Enterprise SSO Integration Guide
Enterprise customers require Single Sign-On (SSO) integration for their tracio.ai dashboard. This guide covers how to connect tracio.ai with your identity provider using SAML 2.0 or OpenID Connect (OIDC), with specific instructions for the three most common providers: Okta, Auth0, and Azure AD.
Supported Protocols
tracio.ai supports two SSO protocols: SAML 2.0 and OpenID Connect. SAML is the traditional enterprise standard, widely supported by legacy identity providers. OIDC is the modern standard built on OAuth 2.0, with simpler implementation and better mobile support. We recommend OIDC for new integrations and SAML for organizations that have standardized on it.
Both protocols follow the same flow: the user attempts to access the tracio.ai dashboard, is redirected to your identity provider for authentication, and is redirected back to tracio.ai with a signed assertion or token. tracio.ai validates the assertion, creates or updates the user session, and grants access based on the mapped role.
Okta Integration
For Okta, create a new application integration in your Okta admin console. Select OIDC as the sign-in method and Web Application as the application type. Set the sign-in redirect URI to https://dashboard.tracio.ai/auth/callback/oidc. Set the sign-out redirect URI to https://dashboard.tracio.ai/auth/logout.
In the tracio.ai dashboard under Settings > Authentication, enter your Okta domain, client ID, and client secret. tracio.ai will auto-discover the OIDC endpoints from your Okta metadata URL. Configure group-to-role mapping to assign tracio.ai roles (Admin, Analyst, Viewer) based on Okta group membership.
Auth0 Integration
Create a new Regular Web Application in your Auth0 dashboard. Add https://dashboard.tracio.ai/auth/callback/oidc to the Allowed Callback URLs. Add https://dashboard.tracio.ai to the Allowed Logout URLs. Enable the appropriate connections (database, social, enterprise) under the application's Connections tab.
In tracio.ai, enter your Auth0 domain, client ID, and client secret. Auth0's OIDC discovery endpoint at https://your-domain.auth0.com/.well-known/openid-configuration provides all necessary metadata. Use Auth0 Rules or Actions to include custom claims in the ID token for role mapping.
Azure AD Integration
In the Azure portal, navigate to Azure Active Directory > App registrations > New registration. Set the redirect URI to https://dashboard.tracio.ai/auth/callback/oidc. Under Certificates & secrets, create a new client secret. Under API permissions, ensure openid, profile, and email permissions are granted.
In tracio.ai, enter your Azure AD tenant ID, client ID, and client secret. The OIDC metadata URL follows the pattern https://login.microsoftonline.com/{tenant-id}/v2.0/.well-known/openid-configuration. Map Azure AD groups or app roles to tracio.ai roles under the role mapping configuration.
Role Mapping and Provisioning
tracio.ai supports three roles: Admin (full access including API key management and billing), Analyst (read/write access to events, signals, and rules), and Viewer (read-only dashboard access). Roles are mapped from your identity provider's groups or claims.
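The sketch below shows how a group-to-role mapping can be resolved from ID token claims so that it fails closed. It is an added example, not tracio.ai's implementation. The `groups` claim name, the group names, and the rule that the highest-ranked role wins are assumptions; only the three role names come from this guide.

```python
# Added example. Only the role names Admin, Analyst and Viewer come from the
# guide; the claim name, group names and precedence rule are assumptions.
ROLE_RANK = {"Viewer": 1, "Analyst": 2, "Admin": 3}

# Hypothetical group-to-role mapping an administrator might configure.
GROUP_TO_ROLE = {
    "tracio-admins": "Admin",
    "tracio-analysts": "Analyst",
    "tracio-viewers": "Viewer",
}


class RoleMappingError(Exception):
    """Claims could not be mapped to a role; the caller must deny access."""


def resolve_role(claims, mapping=GROUP_TO_ROLE, claim_name="groups"):
    """Return the highest-ranked mapped role, or raise RoleMappingError."""
    unknown = set(mapping.values()) - set(ROLE_RANK)
    if unknown:
        raise RoleMappingError(f"mapping names unknown roles: {sorted(unknown)}")

    # Azure AD group overage: when a user has too many groups for the token,
    # the groups claim is replaced by a pointer under _claim_names. Treating
    # that as "no groups" would silently change the user's access.
    indirect = claims.get("_claim_names")
    if isinstance(indirect, dict) and claim_name in indirect:
        raise RoleMappingError("group overage: memberships are not in the token")

    raw = claims.get(claim_name)
    if isinstance(raw, str):  # a single group may arrive as a bare string
        raw = [raw]
    if not isinstance(raw, list) or not all(isinstance(g, str) for g in raw):
        raise RoleMappingError(f"claim {claim_name!r} is missing or malformed")

    # Exact, case-sensitive matching only: no prefix or substring matches.
    roles = [mapping[g] for g in raw if g in mapping]
    if not roles:
        raise RoleMappingError("no mapped group: deny, do not default to Viewer")
    return max(roles, key=ROLE_RANK.__getitem__)


# Constructed sample claims, not captured from a real identity provider.
SAMPLE_CLAIMS = {"sub": "user-123",
                 "groups": ["engineering", "tracio-analysts", "tracio-viewers"]}

if __name__ == "__main__":
    print(resolve_role(SAMPLE_CLAIMS))
```
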
We also support SCIM 2.0 for automated user provisioning and deprovisioning. When an employee is added to the appropriate group in your identity provider, they are automatically provisioned in tracio.ai with the correct role. When they are removed, their access is revoked within minutes. SCIM ensures that user lifecycle management stays centralized in your identity provider.