SSO / SAML / SCIM
Orkestra supports Single Sign-On via SAML 2.0 and OpenID Connect (OIDC), plus automatic provisioning with SCIM 2.0. All options require an Organization subscription.
Which option to choose?
- SAML 2.0: the enterprise standard. Compatible with Okta, OneLogin, Ping Identity, Azure AD (Entra ID), Google Workspace.
- OIDC: more modern, ideal if your IdP is Auth0, Okta OIDC, Google Workspace, or newer providers.
- SCIM 2.0: optional add-on. Automates user creation, update and deletion from your IdP. SCIM groups map to Orkestra Areas.
If your IdP supports both, we recommend SAML for maturity and compatibility. Enable SCIM on top to avoid manual user maintenance.
Set up SAML 2.0
1. In Orkestra
- Go to Organization settings → SSO → SAML → New.
- Orkestra returns three values: ACS URL, Entity ID and metadata XML.
- Copy these values — you'll need them in your IdP.
2. In your IdP
- Create a new SAML 2.0 application.
- Paste Orkestra's ACS URL and Entity ID.
- Configure the attributes: email (required), firstName, lastName.
- Download the IdP's metadata XML (or copy the certificate + SSO endpoint URL).
3. Back in Orkestra
- Upload the IdP's metadata XML (or paste the values manually).
- Enable Force SSO if you want all org members to log in only via SSO (disables password login).
- Add allowed domains (e.g. yourcompany.com). Only users with those email domains can log in.
- Save and test with a test account.
Set up OIDC
The process is similar, but uses Settings → SSO → OIDC → New. You'll need:
- IdP Issuer URL (e.g. https://your-tenant.okta.com/oauth2/default)
- Client ID
- Client Secret
- Scopes (openid profile email)
Orkestra configures the redirect URIs and endpoints automatically. You only need to copy the 4 values from the IdP into Orkestra.
Set up SCIM 2.0
SCIM requires SSO to be configured first (SAML or OIDC). The steps:
- In Orkestra: Settings → SSO → SCIM → Generate token. Copy it; it is shown only once.
- In your IdP (Okta, Azure AD, etc.): add a SCIM 2.0 app, configure the endpoint https://api.orkestra.team/v1/scim/v2 and paste the token into the Authorization: Bearer ... header.
- Assign the users and groups you want to provision.
- Your IdP will start creating, updating and deactivating users automatically.
Group to area mapping
SCIM groups map automatically to Orkestra Areas with the same name. If you create a "Marketing" group in your IdP, a "Marketing" Area is created in Orkestra. When you add a user to the group, they're added to the area with MEMBER role by default.
You can change the default role or the Area mode (OPEN/RESTRICTED) from Orkestra after SCIM creates the area. Changes are respected in future syncs.
Troubleshooting
- "SAML assertion invalid" error: verify that the IdP's server time and Orkestra's are synced (±5 min tolerance).
- Users not provisioned by SCIM: check the log at Settings → SSO → SCIM → Log. Usually a scope or token issue.
- "Force SSO" locked me out: contact support with your org ID. We can temporarily disable force-SSO so you can recover access.
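To see why clock drift produces the "SAML assertion invalid" error, here is an added example (not Orkestra's code) that applies the ±5 minute tolerance to an assertion's Conditions window the way a service provider does. The assertion XML, the issuer and the audience values are constructed; the element names and namespace are standard SAML 2.0.

```python
# Added example, not Orkestra's implementation: validate a SAML assertion's
# NotBefore / NotOnOrAfter window against the service provider's clock with a
# ±5 minute skew tolerance. Audience and signature checks are out of scope here.
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SKEW = timedelta(minutes=5)

# Constructed sample assertion; only the parts relevant to the time window are present.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com/</saml:Issuer>
  <saml:Conditions NotBefore="2024-05-01T12:00:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com/saml/metadata</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def parse_saml_time(value: str) -> datetime:
    """SAML timestamps are UTC ISO 8601 ending in 'Z' (optionally with fractions)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def check_assertion_window(xml_text: str, now: datetime) -> tuple:
    """Return (accepted, reason). `now` is the SP's clock (Orkestra's, in this page's case).

    An IdP whose clock is off by more than the tolerance produces a window that the
    SP's clock falls outside of, which is the cause the troubleshooting entry points at.
    """
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None or not cond.get("NotBefore") or not cond.get("NotOnOrAfter"):
        return False, "Conditions element missing NotBefore/NotOnOrAfter"
    not_before = parse_saml_time(cond.get("NotBefore"))
    not_on_or_after = parse_saml_time(cond.get("NotOnOrAfter"))
    # Tolerance is applied in both directions, so a small drift either way still passes.
    if now < not_before - SKEW:
        return False, "assertion not yet valid: IdP clock is ahead of the SP by more than 5 min"
    if now >= not_on_or_after + SKEW:
        return False, "assertion expired: IdP clock is behind the SP by more than 5 min"
    return True, "within validity window"


if __name__ == "__main__":
    sp_now = datetime(2024, 5, 1, 12, 2, tzinfo=timezone.utc)
    print(check_assertion_window(SAMPLE_ASSERTION, sp_now))
```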