Enterprise SSO
Enterprise single sign-on (SSO) lets users authenticate through their organization’s identity provider (IdP) — such as Okta or Microsoft Entra — instead of managing a separate password. This guide walks you through enabling SSO for an organization, configuring the IdP connection, setting up domain-based routing, and testing the integration.
Before you begin, complete the Quick Start guide to set up your basic authentication flow.
Supported providers and protocols
Seal supports SSO connections using SAML 2.0 or OpenID Connect (OIDC) with the following identity providers:
| Provider | Protocols |
|---|---|
| Okta | SAML, OIDC |
| Microsoft Entra | SAML, OIDC |
| Generic | SAML, OIDC (any standards-compliant IdP) |
Step 1: Create an SSO connection
Each organization in Seal can have one SSO connection. Create it in the Seal portal:
1. Navigate to Organizations and select the organization.
2. Open the Single Sign On tab.
3. Select the identity provider (Okta, Microsoft Entra, or Generic).
4. Select the protocol (SAML or OIDC).
5. Click Create. The connection is created in Draft status.
A draft connection is not active. You need to configure the IdP details and enable the connection before users can authenticate through it.
Step 2: Configure the identity provider
After creating the connection, configure it by exchanging metadata between Seal (the service provider) and the IdP.
SAML configuration
The SSO connection detail page displays the service provider (SP) values your IT admin needs to configure in their IdP:
- SSO URL (Assertion Consumer Service URL) — where the IdP sends the SAML response
- Audience URI / SP Entity ID — identifies Seal to the IdP
- SP Metadata URL — a downloadable XML file containing both values above
Provide these values to the organization’s IT admin. They enter them into their IdP configuration.
Next, configure the IdP details in Seal using one of two methods:
- Metadata URL (recommended): Paste the IdP’s metadata URL. Seal imports the issuer, SSO URL, and signing certificate automatically.
- Manual configuration: Enter the IdP issuer, SSO URL, and upload the signing certificate manually.
Attribute mapping
Seal maps attributes from the IdP’s assertion to internal user fields. The Configure Attributes section displays the current mapping. Edit the mapping to match the attribute names your IdP sends.
Step 3: Test the connection
Before enabling the connection for users, verify it works:
1. On the SSO connection detail page, find the Test Connection section.
2. Click the test button. A new window opens and redirects to the IdP’s sign-in page.
3. Authenticate with a valid account on the IdP.
4. After successful authentication, Seal displays the test results page showing the mapped attributes returned by the IdP.
Review the attribute values to confirm the mapping is correct. If attributes are missing or incorrect, update the attribute mapping or the IdP configuration and test again.
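The attribute mapping and the test-results check, as an added example in Python (not Seal's own code): it reads the AttributeStatement of a constructed sample SAML assertion, applies a hypothetical field-to-attribute mapping, and reports which internal fields the IdP did not send, which is exactly what you look for on the test results page. The attribute names, the sample assertion and the `map_attributes` helper are assumptions.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 assertion namespace.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Hypothetical mapping of internal user fields to the attribute names the IdP
# sends. Attribute names differ per IdP; these are constructed sample values.
ATTRIBUTE_MAP = {
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "first_name": "firstName",
    "last_name": "lastName",
}

def assertion_attributes(assertion_xml: str) -> dict:
    """Return {attribute name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return attrs

def map_attributes(assertion_xml: str, mapping: dict = ATTRIBUTE_MAP) -> tuple:
    """Apply the mapping; return (mapped user fields, fields the IdP did not send).
    Run this only after the assertion's signature has been verified (not shown)."""
    attrs = assertion_attributes(assertion_xml)
    mapped, missing = {}, []
    for user_field, idp_name in mapping.items():
        values = attrs.get(idp_name, [])
        if values and values[0].strip():
            mapped[user_field] = values[0].strip()
        else:
            missing.append(user_field)
    return mapped, missing

# Constructed sample assertion (signature omitted). The IdP sends "surname",
# not "lastName", so the mapping above leaves last_name empty.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c0ffee" Version="2.0">
  <saml:Issuer>https://idp.megacorp.example</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>joe@megacorp.org</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Joe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="surname"><saml:AttributeValue>Smith</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
```

Passing `dict(ATTRIBUTE_MAP, last_name="surname")` as the mapping is the fix the test results page would point you to here.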
Step 4: Enable the connection
Once testing succeeds, change the connection status from Draft to Published to activate it. Users in the organization can now authenticate through the IdP.
Set up domain-based routing
Domain-based routing automatically directs users to the correct SSO provider based on their email address. When a user signs in with an email like joe@megacorp.org, Seal checks whether megacorp.org is a verified domain for an organization with an active SSO connection. If it matches, the user is redirected to that organization’s IdP.
To configure domain routing:
1. Navigate to Organizations, select the organization, and open the Domains tab.
2. Add the organization’s email domain (for example, megacorp.org).
3. Verify the domain. Once verified, users with matching email addresses are routed to this organization’s SSO connection at sign-in.
Enforce SSO policies
Organization policies control whether SSO is required or optional. Configure policies in the organization’s Overview tab under Policy Settings:
- Require SSO for domain members: Users whose email matches a verified domain must authenticate through SSO. Password and other authentication methods are disabled for these users.
- Require MFA for non-SSO users: Users who do not use SSO (for example, guest users without a matching domain) must set up multi-factor authentication.
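The domain routing rule and the two policies above, as an added example in Python (not Seal's code): `route_sign_in` normalizes the address, matches its domain against each organization's verified domains, sends matches to a Published connection, and otherwise applies the SSO and MFA policies, including the guest case. The `Organization` and `SsoConnection` models, the handling of a required-but-unpublished connection, and the sample tenants are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class SsoConnection:
    idp: str     # "Okta", "Microsoft Entra" or "Generic"
    status: str  # "Draft" or "Published"; only a Published connection is active

@dataclass
class Organization:
    name: str
    verified_domains: set = field(default_factory=set)  # lower-case, verified only
    sso: Optional[SsoConnection] = None
    require_sso_for_domain_members: bool = False
    require_mfa_for_non_sso_users: bool = False
    guests: set = field(default_factory=set)  # member emails outside the verified domains

def email_domain(email: str) -> Optional[str]:
    """Lower-cased domain of a well-formed address, else None."""
    local, at, domain = email.strip().rpartition("@")
    return domain.lower() if at and local and "@" not in local and "." in domain else None

def route_sign_in(email: str, orgs: list) -> dict:
    """Pick the sign-in method for an address: sso, password, password+mfa or blocked."""
    domain = email_domain(email)
    if domain is None:
        return {"method": "blocked", "org": None, "reason": "malformed address"}
    for org in orgs:
        if domain not in org.verified_domains:
            continue
        if org.sso is not None and org.sso.status == "Published":
            return {"method": "sso", "org": org.name, "idp": org.sso.idp}
        if org.require_sso_for_domain_members:
            # Assumption: passwords are disabled for domain members, so no active connection means no sign-in.
            return {"method": "blocked", "org": org.name, "reason": "SSO required"}
        mfa = org.require_mfa_for_non_sso_users
        return {"method": "password+mfa" if mfa else "password", "org": org.name}
    # No verified domain matched: guests use a password, plus MFA if their org requires it.
    for org in orgs:
        if email.strip().lower() in org.guests and org.require_mfa_for_non_sso_users:
            return {"method": "password+mfa", "org": org.name}
    return {"method": "password", "org": None}

# Constructed sample tenants.
MEGACORP = Organization("MegaCorp", {"megacorp.org"}, SsoConnection("Okta", "Published"),
                        require_sso_for_domain_members=True, require_mfa_for_non_sso_users=True,
                        guests={"contractor@example.net"})
ACME = Organization("Acme", {"acme.test"}, SsoConnection("Microsoft Entra", "Draft"))
ORGS = [MEGACORP, ACME]
```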
Auto-provisioning
SSO connections support automatic user provisioning. When enabled, users who authenticate through the IdP for the first time are automatically created in Seal. Toggle this setting on the SSO connection detail page under Auto Provision User.
Next steps
- Magic Link authentication — enable passwordless sign-in with email verification codes
- Set up organizations — group users by customer with domain routing
- Explore the API reference — manage users, organizations, and sessions programmatically