SSO Configuration
Set up Single Sign-On for your Vrex workspace
Single Sign-On (SSO) lets your team log in to Vrex using your organization’s identity provider.
Supported Providers
Vrex supports SSO via:
- SAML 2.0 - Works with most enterprise IdPs
- OpenID Connect (OIDC) - For modern OAuth-based systems
Common Identity Providers
| Provider | Protocol | Status |
|---|---|---|
| Microsoft Entra ID (Azure AD) | SAML / OIDC | ✓ Supported |
| Okta | SAML / OIDC | ✓ Supported |
| Google Workspace | OIDC | ✓ Supported |
| OneLogin | SAML | ✓ Supported |
| Ping Identity | SAML | ✓ Supported |
| Other SAML 2.0 IdPs | SAML | ✓ Supported |
Prerequisites
- Vrex workspace on a plan that supports SSO
- Admin access to your identity provider
- Domain ownership verification (for custom domains)
Setup Process
Step 1: Contact Vrex
SSO setup requires coordination. Email support@vrex.no with:
- Your workspace name
- Your identity provider
- Email domain(s) to enable SSO for
- Technical contact information
Our team will provide:
- Vrex SP metadata (for SAML)
- Callback URLs (for OIDC)
- Configuration guidance
Step 2: Configure Your IdP
For Microsoft Entra ID (Azure AD)
- Go to Enterprise Applications → New Application
- Search for “Vrex” or create a custom application
- Configure SAML settings:
- Entity ID:
urn:auth0:vrex:<connection-name> - Reply URL:
https://vrex.eu.auth0.com/login/callback
- Entity ID:
- Download the Federation Metadata XML
- Send to Vrex support
For Okta
- Go to Applications → Add Application
- Select SAML 2.0
- Configure:
- Single Sign-On URL:
https://vrex.eu.auth0.com/login/callback - Audience URI:
urn:auth0:vrex:<connection-name>
- Single Sign-On URL:
- Copy the IdP metadata URL or download metadata
- Send to Vrex support
For Google Workspace
- Go to Admin Console → Apps → SAML Apps
- Click Add App → Add custom SAML app
- Enter Vrex SAML configuration
- Download IdP metadata
- Send to Vrex support
Step 3: Attribute Mapping
Map your IdP attributes to Vrex:
| Vrex Attribute | Common IdP Attribute |
|---|---|
email | user.email |
given_name | user.firstName |
family_name | user.lastName |
name | user.displayName |
email is required. Name attributes are recommended.
Step 4: User Provisioning
Choose how users are added to Vrex:
Just-in-Time (JIT) Provisioning
- Users are created automatically on first login
- No manual user management needed
- Default role assigned to new users
SCIM Provisioning
- Sync users automatically from your IdP
- User lifecycle managed by IdP
- Groups sync to Vrex teams
- Available for enterprise plans
Step 5: Testing
Before enabling for all users:
- Test with a pilot group
- Verify login works
- Check attribute mapping
- Confirm provisioning behavior
Step 6: Enforcement
Once tested, enable SSO enforcement:
- Optional: Users can choose SSO or password
- Required: All users must use SSO (recommended)
User Experience
With SSO enabled:
- User goes to Vrex login
- Enters their email address
- Redirected to company IdP
- Authenticates with company credentials
- Redirected back to Vrex, logged in
Domain Verification
To enable SSO for @company.com:
- Prove domain ownership via DNS TXT record
- Add record:
vrex-verify=<verification-code> - Vrex confirms domain ownership
- SSO enabled for that domain
Troubleshooting
| Issue | Solution |
|---|---|
| “User not found” | Check JIT provisioning is enabled |
| Login loop | Verify callback URL in IdP |
| Wrong attributes | Check attribute mapping |
| Can’t log in with password | SSO enforcement may be enabled |
SSO and Existing Users
When enabling SSO for existing users:
- Accounts with matching email are linked automatically
- Users keep their project access
- Password login is disabled if enforcement is on
Emergency Access
For SSO outages, keep a backup:
- Designated admin with password login
- Or contact Vrex support for temporary access