Single Sign-On
Novaza SSO supports industry-standard authentication protocols so that your team can log in using your organization’s existing identity provider. When SSO is configured, users do not need a separate Novaza password — they authenticate through your trusted identity system, and Novaza grants access automatically.
Supported Protocols
- OpenID Connect (OIDC) — recommended for cloud providers such as Google Workspace, Microsoft Entra ID, and Okta
- SAML 2.0 — required by some enterprise identity providers and legacy systems (Enterprise plan only)
- Social Login — Google and Microsoft consumer/workplace accounts (available on all plans)
Configuring OIDC
- In your identity provider, create a new OAuth 2.0 / OIDC application. Use the following redirect URI:
  https://id.novaza.ai/realms/novaza/broker/<provider-alias>/endpoint
  The <provider-alias> value is shown in the Novaza SSO configuration screen after you add the provider.
- Note the Client ID and Client Secret from your provider.
- In Novaza, go to SSO → Settings → Single Sign-On → Add Provider → OIDC.
- Enter a Provider Name (e.g., “Google Workspace”), the Client ID, Client Secret, and the provider’s Discovery URL (e.g., https://accounts.google.com).
- Configure Attribute Mapping. Map the OIDC claims from your provider to Novaza user fields:
  - sub → User ID
  - email → Email address
  - name → Full name
  - groups or a custom claim → Novaza roles
- Set the Auto-provision option to automatically create a Novaza user account on first login if one does not exist.
- Click Save and Test to verify the configuration with a live login attempt.
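The following is an added example, not Novaza's own code. It pre-checks the values used in the OIDC steps above by building the redirect URI for a provider alias, sanity-checking a discovery document, and applying the claim mapping. The alias google-workspace, the idp.example.com document and the Novaza field names are constructed for illustration, and the Discovery URL is assumed to be the issuer base URL, as in the page's example.

```python
from urllib.parse import urlparse

# Redirect URI pattern taken from this page.
REDIRECT_TEMPLATE = "https://id.novaza.ai/realms/novaza/broker/{alias}/endpoint"
# Claim -> Novaza field, per the Attribute Mapping step (field names are assumed labels).
CLAIM_MAP = {"sub": "user_id", "email": "email", "name": "full_name", "groups": "roles"}

# Constructed sample discovery document (not fetched from a real identity provider).
SAMPLE_DISCOVERY = {
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/authorize",
    "token_endpoint": "https://idp.example.com/token",
    "jwks_uri": "https://idp.example.com/keys",
    "claims_supported": ["sub", "email", "name"],
}

def redirect_uri(alias):
    """Redirect URI to register at the IdP for a given provider alias."""
    return REDIRECT_TEMPLATE.format(alias=alias)

def check_discovery(discovery_url, doc):
    """Return a list of problems found in a discovery document (empty means OK)."""
    problems = []
    # The issuer in the document should match the URL it was discovered from
    # (compared here ignoring a trailing slash).
    if doc.get("issuer", "").rstrip("/") != discovery_url.rstrip("/"):
        problems.append("issuer does not match Discovery URL")
    # Every endpoint the login flow touches must be served over HTTPS.
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if urlparse(doc.get(key, "")).scheme != "https":
            problems.append(f"{key} missing or not HTTPS")
    # Flag mapped claims the provider does not advertise (e.g. a custom groups claim).
    advertised = set(doc.get("claims_supported", []))
    for claim in CLAIM_MAP:
        if claim not in advertised:
            problems.append(f"claim '{claim}' not advertised; mapping may stay empty")
    return problems

def map_claims(claims):
    """Apply the attribute mapping; claims absent from the token are skipped."""
    return {field: claims[c] for c, field in CLAIM_MAP.items() if c in claims}

if __name__ == "__main__":
    print(redirect_uri("google-workspace"))
    print(check_discovery("https://idp.example.com", SAMPLE_DISCOVERY))
    print(map_claims({"sub": "1234", "email": "a@example.com", "name": "A. User"}))
```

A missing groups claim, as in the sample, means role mapping has nothing to work from until the provider is configured to emit it or a custom claim is mapped instead.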
Configuring SAML 2.0
- In Novaza, go to SSO → Settings → Single Sign-On → Add Provider → SAML 2.0.
- Download the Service Provider Metadata XML and upload it to your identity provider to register Novaza as an SP.
- Enter your identity provider’s SSO URL, Entity ID, and X.509 Certificate in the Novaza configuration form.
- Configure attribute statements in your IdP to pass email, name, and role information.
- Test the configuration by clicking Test SAML Login.
Social Login
To enable Google or Microsoft social login for workspace users:
- Go to SSO → Settings → Social Login.
- Toggle on Google and/or Microsoft.
- Optionally restrict social login to specific email domains (e.g., @yourcompany.com) to prevent sign-ins from personal accounts.
Social login creates a linked account automatically on first use if an existing user with the same email exists, or if auto-provisioning is enabled.
SSO Enforcement
In SSO → Settings → Single Sign-On → Enforcement, you can:
- Require SSO — prevent all users from logging in with a username/password; all logins must go through a configured provider. This locks out users who do not have an account in your identity provider.
- Allow both — users can log in with either their Novaza password or SSO (default).
We recommend enabling enforcement only after verifying that all active users can successfully authenticate via the SSO provider.
Session and Token Settings
Configure session behavior in SSO → Settings → Sessions:
- Session duration — how long a user stays logged in without re-authenticating (default: 8 hours)
- Idle timeout — log out automatically after a period of inactivity (default: disabled)
- Concurrent sessions — allow or restrict multiple simultaneous sessions per user