Skip to main content

Single sign-on

This topic describes how to configure single sign-on (SSO) for your organization in QoderWork CN and Qoder CN CLI Enterprise Standard Edition. Both SAML 2.0 and OIDC are supported.

Overview

Single sign-on (SSO) lets your organization's members authenticate with your corporate identity provider (IdP) without needing separate Qoder credentials. Qoder supports two mainstream SSO protocols:
  • SAML 2.0: A mature, XML-based enterprise authentication standard, widely used by IdPs such as Okta, Microsoft Entra ID (formerly Azure AD), OneLogin, and Alibaba Cloud IDaaS.
  • OIDC (OpenID Connect): A modern identity protocol built on OAuth 2.0 with one-click endpoint auto-discovery via a Discovery URL. Typical providers include Okta, Azure AD, Google Workspace, Auth0, Authing, and Alibaba Cloud RAM.

Benefits of SSO

  • Enhanced security: Centralize authentication through your corporate identity provider.
  • Improved user experience: Access all enterprise applications with a single set of credentials.
  • Simplified user management: Users from verified domains are automatically provisioned and added to your organization on first sign-in.

How to choose a protocol

ProtocolUse case
SAMLYour IdP only supports SAML; you need IdP-initiated SSO; or you have an existing SAML-based enterprise authentication system.
OIDCYour IdP supports OIDC or OAuth 2.0; you want auto-discovery via a Discovery URL; or you prefer a lightweight JSON-based integration.
Only one SSO protocol can be enabled per organization at a time. To switch protocols, disable the current one before creating a new configuration.

Prerequisites

Before configuring SSO, make sure you have the following:
  • Administrator permissions: You are an administrator of the organization.
  • Identity provider permissions: You can create and configure applications in your organization's IdP.
  • DNS access: You can add a TXT record to your organization's email domain for verification.

Configuration process

Regardless of whether you choose SAML or OIDC, the SSO configuration process includes the following steps:
img

Step 1: Verify your email domain

Before configuring SSO, verify ownership of your company's email domain so that only users from a verified company domain can sign in through your organization's SSO. For instructions, see Domain verification.

Step 2: Create an SSO configuration

  1. As an administrator, go to Organization Settings > Security & Identity.
  2. Select SAML Settings or OIDC Settings depending on your IdP.
  • SAML
  • OIDC
Create a SAML configuration for your organization. Qoder automatically generates the SP certificate and private key. After initialization, Qoder generates the following information for later use when configuring your IdP:
  • SP Entity ID
  • SP Metadata URL
  • SP ACS (Assertion Consumer Service) URL
  • SP Certificate and Private Key
Example SP information:

Step 3: Configure the identity provider (IdP)

  • SAML
  • OIDC
You can configure your SAML IdP in two ways:

Method A: Automatic configuration (recommended)

Use this method if your IdP provides a metadata URL:
  1. On the SAML Settings page, find the IDP Metadata Configuration (Identity Provider Metadata Configuration) section.
  2. Select the Metadata URL (Import from URL) configuration mode.
  3. Enter your IdP metadata URL (for example, https://your-idp.example.com/app/metadata).
  4. Click Save.
The system automatically retrieves and parses:
  • IDP Entity ID
  • SSO URL
  • Signing certificate

Method B: Manual configuration

Use this method if your IdP does not provide a metadata URL:
  1. On the SAML Settings page, select Manual Configuration mode.
  2. Fill in the following fields:
  • IDP Entity ID: The entity identifier of your identity provider.
  • IDP SSO URL: The SSO sign-in endpoint URL.
  • IDP Public Certificate: The PEM-formatted signing certificate (optional, but recommended).
  1. Click Save.

Step 4: Configure attribute mapping

  • SAML
  • OIDC
You can configure your SAML IdP in two ways:

Method A: Automatic configuration (recommended)

Use this method if your IdP provides a metadata URL:
  1. On the SAML Settings page, find the IDP Metadata Configuration (Identity Provider Metadata Configuration) section.
  2. Select the Metadata URL (Import from URL) configuration mode.
  3. Enter your IdP metadata URL (for example, https://your-idp.example.com/app/metadata).
  4. Click Save.
The system automatically retrieves and parses:
  • IDP Entity ID
  • SSO URL
  • Signing certificate

Method B: Manual configuration

Use this method if your IdP does not provide a metadata URL:
  1. On the SAML Settings page, select Manual Configuration mode.
  2. Fill in the following fields:
  • IDP Entity ID: The entity identifier of your identity provider.
  • IDP SSO URL: The SSO sign-in endpoint URL.
  • IDP Public Certificate: The PEM-formatted signing certificate (optional, but recommended).
  1. Click Save.

Step 5: Test the configuration

Test the SSO configuration before enabling it to make sure everything is set up correctly:
  1. On the SSO Configuration page, click Test SSO.
  2. The system runs a series of validation checks (certificates and signatures, metadata endpoints, discovery document, attribute mapping, and so on).
  3. Review the test results.

Step 6: Enable SSO

After all tests pass, you can enable SSO:
  1. On the SSO Configuration page, make sure all validation checks have passed.
  2. Turn on the Enable SSO toggle.
  3. Confirm the details in the dialog and activate.
After activation:
  • The SSO status changes to Active.
  • Members can now sign in using SAML or OIDC SSO.
  • Users with an email address in a verified domain are automatically redirected to your organization's SSO sign-in after entering their email on the login page.
After enabling SSO, we recommend that the current administrator stay signed in and have another user with a matching domain email test the SSO sign-in. This ensures that if the SSO configuration has issues, the administrator can still adjust it.