OIDC & SAML
Available
Enterprise single sign-on with OpenID Connect and SAML 2.0. Integrate with your identity provider for secure, centralized authentication.
Setup Instructions
Choose your protocol
Decide whether to use OIDC (recommended for most providers) or SAML 2.0 (for legacy enterprise systems).
Configure your Identity Provider
Add tapioca as an application in your IdP (Okta, Azure AD, Google Workspace, etc.). Use the callback URLs from tapioca settings.
OIDC Callback: https://your-domain.tapioca.app/auth/callback
SAML ACS: https://your-domain.tapioca.app/auth/saml/acs
Enter IdP details in tapioca
Go to Settings → Authentication → SSO and enter your IdP configuration (client ID, secret, or SAML metadata).
Configure role mapping
Map IdP groups or roles to tapioca roles for automatic permission assignment.
Test and enable
Test the SSO flow with a test user before enabling for your organization.
Configuration Reference
| Option | Type | Required | Description |
|---|---|---|---|
| provider_type | enum | Yes | OIDC or SAML |
| client_id | string | Yes | OAuth Client ID (OIDC only) |
| client_secret | string | Yes | OAuth Client Secret (OIDC only) |
| issuer_url | string | No | OIDC Issuer URL for auto-discovery |
| saml_metadata_url | string | No | SAML IdP metadata URL (SAML only) |
| role_attribute | string | No | Attribute containing user roles. Default: groups |
| role_mapping | object | No | Map IdP roles to tapioca roles |
| auto_create_users | boolean | No | Create users on first login. Default: true |
Troubleshooting
Verify the callback/ACS URL is correctly configured in your IdP. Check for trailing slashes.
Check your role_attribute configuration and ensure the IdP is sending group claims. Verify role_mapping is correct.
Ensure you are using the correct IdP certificate. Certificates expire and may need updating.
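A diagnostic sketch for the callback URL and role mapping checks above, added here as an example and not tapioca's own code: it compares the URL registered in the IdP with the one actually sent, and explains which groups in a decoded token map to a role. It assumes the configuration is available as a Python dict keyed by the option names in the Configuration Reference and that mapping keys are matched as exact strings; the role names and sample claims are constructed.

```python
from urllib.parse import urlsplit

# Constructed sample data: decoded token claims and an SSO config using the
# option names from the Configuration Reference. Role names are made up.
SAMPLE_CLAIMS = {"sub": "user-123", "groups": ["tapioca-admins", "Engineering"]}
SAMPLE_CONFIG = {
    "role_attribute": "groups",
    "role_mapping": {"tapioca-admins": "admin", "engineering": "viewer"},
}

def redirect_mismatch(registered, sent):
    """Return None when the URLs are byte-identical, else a short reason."""
    if registered == sent:
        return None
    if registered.rstrip("/") == sent.rstrip("/"):
        return "trailing slash differs"
    r, s = urlsplit(registered), urlsplit(sent)
    if (r.scheme, r.netloc) != (s.scheme, s.netloc):
        return "scheme or host differs"
    return "path, query or fragment differs"

def diagnose_roles(claims, config):
    """Report the roles a login would map to and why groups were skipped."""
    attr = config.get("role_attribute", "groups")  # documented default
    mapping = config.get("role_mapping", {})
    if attr not in claims:
        return {"roles": [], "problems": [f"claim '{attr}' missing from token"]}
    raw = claims[attr]
    groups = [raw] if isinstance(raw, str) else list(raw)  # single value or list
    folded = {key.strip().lower(): key for key in mapping}
    roles, problems = [], []
    for group in groups:
        if group in mapping:  # assumption: exact string match on the key
            if mapping[group] not in roles:
                roles.append(mapping[group])
        elif group.strip().lower() in folded:
            near = folded[group.strip().lower()]
            problems.append(f"'{group}' matches key '{near}' only after case/space folding")
    if not roles and not problems:
        problems.append("no group in the claim has a role_mapping entry")
    return {"roles": roles, "problems": problems}

if __name__ == "__main__":
    print(redirect_mismatch("https://your-domain.tapioca.app/auth/callback",
                            "https://your-domain.tapioca.app/auth/callback/"))
    print(diagnose_roles(SAMPLE_CLAIMS, SAMPLE_CONFIG))
```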