Connect any identity provider. AuthFI supports SAML 2.0, OIDC federation, and LDAP/Active Directory.
Supported providers

| Provider | Protocols | Setup |
|---|---|---|
| Okta | SAML 2.0 or OIDC | Upload IdP metadata or discovery URL. |
| Azure AD (Entra) | SAML 2.0 or OIDC | Enterprise app registration. |
| Google Workspace | SAML 2.0 | Custom SAML app. |
| OneLogin | SAML 2.0 | SAML connector. |
| PingIdentity | SAML 2.0 or OIDC | Application configuration. |
| Active Directory | LDAP / LDAPS | Host, port, base DN, bind credentials. |
| Any OIDC provider | OIDC | Discovery URL, client_id, client_secret. |
| Any SAML IdP | SAML 2.0 | Upload IdP metadata XML or paste cert + URLs. |
SAML 2.0
Create a SAML connection
```bash
curl -X POST https://api.authfi.app/manage/v1/acme/connections \
  -H "X-API-Key: sk_..." \
  -d '{
    "name": "Okta SSO",
    "strategy": "saml",
    "is_active": true,
    "saml_idp_sso_url": "https://acme.okta.com/app/xxx/sso/saml",
    "saml_entity_id": "http://www.okta.com/xxx",
    "saml_certificate": "-----BEGIN CERTIFICATE-----\nMIIC...\n-----END CERTIFICATE-----",
    "saml_name_id_format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "attribute_mapping": {
      "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
      "name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
    }
  }'
```

AuthFI SP metadata
Each connection gets a metadata endpoint:

```
GET https://acme.authfi.app/saml/{connId}/metadata
```

Upload this XML to your IdP or use these values:

- Entity ID: https://acme.authfi.app
- ACS URL: https://acme.authfi.app/auth/saml/{connId}/callback
- Name ID Format: emailAddress
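The Entity ID and ACS URL above are not just values to paste into the IdP: they are what the SP checks a returned assertion against in step 5 of the SAML flow below ("AuthFI validates assertion"). The code that follows is an added example of those checks, not AuthFI's implementation. It assumes the assertion's XML signature has already been verified with an XML-DSig library, then checks issuer, validity window, audience, recipient, InResponseTo and replay. The assertion, request ID and connection ID in it are constructed.

```python
# Added example (not AuthFI code): the checks an SP makes on a SAML assertion
# after verifying its XML signature (step 5 of the flow). Signature verification
# itself needs an XML-DSig library and is out of scope here. The assertion and
# identifiers below are constructed.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}

# Values the SP knows from its own connection config (placeholder connection ID).
SP_ENTITY_ID = "https://acme.authfi.app"
ACS_URL = "https://acme.authfi.app/auth/saml/conn_example/callback"
IDP_ENTITY_ID = "http://www.okta.com/exk-example"

SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_assert-1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>http://www.okta.com/exk-example</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@acme.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData InResponseTo="_req-9" NotOnOrAfter="2024-05-01T12:05:00Z"
          Recipient="https://acme.authfi.app/auth/saml/conn_example/callback"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://acme.authfi.app</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>
"""


def parse_saml_time(value: str) -> datetime:
    """SAML timestamps are UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_assertion(xml_text, *, now, pending_request_ids, seen_assertion_ids,
                    skew=timedelta(seconds=60)):
    """Return a list of failure reasons (empty list = accept).
    Only call this on an assertion whose signature has already been verified;
    for untrusted XML use defusedxml rather than the stdlib parser."""
    a = ET.fromstring(xml_text)
    problems = []
    if a.tag != "{%s}Assertion" % SAML:
        return ["root element is not saml:Assertion"]

    # 1. The assertion must come from the IdP configured for this connection.
    if a.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        problems.append("issuer does not match connection's saml_entity_id")

    # 2. Validity window and audience: the assertion must be meant for this SP, now.
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        problems.append("missing Conditions")
    else:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now + skew < parse_saml_time(nb):
            problems.append("assertion not yet valid")
        if noa and now - skew >= parse_saml_time(noa):
            problems.append("assertion expired")
        audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if SP_ENTITY_ID not in audiences:
            problems.append("audience does not include this SP's entity ID")

    # 3. Bearer confirmation: delivered to our ACS URL, answering a request we sent.
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        problems.append("missing SubjectConfirmationData")
    else:
        if scd.get("Recipient") != ACS_URL:
            problems.append("Recipient is not this connection's ACS URL")
        if scd.get("InResponseTo") not in pending_request_ids:
            problems.append("InResponseTo does not match an outstanding AuthnRequest")
        if scd.get("NotOnOrAfter") and now - skew >= parse_saml_time(scd.get("NotOnOrAfter")):
            problems.append("subject confirmation expired")

    # 4. Replay: each assertion ID is accepted once within its validity window.
    if a.get("ID") in seen_assertion_ids:
        problems.append("assertion ID already consumed")
    return problems


if __name__ == "__main__":
    now = parse_saml_time("2024-05-01T12:01:00Z")
    print(check_assertion(SAMPLE_ASSERTION, now=now, pending_request_ids={"_req-9"}, seen_assertion_ids=set()))
```

The `pending_request_ids` set is the store of AuthnRequest IDs the SP issued and has not yet seen answered; `seen_assertion_ids` only needs to retain IDs until their `NotOnOrAfter` passes. The one-minute `skew` is a tolerance for clock drift between IdP and SP, not a grace period.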
SAML flow
1. User clicks "Login with Okta"
2. AuthFI redirects to Okta with SAML AuthnRequest
3. User authenticates at Okta
4. Okta POSTs SAML assertion to AuthFI ACS URL
5. AuthFI validates assertion, creates/links user
6. AuthFI issues JWT tokens
7. User is logged in

OIDC federation
```bash
curl -X POST https://api.authfi.app/manage/v1/acme/connections \
  -H "X-API-Key: sk_..." \
  -d '{
    "name": "Azure AD",
    "strategy": "oidc",
    "is_active": true,
    "oidc_discovery_url": "https://login.microsoftonline.com/{tenant}/.well-known/openid-configuration",
    "oidc_client_id": "app-registration-id",
    "oidc_client_secret": "app-secret",
    "oidc_scopes": "openid profile email"
  }'
```

LDAP / Active Directory
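The `ldap_user_filter` in the request below is a template: `{username}` is replaced with whatever the user typed at login. That value must be escaped per RFC 4515 before substitution, otherwise characters like `*`, `(` and `)` change the meaning of the search filter. The following is an added example of that substitution, not AuthFI's own code; the helper names are this example's own and the filter template is the one used on this page.

```python
# Added example (not AuthFI code): substituting {username} into ldap_user_filter
# safely. The template string is the one from the request on this page; the helper
# names are this example's own.

# RFC 4515 requires these characters to be hex-escaped inside a filter value.
_LDAP_SPECIAL = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_ldap_filter_value(value: str) -> str:
    """Escape a user-supplied value for use inside an LDAP search filter (RFC 4515)."""
    out = []
    for ch in value:
        if ch in _LDAP_SPECIAL:
            out.append(_LDAP_SPECIAL[ch])
        elif ord(ch) > 127:
            # Non-ASCII is escaped byte-wise as UTF-8 so the filter stays pure ASCII.
            out.extend(r"\%02x" % b for b in ch.encode("utf-8"))
        else:
            out.append(ch)
    return "".join(out)


def render_user_filter(template: str, username: str) -> str:
    """Fill the {username} placeholder with an escaped value.
    A template with no placeholder, or more than one, is a configuration error."""
    if template.count("{username}") != 1:
        raise ValueError("ldap_user_filter must contain exactly one {username}")
    return template.replace("{username}", escape_ldap_filter_value(username))


if __name__ == "__main__":
    template = "(sAMAccountName={username})"
    print(render_user_filter(template, "alice"))
    # A wildcard in the login name is searched for literally, not expanded:
    print(render_user_filter(template, "*)(objectClass=*"))
```

With escaping in place, a login name of `*)(objectClass=*` becomes the literal value `\2a\29\28objectClass=\2a` and simply matches no account, instead of turning the filter into a match-anything search.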
```bash
curl -X POST https://api.authfi.app/manage/v1/acme/connections \
  -H "X-API-Key: sk_..." \
  -d '{
    "name": "Corporate AD",
    "strategy": "ldap",
    "is_active": true,
    "ldap_host": "ldap.corp.internal",
    "ldap_port": 636,
    "ldap_use_tls": true,
    "ldap_base_dn": "dc=corp,dc=internal",
    "ldap_bind_dn": "cn=authfi-svc,ou=ServiceAccounts,dc=corp,dc=internal",
    "ldap_bind_password": "...",
    "ldap_user_filter": "(sAMAccountName={username})"
  }'
```

Domain routing
Map email domains to connections. When a user enters alice@acme.com, AuthFI automatically redirects to the right IdP.
```bash
curl -X PATCH https://api.authfi.app/manage/v1/acme/connections/{connId} \
  -H "X-API-Key: sk_..." \
  -d '{ "email_domains": ["acme.com", "acme.io"] }'
```

Multiple domains can point to one connection. The identifier-first flow (POST /auth/login/identify) returns the matched connection for the email domain.
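To make the routing decision concrete, here is an added example (not AuthFI's implementation) that models what the identifier-first step has to decide: which connection, if any, an email address maps to. It normalises case, ignores inactive connections, treats a domain claimed by two connections as a configuration error, and matches domains exactly, so a subdomain is only routed if it is configured. The connection records are constructed.

```python
# Added example (not AuthFI code): the routing decision behind the identifier-first
# flow, modelled locally. Connection records and domains are constructed.
from typing import Optional


def build_domain_index(connections: list[dict]) -> dict[str, str]:
    """Map each configured email domain to exactly one connection ID.
    Only active connections take part; the same domain on two connections is a config error."""
    index: dict[str, str] = {}
    for conn in connections:
        if not conn.get("is_active", False):
            continue
        for domain in conn.get("email_domains", []):
            key = domain.strip().lower().lstrip("@")
            if key in index and index[key] != conn["id"]:
                raise ValueError(f"domain {key!r} is claimed by {index[key]} and {conn['id']}")
            index[key] = conn["id"]
    return index


def route_identifier(email: str, index: dict[str, str]) -> Optional[str]:
    """Return the connection ID for the email's domain, or None to fall back to the
    tenant's default login (password or social).
    Matching is exact: 'acme.com' does not cover 'eu.acme.com' unless configured."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain:
        return None  # not a well-formed identifier; let the normal login form handle it
    return index.get(domain.lower())


CONNECTIONS = [  # constructed sample records
    {"id": "conn_okta", "is_active": True, "email_domains": ["acme.com", "acme.io"]},
    {"id": "conn_ad", "is_active": True, "email_domains": ["corp.internal"]},
    {"id": "conn_old", "is_active": False, "email_domains": ["legacy.acme.com"]},
]

if __name__ == "__main__":
    idx = build_domain_index(CONNECTIONS)
    for addr in ["alice@acme.com", "Bob@ACME.IO", "carol@eu.acme.com",
                 "dave@legacy.acme.com", "not-an-email"]:
        print(addr, "->", route_identifier(addr, idx))
```

Returning `None` rather than a default connection matters: an unrouted address should land on the ordinary login form, never on another tenant's IdP.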
User provisioning
Just-In-Time (JIT)
When a user logs in via SSO for the first time, AuthFI automatically creates a user account from the SAML/OIDC attributes. No pre-provisioning needed.
SCIM Inbound
For directory sync, configure SCIM on your IdP to push user create/update/delete to:
```
https://api.authfi.app/scim/v2/acme/Users
Authorization: Bearer <scim-token>
```

See SCIM Provisioning for details.
Group claims
AuthFI can map IdP group claims to AuthFI groups:
- SAML: Map `groups` attribute → AuthFI groups
- OIDC: Map `groups` claim → AuthFI groups
- LDAP: Map AD group membership → AuthFI groups
Groups synced from SSO are used for role assignment, AuthFI Connect mapping, and eBPF access policies.
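JIT provisioning and group mapping meet at the first SSO login: the `attribute_mapping` on the connection says which assertion attribute holds the email and display name, and the group mapping says which IdP groups become AuthFI groups. The following added example (not AuthFI's code) models that step. The email and name attribute URIs are the ones used in the SAML connection above; the `groups` attribute name, the group mapping and the sample attribute values are constructed. It refuses to create an account when no usable email arrives, normalises the email so later logins link to the same user, and ignores IdP groups that nobody has mapped.

```python
# Added example (not AuthFI code): how an attribute_mapping and a group mapping
# turn the attributes in an SSO assertion into a JIT-provisioned account.
# Email/name attribute URIs are those from the SAML connection on this page; the
# groups attribute name, the group mapping and the sample attributes are constructed.

EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
NAME_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"

ATTRIBUTE_MAPPING = {"email": EMAIL_CLAIM, "name": NAME_CLAIM, "groups": "groups"}

# IdP group name -> AuthFI group. Groups the IdP sends but nobody mapped are ignored,
# so a new IdP group cannot grant access until an admin maps it explicitly.
GROUP_MAPPING = {"Engineering": "engineers", "SecOps": "security-ops"}


def provision_user(attributes: dict[str, list[str]], attribute_mapping: dict, group_mapping: dict) -> dict:
    """Build the user record for a first SSO login (JIT).
    `attributes` is the assertion's AttributeStatement as name -> list of values."""
    def first(field):
        values = attributes.get(attribute_mapping.get(field, ""), [])
        return values[0].strip() if values and values[0].strip() else None

    email = first("email")
    if not email or "@" not in email:
        raise ValueError("assertion carries no usable email; refusing to create an account")
    idp_groups = attributes.get(attribute_mapping.get("groups", ""), [])
    groups = sorted({group_mapping[g] for g in idp_groups if g in group_mapping})
    return {
        "email": email.lower(),  # the account key; normalised so re-logins link to the same user
        "name": first("name") or email.split("@")[0],
        "groups": groups,
        # Kept for audit: tells an admin which IdP groups are not yet mapped.
        "unmapped_idp_groups": sorted(g for g in idp_groups if g not in group_mapping),
    }


SAMPLE_ATTRIBUTES = {  # constructed AttributeStatement
    EMAIL_CLAIM: ["Alice@Acme.com"],
    NAME_CLAIM: ["Alice Example"],
    "groups": ["Engineering", "Everyone", "SecOps"],
}

if __name__ == "__main__":
    print(provision_user(SAMPLE_ATTRIBUTES, ATTRIBUTE_MAPPING, GROUP_MAPPING))
```

Because the resulting `groups` drive role assignment and access policies, the mapping table is the control point: only groups an administrator has listed in it can ever reach the user record.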
Plan availability
| Feature | Build | Ship | Scale |
|---|---|---|---|
| Social login (Google, GitHub) | Yes | Yes | Yes |
| SAML 2.0 | — | Yes | Yes |
| OIDC federation | — | Yes | Yes |
| LDAP / AD | — | Yes | Yes |
| SSO connections | 0 | 5 | Unlimited |
| Domain routing | — | Yes | Yes |
| SCIM inbound | — | Add-on | Yes |