SSO and SCIM
SAML 2.0 and OIDC single sign-on with SCIM 2.0 automated user provisioning. Available on Sovereign and Enterprise plans.
Supported Protocols
| Protocol | Standard | Use Case |
|---|---|---|
| SAML 2.0 | OASIS SAML 2.0 | Enterprise IdP integration (Okta, Azure AD, ADFS, Ping, OneLogin) |
| OIDC | OpenID Connect 1.0 | Modern IdP integration (Auth0, Google Workspace, Keycloak) |
| SCIM 2.0 | RFC 7644 | Automated user provisioning and deprovisioning |
SAML 2.0 Configuration
SAML SSO is configured per tenant by an operator through the Admin API or Admin Dashboard.
Required Information from Your IdP
- IdP Entity ID: The unique identifier of your identity provider
- SSO URL: The SAML endpoint where login requests are sent
- X.509 Certificate: The public certificate used to verify SAML assertions
- NameID Format: Typically `emailAddress`
RadMah AI SP Metadata
- Entity ID: https://api.radmah.ai/saml/metadata
- ACS URL: https://api.radmah.ai/saml/acs
- SLO URL: https://api.radmah.ai/saml/slo
OIDC Configuration
OpenID Connect provides a modern alternative to SAML for identity providers that support it.
Required Information
- Issuer URL: The OpenID Connect discovery endpoint
- Client ID: Application client ID from your IdP
- Client Secret: Stored encrypted in RadMah AI SecretRef (never exposed after creation)
- Scopes: `openid email profile`
Redirect URI
OIDC Redirect URI: https://app.radmah.ai/auth/callback
SCIM 2.0 Provisioning
SCIM enables automated user lifecycle management -- create, update, deactivate, and delete users directly from your identity provider.
SCIM Endpoint
SCIM Base URL: https://admin-api.radmah.ai/v1/admin/scim/v2
Supported SCIM Resources
| Resource | Endpoint | Operations |
|---|---|---|
| Users | /scim/v2/Users | Create, Read, Update, Deactivate, Delete |
| Groups | /scim/v2/Groups | Create, Read, Update, Delete |
SCIM Authentication
Bearer Token Required
SCIM endpoints are authenticated with a bearer token. The token is configured per tenant and stored as a SecretRef. Contact your RadMah AI operator to provision the SCIM bearer token for your tenant.
User Mapping
SSO users are mapped to RadMah AI tenant memberships:
- Email from the SAML assertion or OIDC claims is matched to `TenantUser.email`
- New users are created automatically on first SSO login (JIT provisioning) with the `member` role
- SCIM can override the default role assignment based on group membership
- Deactivation via SCIM sets membership status to `disabled`
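As an added illustration of the SCIM authentication and user-mapping rules above (example code, not RadMah AI's implementation), the following in-memory model shows how a bearer-token-protected `/Users` handler would JIT-create a member on first sight of an email and flip membership status to `disabled` on a SCIM `active: false` PATCH. The `Tenant` class, `scim_users` method and the token value are assumptions for this example; group-based role overrides are not modelled.

```python
import hmac
from dataclasses import dataclass, field

# Constructed stand-in for the per-tenant SCIM bearer token (in production it lives in a SecretRef).
SCIM_TOKEN = "constructed-example-token"
SCIM_ERROR = "urn:ietf:params:scim:api:messages:2.0:Error"


@dataclass
class TenantUser:
    email: str
    role: str = "member"      # default role assigned on JIT provisioning
    status: str = "active"    # SCIM deactivation sets this to "disabled"


@dataclass
class Tenant:
    users: dict = field(default_factory=dict)  # TenantUser keyed by lower-cased email

    def sso_login(self, email: str) -> TenantUser:
        """Match the SAML/OIDC email to TenantUser.email; JIT-create the member on first login."""
        key = email.lower()
        if key not in self.users:
            self.users[key] = TenantUser(email=email)
        return self.users[key]

    def _authorized(self, auth: str) -> bool:
        scheme, _, token = auth.partition(" ")
        # Constant-time comparison so the token check leaks no timing information.
        return scheme == "Bearer" and hmac.compare_digest(token, SCIM_TOKEN)

    def scim_users(self, auth: str, method: str, body: dict, user_id: str = "") -> tuple[int, dict]:
        """Minimal /scim/v2/Users handler: POST creates a user; PATCH with active=false deactivates."""
        if not self._authorized(auth):
            return 401, {"schemas": [SCIM_ERROR], "status": "401"}
        if method == "POST":
            user = self.sso_login(body["userName"])
            return 201, {"id": user.email, "userName": user.email, "active": True}
        user = self.users.get(user_id.lower())  # PATCH targets the user id from the URL path
        if user is None:
            return 404, {"schemas": [SCIM_ERROR], "status": "404"}
        for op in body.get("Operations", []):
            if op.get("op", "").lower() == "replace" and op.get("value", {}).get("active") is False:
                user.status = "disabled"  # deactivation via SCIM sets membership status to disabled
        return 200, {"id": user.email, "userName": user.email, "active": user.status == "active"}
```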
Admin API Endpoints
| Method | Path | Description |
|---|---|---|
| GET | /v1/admin/tenants/{id}/sso | Get SSO configuration for tenant |
| PUT | /v1/admin/tenants/{id}/sso | Update SSO configuration |
| DELETE | /v1/admin/tenants/{id}/sso | Remove SSO configuration |
Plan Availability
| Feature | Free | Sovereign | Enterprise |
|---|---|---|---|
| SAML 2.0 | No | Yes | Yes |
| OIDC | No | Yes | Yes |
| SCIM 2.0 | No | Yes | Yes |