/settings/security/sso, either by toggling on Microsoft sign-in through the shared Entra app or by federating a bring-your-own SAML IdP. Entra handles multi-factor authentication, and only employees who already have a matching record in your organization can sign in.
Overview
The SSO settings page (SsoSettingsPage) is the entry point for org admins to enable staff sign-in. It offers two paths:
- Microsoft sign-in (recommended). A single toggle that lets staff sign in with the shared Entra app you already connected at
/settings/integrations/entra. Encore uses the verified email domains Microsoft Graph reports for your tenant to route federated logins — no DNS verification or SAML metadata needed. This is the right choice for almost everyone. - Advanced: bring your own SAML IdP. A guided wizard (
SsoSetupWizard) for organizations that must federate through a SAML 2.0 identity provider other than the shared Entra app. Adds your domain, verifies DNS ownership, and registers SAML metadata.
/settings/integrations/entra, which syncs directory, calendar, SharePoint, and Teams data. SSO is the login path; the Entra integration is the machine-to-machine connection.
Who it’s for
- Org admins with the
pf.sso.managepermission can set up, update, or remove an SSO provider. - All staff with a work email at a verified domain can sign in with SSO once the provider is active.
Before you start
- Confirm you have the
pf.sso.managepermission. Without it, the SSO page shows a permission notice and neither the toggle nor the SAML wizard can be launched. - Only employees that already exist in your organization’s
hr_employeesrecords can sign in via SSO. Add staff records first. - For Microsoft sign-in: complete Entra ID guided setup first so admin consent is granted and verified domains are cached.
- For the SAML path only: you need DNS edit access for the email domain you want to federate (to publish a TXT verification record), plus your SAML metadata URL and Entity ID from your IdP.
Enable Microsoft sign-in (recommended)
Use this path when the same Entra tenant that powers provisioning should also power staff login.Connect Entra ID first
/settings/integrations/entra. The integration must be Connected (green health badge) before the SSO toggle becomes available.Open the SSO settings page
/settings/security/sso. The Microsoft sign-in (recommended) section lists the verified domains Encore has cached from Microsoft Graph.Verify domains (if prompted)
Toggle Microsoft sign-in on
Test sign-in
Supabase Azure provider checklist
The shared Entra app must be configured on Supabase Auth’s Azure provider for user sign-in to work. The SSO settings page includes a collapsible Supabase Azure provider checklist with the same items:Failed-sign-in audit markers
Failed OIDC sign-ins are written to the PF-04 audit log with no detail surfaced to the user. Operators can search the audit log for these actions:Advanced: SAML SSO (bring your own IdP)
Use this path only if you need to federate through a non-shared SAML IdP — for example, a strict tenant-isolation policy or a non-Entra identity provider.Open the SAML wizard
/settings/security/sso and select Set up SAML SSO under the Advanced section. The SsoSetupWizard opens.Add your domain
acme.com). The wizard creates a pending pf_sso_domain_claims row and a draft pf_org_sso_providers row, then issues a DNS TXT verification token.Verify ownership
sso-domain-verify. The wizard polls the claim status; it will not advance until the claim flips to verified.Paste IdP metadata
sso-provider-update to attach the metadata to the draft provider.Review and activate
sso-provider-register, which registers the SAML provider with Supabase and sets its status to active. The wizard then emits a PF-04 audit event. Run a test sign-in from an incognito window to confirm the round-trip.Sign in with SSO
Once a provider is active, federated users sign in from the standard Encore sign-in screen:- On the sign-in page, select Sign in with SSO.
- Enter your work email. The client derives the domain and calls
supabase.auth.signInWithSSO({ domain }). - You are redirected to your organization’s Entra login, complete MFA there, and return to Encore authenticated.
- A PF-49 session record is created. The Encore MFA challenge (PF-79) is skipped because the IdP has already asserted MFA.
Key concepts
Domain ownership verification
Domain ownership verification
verification_token. This prevents another tenant from registering your domain and hijacking sign-ins. A domain claim must be in the verified state before its provider can be activated.Known-employees-only sign-in
Known-employees-only sign-in
email claim against hr_employees for the resolved org. If no employee matches, sign-in is blocked, no auth user is created, and the user sees a clear error. Add staff records (or use the Entra ID directory sync at /settings/integrations/entra) before inviting users to sign in.MFA delegation
MFA delegation
One active provider per domain
One active provider per domain
Audit trail
Audit trail
Update or remove a provider
Use the same wizard surface for ongoing changes:- Update metadata or domains — re-run the wizard to call
sso-provider-updatewith new SAML metadata or an additional verified domain. - Disable or delete — call
sso-provider-deleteto remove the Supabase provider and clear the registry. Users at affected domains revert to email and password sign-in.
pf.sso.manage and emit PF-04 audit events.
Troubleshooting
Domain verification stays pending
Domain verification stays pending
Test sign-in returns 'no matching employee'
Test sign-in returns 'no matching employee'
hr_employees row in this organization. Create the staff record (or sync from Entra) and retry. SSO never creates new employees on the fly.Activation rejected with 'domain not verified'
Activation rejected with 'domain not verified'
sso-provider-register blocks activation while any selected domain is still in pending or failed state. Return to the verification step until every domain is verified.Related
Entra ID integration
Sessions & devices
Staff security settings
Audit logs
Documentation sources
Documentation sources
- src/platform/settings/pages/SsoSettingsPage.tsx
- src/platform/auth/sso/SsoSetupWizard.tsx
- src/platform/auth/sso/useSsoSetup.ts
- src/platform/auth/sso/useSsoLogin.ts
- src/platform/auth/Auth.tsx
- src/routes/platform.tsx
- supabase/functions/sso-domain-verify
- supabase/functions/sso-provider-register
- supabase/functions/sso-provider-update
- supabase/functions/sso-provider-delete
- supabase/functions/sso-revoke-unmatched