SSO Configuration
Configure OIDC or SAML per tenant for automatic redirect to your IdP.
Argy supports OIDC and SAML 2.0 SSO per tenant. Each tenant can connect its own Identity Provider (IdP). The user enters their email — Argy automatically resolves the IdP and redirects them seamlessly.
Prerequisites
- `PLATFORM_ADMIN` or `ARGY_ADMIN` role on your tenant
- An OIDC or SAML IdP configured with the callback parameters below
- An Argy access token (PAT or admin session)
OIDC Configuration
1. Register the callback in your IdP
Before configuring Argy, register an application in your IdP with these values:
| IdP Parameter | Value |
|---|---|
| Redirect URI | https://iam.argy.cloud/v1/auth/callback/oidc |
| Flow type | Authorization Code + PKCE |
| Required scopes | openid email profile |
For on-prem deployments, replace `iam.argy.cloud` with your IAM instance URL.
2. Create the OIDC configuration
```http
POST /v1/oidc/config
x-tenant-id: <your-tenant-id>
Authorization: Bearer <admin-token>
Content-Type: application/json

{
  "issuer": "https://login.microsoftonline.com/<directory-id>/v2.0",
  "clientId": "<application-client-id>",
  "clientSecret": "<client-secret>",
  "scopes": ["openid", "email", "profile"],
  "pkceEnabled": true,
  "enabled": true
}
```

The `clientSecret` is stored AES-256-GCM encrypted and is never returned in plaintext.
3. Optional fields
| Field | Default | Description |
|---|---|---|
| `discoveryUrl` | `{issuer}/.well-known/openid-configuration` | Discovery URL, if it is not derived from the issuer |
| `skipNonceValidation` | `false` | For non-compliant IdPs that don't echo the nonce (disables the nonce replay check; leave `false` unless your IdP requires it) |
| `scopes` | `["openid","email","profile"]` | Additional claims (e.g. `groups`) |
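Before submitting the configuration, it is worth comparing it with what the IdP actually publishes at the discovery URL, because an issuer mismatch or a missing PKCE method only surfaces later as a failed login. The following is an added example, not Argy's code or API: it applies the documented default for `discoveryUrl` and checks a config body against a discovery document. The discovery document and config values below are constructed placeholders; in a real check you would fetch the document over HTTPS from `discovery_url(config)`.

```python
# Added example (not Argy's code): sanity-check an OIDC tenant configuration against
# the IdP's discovery document before POSTing it to /v1/oidc/config.
from urllib.parse import urlparse

# Scopes Argy requires, from the callback table above.
REQUIRED_SCOPES = ("openid", "email", "profile")
WELL_KNOWN = "/.well-known/openid-configuration"


def discovery_url(config):
    """Return the discovery URL, applying the documented default {issuer}/.well-known/openid-configuration."""
    return config.get("discoveryUrl") or config["issuer"].rstrip("/") + WELL_KNOWN


def check_oidc_config(config, discovery):
    """Compare a /v1/oidc/config body with the IdP's discovery document.

    `discovery` is the parsed JSON from discovery_url(config); in a real check you fetch it
    over HTTPS. Returns a list of findings; an empty list means the config is consistent.
    """
    findings = []
    scopes = config.get("scopes", list(REQUIRED_SCOPES))

    # The issuer in the discovery document must equal the configured issuer exactly; a
    # mismatch means ID tokens will fail the 'iss' check (or you are talking to the wrong IdP).
    if discovery.get("issuer") != config["issuer"]:
        findings.append(f"issuer mismatch: discovery document says {discovery.get('issuer')!r}")

    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        url = discovery.get(key)
        if not url:
            findings.append(f"discovery document has no {key}")
        elif urlparse(url).scheme != "https":
            findings.append(f"{key} is not https: {url}")

    # Argy uses Authorization Code + PKCE, so the IdP must advertise both.
    if "code" not in discovery.get("response_types_supported", []):
        findings.append("IdP does not advertise response_type=code")
    if config.get("pkceEnabled", True) and "S256" not in discovery.get("code_challenge_methods_supported", []):
        findings.append("pkceEnabled is true but the IdP does not advertise code_challenge_method S256")

    for scope in REQUIRED_SCOPES:
        if scope not in scopes:
            findings.append(f"required scope {scope!r} missing from config scopes")
    advertised = discovery.get("scopes_supported")  # optional metadata, so only check when present
    if advertised is not None:
        for scope in scopes:
            if scope not in advertised:
                findings.append(f"scope {scope!r} is not in scopes_supported")

    if config.get("skipNonceValidation"):
        findings.append("skipNonceValidation is true: nonce replay protection is disabled")
    return findings


# Constructed discovery document in the shape an IdP publishes; all values are placeholders.
SAMPLE_DISCOVERY = {
    "issuer": "https://idp.example.test/oauth2/default",
    "authorization_endpoint": "https://idp.example.test/oauth2/default/v1/authorize",
    "token_endpoint": "https://idp.example.test/oauth2/default/v1/token",
    "jwks_uri": "https://idp.example.test/oauth2/default/v1/keys",
    "response_types_supported": ["code", "id_token"],
    "code_challenge_methods_supported": ["S256"],
    "scopes_supported": ["openid", "email", "profile", "groups"],
}

# Constructed config body in the shape of step 2 above, with placeholder credentials.
SAMPLE_CONFIG = {
    "issuer": "https://idp.example.test/oauth2/default",
    "clientId": "<application-client-id>",
    "clientSecret": "<client-secret>",
    "scopes": ["openid", "email", "profile"],
    "pkceEnabled": True,
    "enabled": True,
}

if __name__ == "__main__":
    print(discovery_url(SAMPLE_CONFIG))
    for finding in check_oidc_config(SAMPLE_CONFIG, SAMPLE_DISCOVERY) or ["config is consistent with discovery"]:
        print(finding)
```

Run it against your own discovery document before the `POST`; every finding it prints corresponds to a login that would fail or a protection that would be switched off.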
4. IdP-specific examples
Microsoft Entra ID (Azure AD)
```json
{
  "issuer": "https://login.microsoftonline.com/<TENANT_ID>/v2.0",
  "clientId": "<APP_CLIENT_ID>",
  "clientSecret": "<APP_CLIENT_SECRET>",
  "scopes": ["openid", "email", "profile"]
}
```

In the Azure portal:
- App registrations → your app → Authentication
- Add `https://iam.argy.cloud/v1/auth/callback/oidc` as a Redirect URI (type: Web)
- Tokens: enable ID tokens
Okta
```json
{
  "issuer": "https://<domain>.okta.com/oauth2/default",
  "clientId": "<CLIENT_ID>",
  "clientSecret": "<CLIENT_SECRET>"
}
```

In Okta:
- Applications → create app (OIDC, Web Application)
- Sign-in redirect URIs: `https://iam.argy.cloud/v1/auth/callback/oidc`
- Grant type: Authorization Code
Google Workspace
```json
{
  "issuer": "https://accounts.google.com",
  "clientId": "<CLIENT_ID>.apps.googleusercontent.com",
  "clientSecret": "<CLIENT_SECRET>"
}
```
SAML 2.0 Configuration
1. SP metadata to provide to your IdP
| Parameter | Value |
|---|---|
| Entity ID (SP) | https://argy.cloud/saml/metadata |
| ACS URL | https://iam.argy.cloud/v1/auth/saml/acs |
| Binding | HTTP POST |
| NameID Format | urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress |
| Signature required | Yes (assertions + response) |
SP metadata file: https://iam.argy.cloud/v1/saml/metadata
2. Create the SAML configuration
```http
POST /v1/saml/config
x-tenant-id: <your-tenant-id>
Authorization: Bearer <admin-token>
Content-Type: application/json

{
  "entityId": "https://idp.yourcompany.com",
  "ssoUrl": "https://idp.yourcompany.com/saml/login",
  "certificate": "-----BEGIN CERTIFICATE-----\nMIIC...\n-----END CERTIFICATE-----",
  "wantAssertionsSigned": true,
  "wantResponseSigned": true,
  "nameIdFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
  "attributeMapping": {
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "displayName": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
    "firstName": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
    "lastName": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
  },
  "enabled": true
}
```
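The keys of `attributeMapping` are Argy user fields and the values are the `Name` of the `<saml:Attribute>` elements the IdP sends, so a typo in a claim URI shows up as a user with no email rather than as a configuration error. The following is an added example, not Argy's code: it applies the mapping and `nameIdFormat` from the body above to a SAML Response and reports which mapped fields the assertion did not carry. The Response is a constructed, unsigned sample using the Entra ID claim names; the function names and the sample user are assumptions. Signature verification (`wantAssertionsSigned`, `wantResponseSigned`) is assumed to have already succeeded before attributes are read.

```python
# Added example (not Argy's code): apply the attributeMapping from a /v1/saml/config body
# to a SAML Response, the way an ACS endpoint has to resolve the user's email and name.
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# attributeMapping and nameIdFormat exactly as in the configuration above.
ATTRIBUTE_MAPPING = {
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "displayName": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
    "firstName": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
    "lastName": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
}
NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"


def map_saml_attributes(response_xml, mapping=ATTRIBUTE_MAPPING, nameid_format=NAMEID_FORMAT):
    """Return (user_fields, missing_fields) for the first Assertion in a SAML Response.

    Signature verification (wantAssertionsSigned / wantResponseSigned) is assumed to have
    happened before this point; never read attributes from an unverified assertion.
    For production use, parse untrusted XML with defusedxml rather than plain xml.etree.
    """
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("Response carries no Assertion")

    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("Assertion has no NameID")
    if name_id.get("Format") != nameid_format:
        raise ValueError(f"NameID Format {name_id.get('Format')!r} does not match configured {nameid_format!r}")

    # Collect every Attribute by its Name; the Name is what the mapping values refer to.
    attributes = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attributes[attr.get("Name")] = [v for v in values if v]

    user = {"nameId": name_id.text.strip()}
    missing = []
    for field, claim_name in mapping.items():
        values = attributes.get(claim_name)
        if values:
            user[field] = values[0]
        else:
            missing.append(field)

    # With the emailAddress NameID format, the subject and the mapped email should agree.
    if "email" in user and user["email"].lower() != user["nameId"].lower():
        raise ValueError("NameID and mapped email attribute disagree")
    return user, missing


# Constructed, unsigned sample Response using the Entra ID claim names mapped above.
# The 'name' claim is deliberately absent so the missing-field report has something to show.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    Destination="https://iam.argy.cloud/v1/auth/saml/acs">
  <saml:Issuer>https://idp.yourcompany.com</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.yourcompany.com</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@yourcompany.com</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>alice@yourcompany.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
        <saml:AttributeValue>Alice</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
        <saml:AttributeValue>Martin</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""

if __name__ == "__main__":
    user, missing = map_saml_attributes(SAMPLE_RESPONSE)
    print("user:", user)
    print("fields the IdP did not send:", missing)
```

Paste a real assertion captured from a browser SAML tracer into `SAMPLE_RESPONSE` (after the IdP is live) to confirm that the claim URIs your IdP emits match the ones in `attributeMapping`; a non-empty `missing` list points at the attribute statements still to be configured on the IdP side.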
3. IdP-specific examples
Microsoft Entra ID (SAML)
In Azure portal → Enterprise applications → create app:
- Single sign-on → SAML
- Identifier (Entity ID): `https://argy.cloud/saml/metadata`
- Reply URL (ACS): `https://iam.argy.cloud/v1/auth/saml/acs`
- Download the certificate (Base64) from "SAML Signing Certificate"
Okta (SAML)
In Okta → Applications → create (SAML 2.0):
- Single sign on URL: `https://iam.argy.cloud/v1/auth/saml/acs`
- Audience URI: `https://argy.cloud/saml/metadata`
- Attribute Statements: map `email`, `firstName`, `lastName`
Login flow
Once configured, the flow is entirely automatic for your users:
- User opens `https://app.argy.cloud` and enters their email
- Argy detects the tenant and SSO config → redirects to your IdP
- User authenticates on your IdP
- Returns to Argy with an active session — JIT provisioning on first login
No manual action required from end users.
Management & rotation
Update configuration
```http
PUT /v1/oidc/config
x-tenant-id: <tenant-id>
Authorization: Bearer <admin-token>

{ "clientSecret": "<new-secret>" }
```
Temporarily disable
```http
PUT /v1/oidc/config

{ "enabled": false }
```
When SSO is disabled, magic links become available again.
Delete
```http
DELETE /v1/oidc/config
```
Verification
After configuration, test the flow from a private browser window:
- Open `https://app.argy.cloud/login`
- Enter an email address from your domain
- You should be redirected to your IdP without having to select a provider manually
- After IdP authentication, you should land directly in Argy
If errors occur, check audit logs in the Argy portal (Governance → Audit) — every SSO login attempt is logged with a detailed error code.