Single Sign-On (SAML & OIDC)
Workspaces on the Agency plan can let members sign in through their own identity provider — either via SAML 2.0 or OpenID Connect (OIDC). Both are configured under Settings → Integrations → SAML/SSO and a workspace uses one protocol at a time.
Once SSO is enabled, the login form detects it automatically: when a member enters their email address, a Sign in with SSO button appears.
OpenID Connect (recommended for Authentik, Keycloak, Okta)
You need three values from your IdP:
| Field | Description |
|---|---|
| Discovery URL | The .well-known/openid-configuration URL of your IdP |
| Client ID | From the OAuth2/OIDC client you create in the IdP |
| Client secret | From the same client |
In your IdP, register the redirect URI shown in the Expirly settings form (https://<your-expirly-domain>/api/auth/saml/oidc).
Example: Authentik
- In Authentik, create a Provider of type OAuth2/OpenID Provider with client type Confidential and add the Expirly redirect URI.
- Create an Application and assign the provider.
- The discovery URL is
https://<authentik-domain>/application/o/<application-slug>/.well-known/openid-configuration. - Copy client ID and secret into Expirly, enable OIDC login, and save.
Example: Keycloak
- In your realm, create a Client with Client authentication enabled (confidential) and the Expirly redirect URI under Valid redirect URIs.
- The discovery URL is
https://<keycloak-domain>/realms/<realm>/.well-known/openid-configuration. - Copy the client ID and the secret from the Credentials tab into Expirly, enable OIDC login, and save.
SAML 2.0
For SAML you need the IdP’s SSO URL, the entity ID, and the x509 signing certificate (PEM or raw base64). Authentik and Keycloak both provide SAML providers as well — use SAML only if your organization standardizes on it; OIDC is the simpler setup.
Notes
- SSO credentials (discovery URL, client secret, SAML SSO URL) are stored encrypted (AES-256-GCM).
- Enabling one protocol automatically disables the other — a workspace has exactly one active SSO connection.
- Users keep their existing Expirly account: SSO is linked by email address, so magic-link users can switch to SSO seamlessly.