Single Sign-On (SSO)

Veriproof supports OIDC-based single sign-on for all plans at the Team tier and above. SSO configuration is available under Settings → Account → SSO Configuration.

SSO configuration requires the CustomerAdmin role.

Supported Identity Providers

Provider	Protocol	Notes
Microsoft Entra ID	OIDC	Recommended. Supports Entra External ID tenants.
Google Workspace	OIDC	Requires a Google Cloud OAuth 2.0 client.
Okta	OIDC	Standard Okta application integration.

SAML is not supported. All SSO connections use OpenID Connect (OIDC).

Callback URL

Your identity provider will require the Veriproof callback URL during configuration. The redirect URI to register is:


https://app.veriproof.app/auth/callback

For sandbox environments:


https://sandbox.veriproof.app/auth/callback

Setup Guides

Microsoft Entra ID

Microsoft Entra ID is the recommended identity provider for enterprise Veriproof deployments, particularly when you are already using Microsoft 365 or Azure.

Register an application in Entra ID

Open portal.azure.com and navigate to Microsoft Entra ID → App registrations → New registration.
Set Name to something recognizable, e.g. Veriproof Customer Portal.
Under Supported account types, select the scope appropriate for your organization (typically Single tenant).
Under Redirect URI, choose Web and enter:
```
https://app.veriproof.app/auth/callback
```
Click Register.

Note your Application (client) ID and Tenant ID

On the registration’s Overview page, copy:

Application (client) ID → this is your clientId
Directory (tenant) ID → this is your tenantId

Create a client secret

Go to Certificates & secrets → Client secrets → New client secret.
Set a description and expiry (24 months recommended).
Copy the Value immediately — it is only shown once.

Configure in Veriproof

In the Customer Portal, open Settings, select Account → SSO Configuration, and start the configuration wizard.

Field	Value
Provider	`microsoft`
Client ID	Application (client) ID from step 2
Client Secret	Secret value from step 3
Tenant / Domain	Your Azure Tenant ID (GUID) or `{tenant}.onmicrosoft.com`
Display Name	e.g. `Acme Corp (Microsoft)`

Test the configuration

Click Test Connection. This performs a discovery document fetch and validates the credentials without creating a real login session.

Enable the configuration

Toggle Enabled to activate SSO. Users will see your IdP on the login page alongside email/password.

Google Workspace

Create an OAuth 2.0 client

Open console.cloud.google.com and navigate to APIs & Services → Credentials → Create Credentials → OAuth client ID.
Set Application type to Web application.
Under Authorized redirect URIs, add:
```
https://app.veriproof.app/auth/callback
```
Click Create and copy the Client ID and Client secret.

Configure in Veriproof

Field	Value
Provider	`google`
Client ID	OAuth client ID from Google
Client Secret	OAuth client secret from Google
Domain	Your Workspace domain, e.g. `acme.com`
Display Name	e.g. `Acme Corp (Google)`

Test and enable

Click Test Connection to validate, then toggle Enabled.

Okta

Create an OIDC application in Okta

In your Okta Admin Console, go to Applications → Create App Integration.
Select OIDC – OpenID Connect and Web Application.
Under Sign-in redirect URIs, add:
```
https://app.veriproof.app/auth/callback
```
Save the application and copy the Client ID and Client secret.

Find your Okta domain

Your Okta domain is visible in the top-right of the admin console, e.g. your-org.okta.com.

Configure in Veriproof

Field	Value
Provider	`okta`
Client ID	Okta client ID
Client Secret	Okta client secret
Domain	Your Okta domain, e.g. `your-org.okta.com`
Display Name	e.g. `Acme Corp (Okta)`

Test and enable

Click Test Connection, then toggle Enabled.

Managing Configurations

Listing Configurations


GET /v1/sso/configuration

Returns all SSO configurations for your tenant, including their configId, provider, display name, and enabled status.

Creating or Updating a Configuration


PUT /v1/sso/configuration

Disabling Without Deleting

To temporarily disable an SSO configuration without removing it:


PATCH /v1/sso/configuration/{configId}/disable

This is useful for testing or during IdP maintenance windows. Users will fall back to email/password login while SSO is disabled.

Deleting a Configuration


DELETE /v1/sso/configuration/{configId}

Deleting an SSO configuration is irreversible. Users who sign in exclusively via that IdP will lose portal access until they reset their password or a new SSO configuration is added. Prefer disable over delete unless you are permanently removing the integration.

Multiple SSO Providers

You can configure more than one SSO provider simultaneously. Each enabled configuration appears as a separate button on the Veriproof login page. This is useful when you have departments using different identity systems (e.g. Microsoft Entra for corporate staff and Google Workspace for contractors).

SSO and Role Assignment

Veriproof does not automatically map IdP group memberships to portal roles. After a user authenticates via SSO for the first time, they are created with the CustomerAuditor (least-privilege) role. A CustomerAdmin must then assign the appropriate role(s) from Settings → Team → Members.

Troubleshooting

Symptom	Resolution
”Invalid redirect URI” error from IdP	Verify the exact callback URL `https://app.veriproof.app/auth/callback` is registered in your IdP.
”Configuration not found”	The `configId` may be for a deleted record. Re-run `GET /v1/sso/configuration`.
Login button does not appear	The configuration exists but may be in disabled state. Re-enable it via `PATCH /v1/sso/configuration/{configId}/disable` or the portal toggle.
SSO works but user cannot access features	Check the user’s role assignment — SSO sign-in does not elevate permissions beyond the default `CustomerAuditor`.