Skip to Content
IntegrationsSingle Sign-On (SAML & OIDC)

Single Sign-On (SAML & OIDC)

Workspaces on the Agency plan can let members sign in through their own identity provider — either via SAML 2.0 or OpenID Connect (OIDC). Both are configured under Settings → Integrations → SAML/SSO and a workspace uses one protocol at a time.

Once SSO is enabled, the login form detects it automatically: when a member enters their email address, a Sign in with SSO button appears.

You need three values from your IdP:

FieldDescription
Discovery URLThe .well-known/openid-configuration URL of your IdP
Client IDFrom the OAuth2/OIDC client you create in the IdP
Client secretFrom the same client

In your IdP, register the redirect URI shown in the Expirly settings form (https://<your-expirly-domain>/api/auth/saml/oidc).

Example: Authentik

  1. In Authentik, create a Provider of type OAuth2/OpenID Provider with client type Confidential and add the Expirly redirect URI.
  2. Create an Application and assign the provider.
  3. The discovery URL is https://<authentik-domain>/application/o/<application-slug>/.well-known/openid-configuration.
  4. Copy client ID and secret into Expirly, enable OIDC login, and save.

Example: Keycloak

  1. In your realm, create a Client with Client authentication enabled (confidential) and the Expirly redirect URI under Valid redirect URIs.
  2. The discovery URL is https://<keycloak-domain>/realms/<realm>/.well-known/openid-configuration.
  3. Copy the client ID and the secret from the Credentials tab into Expirly, enable OIDC login, and save.

SAML 2.0

For SAML you need the IdP’s SSO URL, the entity ID, and the x509 signing certificate (PEM or raw base64). Authentik and Keycloak both provide SAML providers as well — use SAML only if your organization standardizes on it; OIDC is the simpler setup.

Notes

  • SSO credentials (discovery URL, client secret, SAML SSO URL) are stored encrypted (AES-256-GCM).
  • Enabling one protocol automatically disables the other — a workspace has exactly one active SSO connection.
  • Users keep their existing Expirly account: SSO is linked by email address, so magic-link users can switch to SSO seamlessly.
Last updated on