Single Sign-On (SSO)
Configure SAML 2.0 or OIDC so your team members sign in through your identity provider.
Prerequisites
- Team plan — SSO is a Team plan feature
- Owner or Admin role — only owners and admins can configure SSO
- A configured identity provider (Okta, Azure AD, Google Workspace, OneLogin, etc.)
SAML 2.0 Setup
1. Get your SP metadata
In the dashboard, go to Teams → your team → SSO. Click Configure SSO and select SAML 2.0. The SP metadata section shows:
| Field | Value |
|---|---|
| Entity ID | https://varsafe.dev/api/auth/sso/sp/{providerId} |
| ACS URL | https://varsafe.dev/api/auth/sso/callback/{providerId} |
Copy these values into your identity provider's SAML app configuration.
2. Configure your IdP
In your identity provider, create a new SAML application and paste the Entity ID and ACS URL from above. Then collect:
- Entry Point URL — Your IdP's SSO login URL
- Certificate — The IdP's signing certificate in PEM format
- Issuer (optional) — The IdP's entity ID, if different from entry point
3. Enter IdP details in varsafe
Back in the dashboard SSO settings, fill in:
- Entry Point URL — Paste the IdP SSO URL
- Certificate — Paste the full PEM certificate (including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines)
- Issuer — Optional. Enter if your IdP requires it
Click Save to create the SSO configuration.
4. Verify your domain
Enter the email domain your team uses (e.g., acme.com). varsafe uses this domain to route login requests to your IdP.
OIDC Setup
1. Create an OIDC application in your IdP
Register a new application with your identity provider. Set the redirect URI to:
https://varsafe.dev/api/auth/sso/callback/{providerId}
2. Collect credentials
From your IdP, collect:
- Discovery URL — The OpenID Connect discovery endpoint (e.g., https://accounts.google.com/.well-known/openid-configuration)
- Client ID — The application client ID
- Client Secret — The application client secret
3. Configure in varsafe
In the dashboard, go to Teams → your team → SSO. Click Configure SSO and select OIDC.
- Discovery URL — Paste the discovery endpoint
- Client ID — Paste the client ID
- Client Secret — Paste the client secret
Click Save.
4. Verify your domain
Enter the email domain for SSO routing, exactly as in the SAML setup.
How SSO Login Works
Once SSO is configured and a domain is verified:
- User enters their email on the varsafe login page
- varsafe checks the email domain against configured SSO providers
- If a match is found, the user is redirected to the IdP login page
- After IdP authentication, the user is redirected back to varsafe
- A varsafe session is created automatically
Users with SSO-enabled domains are routed to SSO automatically — no separate login URL needed.
Managing SSO
Enable / Disable
Toggle SSO on or off from Teams → your team → SSO. Disabling SSO does not delete the configuration — team members fall back to email/password or OAuth login.
Update Configuration
Click Edit in the SSO settings panel to update IdP details (certificate rotation, new endpoints, etc.).
Delete SSO
Click Delete to permanently remove the SSO configuration. Team members will need to use another login method.
WARNING
Deleting SSO is permanent. Members who only used SSO will need to set a password or add a passkey before they can sign in again.
Troubleshooting
Clock skew errors
SAML assertions have a time window. varsafe allows up to 5 minutes of clock skew. If your IdP's server clock is further off, sync it with NTP.
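The time-window rule above, as an added example that is not varsafe's own code: it reads the NotBefore and NotOnOrAfter attributes from a SAML Conditions element and evaluates them against the current time with up to 5 minutes (300 seconds) of clock skew tolerated in either direction. The assertion fragment is constructed, the `skew_seconds` parameter and the issuer URL are assumptions, and only the Conditions element is inspected; in a real service the XML signature is verified before any assertion content is trusted.

```python
"""Check a SAML assertion's validity window with clock-skew tolerance.

Added example, not varsafe's code. It applies the rule from "Clock skew
errors": the Conditions element's NotBefore / NotOnOrAfter window is
evaluated against the current time with up to 5 minutes (300 s) of skew
tolerated in either direction. The assertion fragment below is
constructed; only its Conditions are inspected, and in a real service
the XML signature is verified before any content is trusted.
"""
from datetime import datetime, timedelta, timezone
from typing import Tuple
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
MAX_SKEW_SECONDS = 300   # the 5-minute tolerance described in the text


def parse_saml_time(value: str) -> datetime:
    """Parse a SAML xs:dateTime such as 2024-05-01T12:00:00Z (must be UTC)."""
    if not value.endswith("Z"):
        raise ValueError(f"timestamp {value!r} is not in UTC 'Z' form")
    return datetime.fromisoformat(value[:-1]).replace(tzinfo=timezone.utc)


def check_conditions(assertion_xml: str, now: datetime,
                     skew_seconds: int = MAX_SKEW_SECONDS) -> Tuple[bool, str]:
    """Return (ok, reason) for the assertion's time window at instant `now`."""
    skew = timedelta(seconds=skew_seconds)
    root = ET.fromstring(assertion_xml)
    cond = root.find(".//saml:Conditions", SAML_NS)
    if cond is None:
        return False, "no Conditions element"
    not_before = cond.get("NotBefore")
    not_on_or_after = cond.get("NotOnOrAfter")
    # Accepted from (NotBefore - skew) ...
    if not_before and now + skew < parse_saml_time(not_before):
        return False, f"not yet valid: NotBefore={not_before}"
    # ... up to, but excluding, (NotOnOrAfter + skew); NotOnOrAfter is exclusive.
    if not_on_or_after and now - skew >= parse_saml_time(not_on_or_after):
        return False, f"expired: NotOnOrAfter={not_on_or_after}"
    return True, "within validity window"


# Constructed assertion fragment with a five-minute window (not a real IdP's output).
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>https://idp.example/metadata</saml:Issuer>
  <saml:Conditions NotBefore="2024-05-01T12:00:00Z"
                   NotOnOrAfter="2024-05-01T12:05:00Z"/>
</saml:Assertion>"""

if __name__ == "__main__":
    for t in ["2024-05-01T11:54:00Z", "2024-05-01T11:56:00Z",
              "2024-05-01T12:09:59Z", "2024-05-01T12:10:00Z"]:
        print(t, check_conditions(ASSERTION, parse_saml_time(t)))
```

With the default tolerance, an assertion whose window is 12:00 to 12:05 is accepted from 11:55:00 up to 12:09:59; an IdP clock that is off by more than five minutes pushes the assertion outside that range, which is the failure the NTP advice addresses.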
Certificate format
The certificate must be in PEM format. If you have a .cer or .der file, convert it:
```bash
openssl x509 -inform DER -in cert.cer -out cert.pem
```
Paste the full PEM including the BEGIN and END lines.
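A pre-flight check for the certificate you are about to paste, as an added example that is not varsafe's code: it accepts either a DER (.cer/.der) blob or PEM text, emits canonical PEM, and rejects input that lacks its BEGIN or END line or does not decode to a DER SEQUENCE (every X.509 certificate starts with tag 0x30). It uses only the Python standard library; the sample bytes at the bottom are a constructed stand-in, not a real certificate, and the function names are assumptions.

```python
"""Normalise an IdP signing certificate to PEM and sanity-check it.

Added example, not varsafe's code. Step 3 of the SAML setup and the
"Certificate format" note require the full PEM text including the BEGIN
and END lines. This helper accepts DER or PEM input, returns canonical
PEM, and rejects input that is missing its armour or does not decode to
a DER SEQUENCE (tag 0x30, the first byte of every X.509 certificate).
It does not parse the certificate further, so expiry is not checked here.
"""
import ssl
from typing import Tuple

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def to_pem(data: bytes) -> str:
    """Return canonical PEM for DER or PEM input; raise ValueError if unusable."""
    if data.lstrip().startswith(b"-----BEGIN"):
        text = data.decode("ascii").strip()
        if not text.startswith(BEGIN) or not text.endswith(END):
            raise ValueError("PEM is missing its BEGIN or END CERTIFICATE line")
        # Strips the armour and base64-decodes the body (stdlib helper).
        der = ssl.PEM_cert_to_DER_cert(text)
    else:
        der = data                      # treat anything else as raw DER
    if not der or der[0] != 0x30:
        raise ValueError("decoded bytes do not start with a DER SEQUENCE; not a certificate")
    # Re-armours with 64-character lines, the same layout openssl emits.
    return ssl.DER_cert_to_PEM_cert(der)


def check_certificate(data: bytes) -> Tuple[bool, str]:
    """Return (ok, pem_or_reason) so callers can report instead of catch."""
    try:
        return True, to_pem(data)
    except (ValueError, UnicodeDecodeError) as exc:
        return False, str(exc)


# Constructed stand-in: a 5-byte DER SEQUENCE containing INTEGER 5.
# It has the right outer shape for the check but is NOT a certificate.
SAMPLE_DER = b"\x30\x03\x02\x01\x05"
SAMPLE_PEM = BEGIN + "\nMAMCAQU=\n" + END + "\n"

if __name__ == "__main__":
    print(check_certificate(SAMPLE_DER))
    print(check_certificate(SAMPLE_PEM.encode()))
    print(check_certificate(b"-----BEGIN CERTIFICATE-----\nMAMCAQU=\n"))   # END line lost
    print(check_certificate(b"\x02\x01\x05"))                               # not a SEQUENCE
```

The shape check catches the two mistakes the troubleshooting note is about (a DER file pasted as text, or a PEM pasted without its END line); whether the certificate has expired still needs `openssl x509 -noout -enddate` or a full X.509 parser.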
Domain mismatch
SSO routing matches the email domain exactly. If your team uses multiple domains (e.g., acme.com and acme.io), configure each domain in the SSO settings.
User not redirected to IdP
- Verify the domain is marked as verified in SSO settings
- Confirm the user's email matches the configured domain
- Check that SSO is enabled (not just configured)
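The routing described under "How SSO Login Works", together with the exact-domain rule from "Domain mismatch" and the three checks just listed, as an added example that is not varsafe's own code. It routes a login to the IdP only when the email domain exactly matches a domain on a provider that is both enabled and verified, and otherwise returns the reason, so the same function doubles as a diagnostic. Provider records, provider ids, the `SsoProvider` structure and the email addresses are constructed.

```python
"""Email-domain routing for SSO login, with diagnostic reasons.

Added example, not varsafe's own code. It models the routing described
under "How SSO Login Works" and the three checks in "User not redirected
to IdP": a login goes to the IdP only when the email domain exactly
matches a domain on a provider that is both enabled and verified.
Provider records, provider ids and email addresses are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class SsoProvider:
    provider_id: str                      # hypothetical id, e.g. "prov-acme"
    protocol: str                         # "saml" or "oidc"
    domains: Dict[str, bool] = field(default_factory=dict)  # domain -> verified?
    enabled: bool = True                  # the Enable / Disable toggle

    def __post_init__(self) -> None:
        # Domains are compared case-insensitively, so store them lower-cased.
        self.domains = {d.lower(): v for d, v in self.domains.items()}


def email_domain(email: str) -> Optional[str]:
    """Return the lower-cased domain of an address, or None if it is malformed."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain or "@" in local:
        return None
    return domain.lower()


def route_login(email: str, providers: List[SsoProvider]) -> Tuple[str, Optional[str]]:
    """Decide where a login attempt goes.

    Returns (decision, provider_id) where decision is:
      "sso"         redirect to that provider's IdP
      "no-domain"   the address has no usable domain
      "no-match"    no provider lists this exact domain (subdomains do not match)
      "unverified"  the domain is configured but not yet verified
      "disabled"    the provider exists but SSO is toggled off
    Anything other than "sso" falls back to email/password or OAuth login.
    """
    domain = email_domain(email)
    if domain is None:
        return "no-domain", None
    for provider in providers:
        if domain not in provider.domains:
            continue                      # exact match only, per "Domain mismatch"
        if not provider.enabled:
            return "disabled", provider.provider_id
        if not provider.domains[domain]:
            return "unverified", provider.provider_id
        return "sso", provider.provider_id
    return "no-match", None


# Constructed sample configuration: two teams, one with SSO switched off.
PROVIDERS = [
    SsoProvider("prov-acme", "saml", {"acme.com": True, "acme.io": False}),
    SsoProvider("prov-globex", "oidc", {"globex.example": True}, enabled=False),
]

if __name__ == "__main__":
    for addr in ["alice@acme.com", "Bob@ACME.COM", "carol@acme.io",
                 "dave@sub.acme.com", "eve@globex.example", "not-an-email"]:
        print(f"{addr:22} -> {route_login(addr, PROVIDERS)}")
```

Note that `dave@sub.acme.com` is not routed even though `acme.com` is verified: matching is exact, so each domain (and each subdomain) a team uses has to be configured separately.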
SAML assertion failures
- Verify the ACS URL in your IdP matches varsafe's ACS URL exactly
- Check that the Entity ID matches
- Ensure the certificate hasn't expired
OIDC errors
- Verify the discovery URL is accessible and returns valid JSON
- Confirm the redirect URI in your IdP matches varsafe's callback URL
- Check that the client secret is correct
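A check for the discovery URL from step 2 of the OIDC setup and the first OIDC troubleshooting item, as an added example that is not varsafe's code. "Returns valid JSON" is necessary but not sufficient, so this validator also confirms the fields an OIDC relying party needs (the required metadata of OpenID Connect Discovery 1.0), that every endpoint is https, and that the document's `issuer` matches the URL it was fetched from (the issuer check of Discovery 1.0 section 4.3). The discovery document and provider hostname are constructed; fetching is left to the caller so the check runs offline.

```python
"""Validate an OpenID Connect discovery document before entering it.

Added example, not varsafe's code. Beyond "valid JSON", it checks the
metadata an OIDC relying party needs (required by OpenID Connect
Discovery 1.0), that endpoints use https, and that the issuer matches
the discovery URL it came from. The document below is a constructed
sample, not any real provider's response.
"""
import json
from typing import List
from urllib.parse import urlsplit

REQUIRED_FIELDS = (
    "issuer",
    "authorization_endpoint",
    "token_endpoint",          # required for the authorization code flow
    "jwks_uri",
    "response_types_supported",
    "subject_types_supported",
    "id_token_signing_alg_values_supported",
)
ENDPOINT_FIELDS = ("authorization_endpoint", "token_endpoint",
                   "jwks_uri", "userinfo_endpoint")
WELL_KNOWN = "/.well-known/openid-configuration"


def validate_discovery(discovery_url: str, body: str) -> List[str]:
    """Return a list of problems; an empty list means the document passed."""
    problems: List[str] = []
    try:
        doc = json.loads(body)
    except json.JSONDecodeError as exc:
        return [f"response is not valid JSON: {exc.msg}"]
    if not isinstance(doc, dict):
        return ["response is JSON but not an object"]
    for name in REQUIRED_FIELDS:
        if name not in doc:
            problems.append(f"missing required field {name}")
    issuer = doc.get("issuer")
    if isinstance(issuer, str):
        parts = urlsplit(issuer)
        if parts.scheme != "https" or parts.query or parts.fragment:
            problems.append("issuer must be an https URL without query or fragment")
        # Discovery 1.0 s4.3: the issuer must be the URL the document was fetched under.
        if discovery_url != issuer.rstrip("/") + WELL_KNOWN:
            problems.append(f"issuer {issuer} does not match discovery URL {discovery_url}")
    for name in ENDPOINT_FIELDS:
        value = doc.get(name)
        if value is not None and urlsplit(str(value)).scheme != "https":
            problems.append(f"{name} is not an https URL")
    types = doc.get("response_types_supported")
    if isinstance(types, list) and "code" not in types:
        problems.append("provider does not advertise response_type=code")
    algs = doc.get("id_token_signing_alg_values_supported")
    if isinstance(algs, list) and "RS256" not in algs:
        problems.append("provider does not advertise RS256 for ID tokens")
    return problems


# Constructed sample document for a hypothetical provider at idp.example.
GOOD_URL = "https://idp.example" + WELL_KNOWN
GOOD_DOC = json.dumps({
    "issuer": "https://idp.example",
    "authorization_endpoint": "https://idp.example/oauth2/authorize",
    "token_endpoint": "https://idp.example/oauth2/token",
    "jwks_uri": "https://idp.example/oauth2/keys",
    "userinfo_endpoint": "https://idp.example/oauth2/userinfo",
    "response_types_supported": ["code", "id_token"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
})

if __name__ == "__main__":
    print(validate_discovery(GOOD_URL, GOOD_DOC))          # []
    print(validate_discovery(GOOD_URL, "<html>sign in</html>"))
```

In practice you would fetch the discovery URL over TLS (for example with `urllib.request`) and pass the response body and the URL you requested to `validate_discovery`; a non-empty list is the thing to fix in the IdP before pasting the URL into the dashboard.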