Skip to content

Single Sign-On (SSO)

superglue supports Single Sign-On through Okta OpenID Connect (OIDC).

When SSO is enabled:

  • An Okta provider button appears on the login page.
  • Users are provisioned just-in-time — their superglue account is created on first login, with no manual invitation step.
  • Organization membership and roles are managed in superglue after the account exists.

In the Okta admin console, create an OIDC - Web Application:

  • Sign-in redirect URI: https://<your-superglue-domain>/api/auth/oauth2/callback/okta
  • Grant type: Authorization Code (PKCE is used automatically)

Note the Client ID and Client Secret.

Variable Required Description
AUTH_PROVIDERS Yes Include okta in the comma-separated provider list.
OKTA_CLIENT_ID Yes OIDC application client ID.
OKTA_CLIENT_SECRET Yes OIDC application client secret.
OKTA_ISSUER Yes Your Okta org URL, e.g. https://your-domain.okta.com (the Org Authorization Server).
AUTH_DISABLE_SIGNUP Yes true/false. When true, self-service account registration is blocked.
AUTH_DISABLE_INVITES Yes true/false. When true, organization invitations cannot be created or accepted.

The following applies to Okta SSO deployments.

To require everyone to sign in through SSO, enable only the SSO provider and disable email/password:

Terminal window
AUTH_PROVIDERS=okta
OKTA_CLIENT_ID=...
OKTA_CLIENT_SECRET=...
OKTA_ISSUER=https://your-domain.okta.com

Only providers listed in AUTH_PROVIDERS appear on the login page.

AUTH_DISABLE_SIGNUP and AUTH_DISABLE_INVITES are required booleans and must be set explicitly on every deployment — the server refuses to start if either is missing.

  • AUTH_DISABLE_SIGNUP=true blocks self-service registration. Users who already have an account, and users provisioned just-in-time through Okta, can still sign in.
  • AUTH_DISABLE_INVITES=true blocks organization invitations from being created, resent, or accepted.

For a pure SSO-only posture where accounts exist only because Okta provisioned them, set both to true:

Terminal window
AUTH_DISABLE_SIGNUP=true
AUTH_DISABLE_INVITES=true

Setting both to true without an Okta provider is rejected at startup, because it would leave no way for any account to be created.

  • Provider-driven login. The login page shows exactly the providers enabled in deployment config.
  • Existing users are unaffected. Email, Google, and GitHub accounts continue to work when their providers remain enabled. Enabling Okta only adds a login option.

When a user is deactivated in your identity provider, it stops issuing tokens for them, so they can no longer sign in to superglue. Their existing superglue account and any active sessions are not automatically revoked — remove the user from Control Panel → Organization if you need to terminate access immediately.