Novaza SSO on Novaza Docs

User Management

Mon, 01 Jan 0001 00:00:00 +0000

User Management#

User accounts in Novaza SSO represent the individual people who access your workspace. Each user has a profile, a set of roles, and an authentication method. Administrators manage users from the SSO → Users panel.

Creating a User#

Go to SSO → Users → New User.
Enter the user’s email address — this is their login identifier and must be unique within the workspace.
Enter their full name and optionally their job title, department, and phone number.
Assign one or more roles (see Roles & Permissions).
Choose the activation method:
- Send invite email — the user receives an email with a link to set their own password
- Set password manually — you set a temporary password and the user is prompted to change it on first login
Click Create User.

User Profile Fields#

Each user profile stores:

Roles & Permissions

Mon, 01 Jan 0001 00:00:00 +0000

Roles & Permissions#

Novaza SSO uses a Role-Based Access Control (RBAC) model. Permissions are granted to roles, and roles are assigned to users. This makes it easy to manage access for large teams — instead of configuring permissions per user, you configure a small set of roles and assign users to them.

Built-In Roles#

Every workspace starts with these default roles:

Role	Description
Owner	Full access to all products and settings; can manage billing. Only one owner per workspace.
Administrator	Full access to all products and settings; cannot manage billing or transfer ownership.
Member	Standard access to products the user has been granted access to; no access to global settings.
Guest	Read-only access to specific namespaces or channels as explicitly configured.

Built-in roles cannot be deleted, but their permissions can be reviewed (not modified). For custom permission sets, create additional roles.

Single Sign-On

Mon, 01 Jan 0001 00:00:00 +0000

Single Sign-On#

Novaza SSO supports industry-standard authentication protocols so that your team can log in using your organization’s existing identity provider. When SSO is configured, users do not need a separate Novaza password — they authenticate through your trusted identity system, and Novaza grants access automatically.

Supported Protocols#

OpenID Connect (OIDC) — recommended for cloud providers such as Google Workspace, Microsoft Entra ID, and Okta
SAML 2.0 — required by some enterprise identity providers and legacy systems (Enterprise plan only)
Social Login — Google and Microsoft consumer/workplace accounts (available on all plans)

Configuring OIDC#

In your identity provider, create a new OAuth 2.0 / OIDC application. Use the following redirect URI:
```
https://id.novaza.ai/realms/novaza/broker/<provider-alias>/endpoint
```
The <provider-alias> value is shown in the Novaza SSO configuration screen after you add the provider.
Note the Client ID and Client Secret from your provider.
In Novaza, go to SSO → Settings → Single Sign-On → Add Provider → OIDC.
Enter a Provider Name (e.g., “Google Workspace”), the Client ID, Client Secret, and the provider’s Discovery URL (e.g., https://accounts.google.com).
Configure Attribute Mapping — map the OIDC claims from your provider to Novaza user fields:
- sub → User ID
- email → Email address
- name → Full name
- groups or a custom claim → Novaza roles
Set the Auto-provision option to automatically create a Novaza user account on first login if one does not exist.
Click Save and Test to verify the configuration with a live login attempt.

Configuring SAML 2.0#

In Novaza, go to SSO → Settings → Single Sign-On → Add Provider → SAML 2.0.
Download the Service Provider Metadata XML and upload it to your identity provider to register Novaza as an SP.
Enter your identity provider’s SSO URL, Entity ID, and X.509 Certificate in the Novaza configuration form.
Configure attribute statements in your IdP to pass email, name, and role information.
Test the configuration by clicking Test SAML Login.

To enable Google or Microsoft social login for workspace users:

Groups

Mon, 01 Jan 0001 00:00:00 +0000

Groups#

Groups let you organize users into logical sets and assign roles or permissions to multiple users at once. Instead of assigning roles user by user, you create a group, assign roles to the group, and add users as members. Every user inherits the permissions of every group they belong to.

When to Use Groups#

Departments — Sales, Support, Engineering, Finance
Projects — temporary teams working on a specific initiative
Locations — branch offices or regional teams with different access scopes
External — vendors, contractors, or partners who need limited access

Creating a Group#

Open SSO → Groups
Click New group
Enter a name and optional description
Assign one or more roles to the group
Save

Adding Members#

Groups can be populated in three ways:

Password Policies

Mon, 01 Jan 0001 00:00:00 +0000

Password Policies#

Password policies define the rules that user passwords must satisfy when they are created, changed, or rotated. A strong password policy is one of the simplest and most effective ways to protect accounts from credential-based attacks.

Default Policy#

All Novaza workspaces start with a sensible default policy:

Minimum length: 10 characters
At least one letter and one digit
Cannot match the user’s email address
Cannot be one of the user’s last 5 passwords
Expires every 180 days

Administrators can tighten (but not loosen) the default on Professional and Enterprise plans.

Multi-Factor Authentication

Mon, 01 Jan 0001 00:00:00 +0000

Multi-Factor Authentication#

Multi-factor authentication (MFA) adds a second verification step to the login process. Even if a password is stolen, an attacker cannot access the account without also possessing the second factor. Novaza supports several MFA methods so users and administrators can pick the balance of security and convenience that fits their needs.

Supported Methods#

Authenticator app (TOTP) — time-based one-time codes generated by apps such as Google Authenticator, Microsoft Authenticator, 1Password, or Authy
Security keys (WebAuthn / FIDO2) — hardware keys such as YubiKey and platform authenticators such as Touch ID, Face ID, and Windows Hello
Recovery codes — one-time backup codes printed or saved when MFA is first enabled, used when the primary factor is unavailable

SMS-based codes are not supported — they are vulnerable to SIM-swap attacks and are actively discouraged.

LDAP & Active Directory

Mon, 01 Jan 0001 00:00:00 +0000

LDAP & Active Directory Federation#

Novaza SSO can federate with an existing LDAP or Active Directory server so that users authenticate with their corporate directory credentials. User accounts, group memberships, and attributes are synchronized from the directory — you do not need to create and maintain users twice.

LDAP federation is available on Enterprise plans.

How Federation Works#

Administrator configures a connection to the directory (host, bind DN, search base)
Novaza queries the directory for users matching a filter
Matching users are imported into Novaza and kept in sync
When a user signs in, Novaza delegates password verification to the directory
Group memberships from the directory are mapped to Novaza groups

At no point is the user’s directory password stored in Novaza.

Audit Log

Mon, 01 Jan 0001 00:00:00 +0000

Audit Log#

The audit log is an append-only record of security- and identity-relevant events that occur in your Novaza workspace. It is the system of record for compliance, incident investigation, and routine security review.

What is Logged#

Category	Examples
Authentication	successful logins, failed logins, MFA challenges, SSO redirects, logouts
User management	user created, deactivated, deleted, password reset, email changed
Role & permissions	role assigned, role revoked, group membership changed
SSO configuration	identity provider added, certificate rotated, protocol changed
Admin actions	workspace settings changed, MFA policy changed, password policy changed

Application-level actions (records edited, workflows executed, etc.) are logged by each Novaza product separately and are out of scope for the SSO audit log.

Novaza SSO on Novaza Docs

User Management

User Management#

Creating a User#

User Profile Fields#

Roles & Permissions

Roles & Permissions#

Built-In Roles#

Single Sign-On

Single Sign-On#

Supported Protocols#

Configuring OIDC#

Configuring SAML 2.0#

Social Login#

Groups

Groups#

When to Use Groups#

Creating a Group#

Adding Members#

Password Policies

Password Policies#

Default Policy#

Multi-Factor Authentication

Multi-Factor Authentication#

Supported Methods#

LDAP & Active Directory

LDAP & Active Directory Federation#

How Federation Works#

Audit Log

Audit Log#

What is Logged#