How to Set Up Single Sign-On (SSO) in Atobi

Single Sign-On (SSO) lets your team log in to Atobi using your organization’s existing Identity Provider (IdP), such as Microsoft Entra ID (Azure AD), Okta, or Google Workspace. This removes the need for separate Atobi passwords and improves security.

Atobi supports two protocols:

  • SAML 2.0 – widely used in enterprise IdPs like Azure AD or Okta
  • OpenID Connect (OIDC) – a modern, OAuth 2.0–based protocol

Setup is a two-step process:

  1. Configure your Identity Provider (IdP) to generate the necessary SSO values.
  2. Configure Atobi to use those values.

In This Article:

  1. Setting Up SAML SSO
  2. Setting up OpenID Connect (OIDC)
  3. Attributes & Automatic User Creation

Setting Up SAML SSO

Step 1: Configure SAML in your Identity Provider

(The example below uses Microsoft Entra ID / Azure AD.)

  1. Log in to Azure Portal.
  2. Navigate to Microsoft Entra ID → Enterprise Applications.
  3. Click + New Application.
  4. Choose Create your own application and enter a name (e.g., “Atobi SSO”).
  5. Open the application, then go to Single Sign-On → SAML.
  6. Fill in the following fields:
    • Identifier (Entity ID): https://identity.atobi.io
    • Reply URL (ACS): https://identity.atobi.io/Saml2/Acs (case sensitive)
    • Unique User Identifier: user.mail (or the email claim your organization uses)
  7. Download the Base64 SAML Signing Certificate.

Step 2: Configure SAML in Atobi

  1. In Atobi Web App, go to Platform Settings → Single Sign-On → "+Add" and select Saml2.

Note: Only users with Owner rights have access to Platform Settings.

  2. Complete the setup form:
    • Is enabled → Switch on to activate this SSO provider.
    • Icon → Upload the IdP’s logo (e.g., Google, Microsoft) so users can recognize the login option.
    • Name → A label for this provider (e.g., “Microsoft Entra ID,” “Okta,” or “Google SSO”).
    • Identity provider entityId → Identifier from your IdP.
    • Identity provider login endpoint → Login URL / SSO endpoint from your IdP.
    • Identity provider X509 certificate → Paste the downloaded certificate.
    • Automatically create users if not exist → Toggle ON if you want Atobi to create accounts for new users automatically.
    • Attributes → Map user attributes as needed (see Attributes & Automatic User Creation below).
  3. Save and test login to verify everything works.
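The three IdP values the Atobi form asks for (entityId, login endpoint, X509 certificate) are all published in the federation metadata XML your IdP lets you download. The script below is an added example, not Atobi's own code: it pulls those values out of a constructed stand-in for that metadata, rejects SP metadata pasted by mistake, and ignores encryption-only keys; the entity ID, tenant, endpoint URLs and certificate body are all placeholders.

```python
"""Pull the three values Atobi's Saml2 form needs out of IdP federation metadata.
Added example, not Atobi's code. SAMPLE_METADATA is a constructed stand-in for the
metadata XML an IdP such as Entra ID lets you download; every value is a placeholder."""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
 <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
    MIIC...CONSTRUCTED...PLACEHOLDER
  </ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
  <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Location="https://login.microsoftonline.com/TENANT-PLACEHOLDER/saml2"/>
  <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
    Location="https://login.microsoftonline.com/TENANT-PLACEHOLDER/saml2"/>
 </IDPSSODescriptor>
</EntityDescriptor>"""

def extract_saml_settings(metadata_xml: str) -> dict:
    """Return entityId, login endpoint and signing certificate(s) for the Atobi form."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if root.tag != "{%s}EntityDescriptor" % NS["md"] or idp is None:
        raise ValueError("not IdP metadata (SP metadata carries an SPSSODescriptor instead)")
    # Prefer the HTTP-Redirect binding for the login endpoint; otherwise take what is offered.
    sso = idp.findall("md:SingleSignOnService", NS)
    preferred = [s for s in sso if s.get("Binding") == REDIRECT] or sso
    if not preferred:
        raise ValueError("no SingleSignOnService endpoint in metadata")
    # Only signing keys validate assertions: skip KeyDescriptors with use="encryption".
    certs = ["".join(c.text.split())  # drop the line breaks inside the Base64 body
             for kd in idp.findall("md:KeyDescriptor", NS)
             if kd.get("use") in (None, "signing")
             for c in kd.findall(".//ds:X509Certificate", NS)]
    if not certs:
        raise ValueError("no signing certificate in metadata")
    # Two certificates mean a key rollover is in progress; paste the one currently active.
    return {"entityId": root.get("entityID"),
            "loginEndpoint": preferred[0].get("Location"),
            "certificates": certs}
```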

Setting up OpenID Connect (OIDC)

Step 1: Configure OIDC in your Identity Provider

  1. Log in to your Identity Provider (IdP).
  2. Register a new application:
    • Azure: App Registration → New Registration
    • Okta: Applications → Add Application
    • Google Workspace: API & Services → Credentials → Create OAuth Client ID
  3. Select login method: OpenID Connect / OAuth 2.0.
  4. Set the Redirect URI:
    • https://identity.erapp.dk/signin-oidc

This tells the IdP where to send users after login.

  5. Copy key values generated by your IdP for this application:
    • Client ID – generated for the application
    • Client Secret – generated for the application
    • Issuer / Authority URL – the OIDC endpoint (e.g., https://login.microsoftonline.com/{tenant}/v2.0)
  6. Assign users or groups to the application. Only assigned users will be able to log in to Atobi.

Step 2: Configure OIDC in Atobi

  1. In Atobi Web App, go to Platform Settings → Single Sign-On → "+Add" and select OpenID Connect.

Note: Only users with Owner rights have access to Platform Settings.

  2. Complete the setup form:
    • Is enabled → Switch on to activate this SSO provider.
    • Icon → Upload the IdP logo (e.g., Google, Microsoft) so users can recognize the login option.
    • Name → Label for this provider (e.g., “Login with Okta”).
    • Identity provider clientId → Client ID from your IdP.
    • Identity provider authority → Issuer / Discovery URL from your IdP.
    • Identity provider client secret → Client Secret from your IdP.
    • Automatically create users if not exist → Toggle ON to enable automatic account creation.
    • Attributes → Map user attributes as needed (see Attributes & Automatic User Creation below).
  3. Save and test login to verify everything works.
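Before saving the OIDC form it is worth checking the copied values against the IdP's discovery document, because a leftover {tenant} placeholder, a trailing slash on the authority, or a redirect URI registered with different case or an extra slash each break login in ways that only show up on the first sign-in. The script below is an added example, not Atobi's or the IdP's code; SAMPLE_DISCOVERY is a constructed stand-in for the real discovery document and the tenant id is a placeholder.

```python
"""Pre-flight check of the OIDC values before saving them in Atobi's form.
Added example, not Atobi's code. SAMPLE_DISCOVERY is a constructed stand-in for what
GET <authority>/.well-known/openid-configuration returns; ids and hosts are placeholders."""
import json
import re
from urllib.parse import urlsplit

ATOBI_REDIRECT_URI = "https://identity.erapp.dk/signin-oidc"  # value given in the article
TENANT = "00000000-0000-0000-0000-000000000000"                 # placeholder tenant id

SAMPLE_DISCOVERY = json.dumps({
    "issuer": f"https://login.microsoftonline.com/{TENANT}/v2.0",
    "authorization_endpoint": f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/authorize",
    "token_endpoint": f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/token",
    "jwks_uri": f"https://login.microsoftonline.com/{TENANT}/discovery/v2.0/keys",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "id_token_signing_alg_values_supported": ["RS256"],
})

def discovery_url(authority: str) -> str:
    """Where the discovery document for a given authority is fetched from."""
    return authority.rstrip("/") + "/.well-known/openid-configuration"

def check_oidc_settings(authority, client_id, client_secret, discovery_json, registered_redirects):
    """Return a list of problems; an empty list means the values are consistent."""
    problems = []
    if re.search(r"\{[^}]*\}", authority):
        problems.append("authority still contains a template placeholder such as {tenant}")
    if urlsplit(authority).scheme != "https":
        problems.append("authority must be an https URL")
    doc = json.loads(discovery_json)
    # Discovery requires the issuer to equal the authority exactly, trailing slash included.
    issuer = doc.get("issuer", "")
    if issuer != authority:
        hint = " (only the trailing slash differs)" if issuer.rstrip("/") == authority.rstrip("/") else ""
        problems.append(f"issuer {issuer!r} does not equal the authority{hint}")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if not doc.get(key):
            problems.append(f"discovery document has no {key}")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("IdP does not offer the authorization code flow")
    if not client_id or not client_secret:
        problems.append("client id and client secret are both required")
    # The IdP compares redirect URIs exactly: scheme, host, path and case all matter.
    if ATOBI_REDIRECT_URI not in registered_redirects:
        problems.append(f"redirect URI {ATOBI_REDIRECT_URI} is not registered exactly")
    return problems
```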

Attributes & Automatic User Creation

When you enable SSO in Atobi, you can map attributes from your Identity Provider (IdP) to automatically configure user accounts. This ensures new users are set up correctly and consistently when they log in for the first time.

User Lookup

  • Atobi matches users by email/username and externalUserId.
  • If no email or username is provided, the system uses the unique identifier from the SAML or OIDC response.

Location & Profession

  • Atobi checks the location and profession provided in the SAML/OIDC response. Locations are looked up by locationName and externalLocationId. Professions are looked up by professionName and professionSlug.
  • If a location or profession doesn’t exist and automatic creation is enabled, Atobi creates them using the provided locationName and professionName. Newly created locations require defaultParentLocation and locationType, and will be assigned accordingly.

Default Audience

  • Newly created locations and professions are automatically added to the defaultAudience value.

Notifications

  • Owners receive push notifications whenever new users, locations, or professions are added through SSO.
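To make the lookup and creation rules above concrete, here is an added example (not Atobi's code) that applies them to a small in-memory directory using the attribute names from this section; the directory contents, the defaultParentLocation and locationType defaults, and the login attributes are all constructed. It also shows the edge case worth knowing: a locationName that does not exactly match an existing location (a trailing space is enough) creates a new location instead of reusing the old one, and Owners are notified of every such creation.

```python
"""In-memory model of the rules under 'Attributes & Automatic User Creation'. Added example,
not Atobi's code; directory data, tenant defaults and login attributes are constructed."""
from dataclasses import dataclass, field

@dataclass
class Directory:
    users: dict = field(default_factory=dict)          # email/username/unique id -> user
    locations: list = field(default_factory=list)
    professions: list = field(default_factory=list)
    defaultAudience: list = field(default_factory=list)
    notifications: list = field(default_factory=list)  # what Owners would be pushed
    defaultParentLocation: str = "Head Office"         # constructed tenant defaults
    locationType: str = "Store"

def lookup(items, **keys):
    # First item whose field equals a non-empty key (e.g. locationName, externalLocationId).
    return next((it for k, v in keys.items() if v for it in items if it.get(k) == v), None)

def _ensure(d, items, found, record, kind, created):
    # Create a missing location/profession, add it to defaultAudience, note it for Owners.
    if found is None:
        items.append(record)
        d.defaultAudience.append(record[kind + "Name"])
        created.append(kind)
    return found or record

def provision(d: Directory, attrs: dict, unique_id: str, auto_create: bool):
    """Handle one SSO login; return (user, list of things created)."""
    # Match on email/username and externalUserId; the SAML/OIDC unique id is the key only without those.
    key = attrs.get("email") or attrs.get("username") or unique_id
    user = d.users.get(key) or lookup(d.users.values(), externalUserId=attrs.get("externalUserId"))
    if user:
        return user, []
    if not auto_create:
        raise PermissionError("unknown user and 'Automatically create users' is off")
    created = []
    loc = lookup(d.locations, locationName=attrs.get("locationName"), externalLocationId=attrs.get("externalLocationId"))
    if attrs.get("locationName"):  # a name that matches nothing becomes a NEW location
        loc = _ensure(d, d.locations, loc, {"locationName": attrs["locationName"],
                      "externalLocationId": attrs.get("externalLocationId"),
                      "parent": d.defaultParentLocation, "locationType": d.locationType},
                      "location", created)
    prof = lookup(d.professions, professionName=attrs.get("professionName"), professionSlug=attrs.get("professionSlug"))
    if attrs.get("professionName"):
        prof = _ensure(d, d.professions, prof, {"professionName": attrs["professionName"],
                       "professionSlug": attrs.get("professionSlug")}, "profession", created)
    d.users[key] = user = {"key": key, "externalUserId": attrs.get("externalUserId"),
                           "location": loc, "profession": prof}
    created.append("user")
    d.notifications.append("SSO added: " + ", ".join(created))  # Owners get a push
    return user, created
```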