optionally provide a display name (defaults to "{Provider} SSO")

  4. Click Create

After creation, Fluint generates Service Provider details you'll need to configure in your IdP.

Step 2: Copy Service Provider details into your IdP

For SAML connections, Fluint provides:

  • ACS URL (Assertion Consumer Service URL) — the endpoint your IdP posts SAML assertions to

  • Audience URI / Entity ID — the expected audience value in the SAML response

For OIDC connections, Fluint provides:

  • Redirect URI — the OAuth callback URL your IdP redirects to after authentication

Use the copy button next to each value to copy it to your clipboard, then paste it into your IdP's application configuration.

Step 3: Configure IdP details in Fluint

SAML configuration

| Field | Required | Description |
| --- | --- | --- |
| IdP SSO URL | Yes | The Single Sign-On endpoint from your IdP (e.g., https://your-idp.com/sso/saml) |
| IdP Entity ID | Yes | The unique identifier / issuer URI for your IdP |
| X.509 Certificate | Yes | The PEM-format signing certificate from your IdP (must include -----BEGIN CERTIFICATE----- header) |
| Attribute Mapping | Yes | Maps your IdP's SAML attribute names to the fields Fluint expects (see below) |

Attribute Mapping (required for SAML)

Fluint uses Stytch for authentication, which requires three specific attributes in every SAML assertion. You must configure attribute statements in your IdP that send these values, then tell Fluint the attribute name your IdP uses for each:

| Fluint field | Description | What to enter |
| --- | --- | --- |
| email | User's email address | The Name of the SAML attribute statement that contains the user's email |
| first_name | User's first name | The Name of the SAML attribute statement that contains the user's first name |
| last_name | User's last name | The Name of the SAML attribute statement that contains the user's last name |

Default attribute names by IdP:

| Identity Provider | email | first_name | last_name |
| --- | --- | --- | --- |
| Okta | email | firstName | lastName |
| Microsoft Entra ID | | | |
| Google Workspace | email | firstName | lastName |
| OneLogin | User.email | User.FirstName | User.LastName |
| JumpCloud | email | firstname | lastname |

Fluint pre-fills these defaults when you select a known IdP. Verify the values match your IdP's actual attribute statement names — they are case-sensitive and must match exactly.

OIDC configuration

| Field | Required | Description |
| --- | --- | --- |
| Issuer URL | Yes | Your IdP's issuer URL (used to auto-discover OIDC endpoints via .well-known/openid-configuration) |
| Client ID | Yes | The OAuth 2.0 client identifier from your IdP |
| Client Secret | Yes (first time) | The OAuth 2.0 client secret. Required on initial setup; leave blank when updating to keep the existing secret. |

After saving, Fluint auto-discovers and displays the Authorization, Token, UserInfo, and JWKS endpoints from your issuer.
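An added example (not Fluint's code) of the check worth running on an issuer's discovery document before entering the Issuer URL: the `issuer` value must match the configured URL exactly, a trailing slash included, and the four endpoints named above should be present and served over HTTPS. The function names and the `idp.example.test` document are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# The four endpoints the page says are discovered from the issuer.
ENDPOINT_KEYS = ("authorization_endpoint", "token_endpoint",
                 "userinfo_endpoint", "jwks_uri")

# Constructed sample discovery document (placeholder host, deliberately flawed).
SAMPLE_DOC = json.loads("""{
  "issuer": "https://idp.example.test/",
  "authorization_endpoint": "https://idp.example.test/authorize",
  "token_endpoint": "https://idp.example.test/token",
  "jwks_uri": "http://idp.example.test/keys"
}""")

def discovery_url(issuer):
    """Build the discovery URL; a terminating slash is dropped before appending."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"

def check_discovery(issuer, doc):
    """Return a list of problems found in a parsed discovery document."""
    problems = []
    # OIDC Discovery requires the returned issuer to be identical to the one
    # used to build the discovery URL, so compare as exact strings.
    if doc.get("issuer") != issuer:
        problems.append(f"issuer mismatch: configured {issuer!r}, "
                        f"document says {doc.get('issuer')!r}")
    for key in ENDPOINT_KEYS:
        url = doc.get(key)
        if not url:
            problems.append(f"{key} missing")
        elif urlsplit(url).scheme != "https":
            problems.append(f"{key} is not https")
    return problems

if __name__ == "__main__":
    print(discovery_url("https://idp.example.test"))
    for problem in check_discovery("https://idp.example.test", SAMPLE_DOC):
        print("-", problem)
```
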

Step 4: Share the organization login URL

Once configured, share your organization's dedicated login URL with your team:

This URL is displayed in the SSO settings page and can be copied to your clipboard. Users who visit this URL will be directed to authenticate via your IdP.


Example: Setting Up SAML SSO with Okta

In Okta

  1. Go to Applications > Create App Integration

  2. Select SAML 2.0, click Next

  3. Name the app (e.g., "Fluint") and click Next

  4. In the SAML Settings section, enter:

    • Single sign-on URL: Paste the ACS URL from Fluint

    • Audience URI (SP Entity ID): Paste the Audience URI / Entity ID from Fluint

  5. Under Attribute Statements, add three entries:

    • Name: email — Value: user.email

    • Name: firstName — Value: user.firstName

    • Name: lastName — Value: user.lastName

  6. Click Next, then Finish

  7. Go to the Sign On tab of your new application and copy:

    • Sign on URL (this is your IdP SSO URL)

    • Issuer (this is your IdP Entity ID)

    • Download the X.509 Certificate

  8. Assign users/groups to the application under the Assignments tab

In Fluint

  1. Navigate to Settings > Authentication

  2. Create a new SAML connection, select Okta as the IdP

  3. Copy the ACS URL and Audience URI into Okta (step 4 above)

  4. Paste the values from Okta into the Fluint configuration form:

    • IdP SSO URL: The Sign on URL from Okta

    • IdP Entity ID: The Issuer from Okta

    • X.509 Certificate: Paste the full PEM certificate

  5. Verify the attribute mapping defaults are correct (email, firstName, lastName)

  6. Click Save


Connection Test & Setup Doctor

Fluint includes a built-in diagnostic tool for SAML connections called the Connection Health panel. It appears automatically once your connection has been saved.

Configuration checklist

The setup doctor runs automated checks against your configuration:

  • IdP SSO URL — is it configured?

  • IdP Entity ID — is it configured?

  • X.509 Certificate — has one been uploaded?

  • Attribute Mapping — are email, first_name, and last_name all mapped?

Each check shows a pass/fail/warning icon. Click Show details to see the exact values configured for each field.

When all checks pass, the status shows "Ready to test".

Running a connection test

  1. Click Test Connection in the Connection Health panel (enabled only when all config checks pass)

  2. A popup window opens and redirects you to your IdP's login page

  3. Authenticate with your IdP credentials

  4. The popup closes and the result is displayed inline

If the test succeeds, you'll see a success confirmation. Your SSO connection is ready.

If the test fails, Fluint parses the error and provides a targeted diagnosis:

| Error | Meaning | How to fix |
| --- | --- | --- |
| Connection Not Fully Configured | Required fields are missing | Fill in all required fields in the IdP Configuration section |
| Email Attribute Missing | IdP isn't sending the email attribute in the SAML response | Add/fix the email attribute statement in your IdP. Make sure the attribute Name matches exactly what's in your attribute mapping. |
| Invalid SAML Response | Signature verification failed or response malformed | Check that the X.509 certificate matches your IdP's current signing cert, and that ACS URL / Audience URI match |
| Audience Mismatch | The Audience URI in your IdP doesn't match Fluint's expected value | Copy the Audience URI from the Service Provider Details section and update your IdP |
| ACS URL Mismatch | The ACS URL (Reply URL) in your IdP doesn't match | Copy the ACS URL from the Service Provider Details section and update your IdP |
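The case-sensitive attribute mapping and the mismatch errors in the table above can be checked offline against a decoded SAML response captured from your own test login. This is an added example, not Fluint's or Stytch's code: `diagnose`, the sample response and the `sp.example.test` URLs are constructed, and how Fluint itself derives its errors is not documented on this page, so the checks use the standard Destination, Audience and Attribute Name fields.

```python
import xml.etree.ElementTree as ET

NS = {"a": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: a decoded, unsigned SAML response (all values are placeholders).
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  Destination="https://sp.example.test/acs">
 <saml:Assertion>
  <saml:Conditions><saml:AudienceRestriction>
   <saml:Audience>https://sp.example.test/audience</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
   <saml:Attribute Name="email"><saml:AttributeValue>ada@example.test</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="firstname"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="lastName"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""

def diagnose(xml_text, acs_url, audience, mapping):
    """Compare a decoded SAML response with the SP details and attribute mapping.

    Diagnostic only: it does NOT verify the signature, so it proves nothing
    about authenticity.
    """
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("SAML messages must not carry a DTD; refusing to parse")
    root = ET.fromstring(xml_text)
    findings = []
    if root.get("Destination") != acs_url:
        findings.append("ACS URL Mismatch")
    audiences = {(e.text or "").strip() for e in root.iterfind(".//a:Audience", NS)}
    if audience not in audiences:
        findings.append("Audience Mismatch")
    sent = {e.get("Name") for e in root.iterfind(".//a:Attribute", NS)}
    for field, name in mapping.items():
        if name not in sent:  # exact, case-sensitive comparison
            near = sorted(s for s in sent if s and s.lower() == name.lower())
            hint = f" (IdP sends {near[0]!r})" if near else ""
            findings.append(f"{field}: attribute {name!r} missing{hint}")
    return findings
```

With the Okta defaults as the mapping, the sample reports that `firstName` is missing while the IdP sends `firstname`, the kind of case mismatch the mapping section warns about.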


SCIM Provisioning

SCIM allows your identity provider to automatically create and deactivate user accounts in Fluint.

Setting up SCIM

  1. Navigate to Settings > User Provisioning in Fluint

  2. Select your identity provider (Okta, Microsoft Entra ID, JumpCloud, OneLogin, CyberArk, or Generic)

  3. Optionally name the connection

  4. Click Enable SCIM

Fluint generates two values you'll need:

  • SCIM Base URL — the endpoint your IdP will send provisioning requests to

  • Bearer Token — the authentication token for your IdP to use

Important: The bearer token is only displayed once at creation time. Copy it immediately and store it securely. If you lose it, you'll need to rotate the token (see below).

Configuring your IdP

Enter the SCIM Base URL and Bearer Token into your identity provider's SCIM/provisioning configuration. Refer to your IdP's documentation for the exact steps.

Token rotation

For security, you should periodically rotate your SCIM bearer token. Fluint supports zero-downtime rotation:

  1. Click Rotate Token on the SCIM Connection card

  2. A new token is generated — both the old and new tokens are valid at this point

  3. Copy the new token and update it in your identity provider

  4. Verify provisioning still works with the new token

  5. Click Complete Rotation to invalidate the old token

If something goes wrong, click Cancel Rotation to discard the new token and keep the old one active.

Disabling SCIM

Click Disable SCIM on the SCIM Connection card. This revokes the bearer token and stops your IdP from provisioning or deprovisioning users. Existing users are not affected.
