👤 How to Set Up Single Sign-On (SSO) in Atobi

Single Sign-On (SSO) lets your team log in to Atobi using your organization’s existing Identity Provider (IdP), such as Microsoft Entra ID (Azure AD), Okta, or Google Workspace. This removes the need for separate Atobi passwords and improves security.

Atobi supports two protocols:

SAML 2.0 – widely used in enterprise IdPs like Azure AD or Okta
OpenID Connect (OIDC) – a modern, OAuth 2.0–based protocol

Setup is a two-step process:

Configure your Identity Provider (IdP) to generate the necessary SSO values.
Configure Atobi to use those values.

Setting Up SAML SSO

Step 1: Configure SAML in your Identity Provider

Log in to Azure Portal.
Navigate to Microsoft Entra ID → Enterprise Applications.
Click + New Application.
Choose Create your own application and enter a name (e.g., “Atobi SSO”).
Open the application, then go to Single Sign-On → SAML.
Fill in the following fields (replace <your-subdomain> with your actual Atobi subdomain):
- Identifier (Entity ID): https://<your-subdomain>.atobi.io/
- Reply URL (ACS): https://<your-subdomain>.atobi.io/saml/acs
- Unique User Identifier: user.mail (or the email claim your org uses)
Download the Base64 SAML Signing Certificate.
Optional: Automatic Provisioning

Only supported via a custom app, not the gallery app.
Configure Provisioning → Automatic using the SCIM URL and Bearer token from Atobi.
Changes in Azure propagate to Atobi automatically.

Optional: Automatic Provisioning

Only supported via a custom app, not the gallery app.
Configure Provisioning → Automatic using the SCIM URL and Bearer token from Atobi.
Changes in Azure propagate to Atobi automatically.

Step 2: Configure SAML in Atobi

In Atobi Web App, go to Platform Settings → Single Sign-On → "+Add" and select Saml2.

Note: Only users with Owner rights have access to Platform Settings.

You’ll see the setup form:

Is enabled → Switch on to activate this SSO provider.
Icon → Upload the IdP’s logo (e.g. Google, Microsoft) so users can quickly recognize the login option.
Name → A label for this provider (e.g. Microsoft Entra ID, Okta, Google SSO)..
Identity provider entityId → Identifier from your IdP.
Identity provider login endpoint → Login URL / SSO endpoint from your IdP.
Identity provider X509 certificate → Paste the downloaded certificate.
Automatically create users if not exist → Toggle if you want Atobi to auto-create accounts for new users.
Attributes →

Save and test login.

Setting up OpenID Connect (OIDC)

Log in to your Identity Provider (IdP).
Register a new application:

Azure: App Registration → New Registration
Okta: Applications → Add Application
Google Workspace: API & Services → Credentials → Create OAuth Client ID

Select login method: OpenID Connect / OAuth 2.0.
Set the Redirect URI:

Use: https://<your-subdomain>.atobi.io/oidc/callback (replace <your-subdomain> with your actual Atobi subdomain)
This tells the IdP where to send users after login.

Copy key values from your IdP:

Client ID – generated by your IdP for this application
Client Secret – generated by your IdP
Issuer / Authority URL – the OIDC endpoint for your IdP (e.g., https://login.microsoftonline.com/{tenant}/v2.0 )

Assign users or groups to the application in your IdP. Only assigned users will be able to log in to Atobi.

Step 2: Configure OIDC in Atobi

In Atobi Web App, go to Platform Settings → Single Sign-On → "+Add" and select OpenID Connect.