Single Sign-On

Cybrium supports per-tenant Single Sign-On via OIDC (Okta, Auth0, Google Workspace, Keycloak, Entra ID) and SAML 2.0 (ADFS, PingFederate, enterprise IdPs). Once configured, users authenticate through your identity provider and Cybrium accounts are provisioned on first sign-in — no email invite needed.

Screenshot: SSO configuration page with OIDC and SAML tabs

Plan-gated

SSO is available on Pro and Enterprise plans. SAML 2.0 is Enterprise-only; Pro customers get OIDC.

Tenant admin only

Only Owners and Admins can configure SSO. A misconfigured SSO connection can lock your workspace, so Cybrium keeps password sign-in available for admin break-glass.

Before you start

Collect the following from your IdP admin console:

  • OIDC: the discovery URL (usually ends in /.well-known/openid-configuration), client ID, and client secret.
  • SAML: your IdP's metadata XML URL or file, along with the expected name-ID format.

Configure OIDC

  1. Navigate to Settings → SSO and select the OIDC tab.
  2. Paste the discovery URL — Cybrium validates it and auto-populates the token, authorisation, and JWKS endpoints.
  3. Paste the client ID and client secret you registered with your IdP.
  4. Copy the Redirect URI Cybrium displays and register it with your IdP.
  5. Map your IdP role claim to Cybrium's owner, admin, member, or viewer roles, or leave all new users as Member.
  6. Toggle Enable for this tenant and save.
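
A pre-flight check for the discovery document from step 2, added here as an example; it is not Cybrium's own validation logic. The function name check_discovery and the sample documents are constructed for illustration, and the checks are the issuer-match and required-field rules from OpenID Connect Discovery 1.0 plus an https check on the endpoints Cybrium auto-populates.

```python
from urllib.parse import urlsplit

SUFFIX = "/.well-known/openid-configuration"
# Fields OpenID Connect Discovery 1.0 marks REQUIRED, plus token_endpoint
# (required unless only the implicit flow is used).
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri",
            "response_types_supported", "subject_types_supported",
            "id_token_signing_alg_values_supported")
URL_FIELDS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def check_discovery(discovery_url, doc):
    """Return a list of problems in an already-fetched discovery document."""
    if not discovery_url.endswith(SUFFIX):
        return [f"discovery URL does not end in {SUFFIX}"]
    problems = [f"missing required field: {k}" for k in REQUIRED if k not in doc]
    # The issuer must be the URL the discovery path was appended to; a
    # trailing slash on the issuer is dropped before the path is appended.
    expected = discovery_url[:-len(SUFFIX)]
    issuer = doc.get("issuer")
    if isinstance(issuer, str) and issuer.rstrip("/") != expected:
        problems.append(f"issuer {issuer!r} does not match {expected!r}")
    for key in URL_FIELDS:
        value = doc.get(key)
        if isinstance(value, str) and urlsplit(value).scheme != "https":
            problems.append(f"{key} is not an https URL: {value}")
    return problems


# Constructed sample documents (idp.example.com is a placeholder host).
URL = "https://idp.example.com/realms/acme/.well-known/openid-configuration"
GOOD_DOC = {
    "issuer": "https://idp.example.com/realms/acme",
    "authorization_endpoint": "https://idp.example.com/realms/acme/auth",
    "token_endpoint": "https://idp.example.com/realms/acme/token",
    "jwks_uri": "https://idp.example.com/realms/acme/certs",
    "response_types_supported": ["code"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
}
# Wrong realm in the issuer, plain-http token endpoint, no jwks_uri.
BAD_DOC = {**GOOD_DOC, "issuer": "https://idp.example.com/realms/other",
           "token_endpoint": "http://idp.example.com/realms/acme/token"}
del BAD_DOC["jwks_uri"]

if __name__ == "__main__":
    for name, doc in (("good", GOOD_DOC), ("bad", BAD_DOC)):
        print(name, check_discovery(URL, doc) or "OK")
```

An issuer mismatch is the finding to resolve first: ID tokens carry the issuer value in their iss claim, so a document that advertises a different issuer than the URL you registered will not validate at sign-in.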

Configure SAML

Screenshot: SAML setup wizard showing metadata upload and attribute mapping

  1. Open the SAML tab and upload your IdP metadata XML, or paste its URL.
  2. Copy Cybrium's SP Entity ID and ACS URL and register them with your IdP.
  3. Map the attributes — email (required), first_name, last_name, and your role claim.
  4. Enable and save.

Test the connection

Use the Test SSO button at the bottom of either tab to run a live round-trip against your IdP. A green check confirms that the end-to-end flow works; any errors are shown inline with the offending claim highlighted.

After enabling, your sign-in page gains a Sign in with SSO button. Email/password sign-in remains available for admins until you explicitly disable it.