SSO / SAML

Allow your team to sign in to Webb.in using your existing identity provider — Okta, Azure AD, Google Workspace, or any SAML 2.0 / OIDC-compatible IdP.

Enterprise — OIDC & SAML 2.0

OIDC vs SAML 2.0

OIDC (OpenID Connect)

  • ✓ Simpler configuration
  • ✓ Works with any OIDC-compatible IdP
  • ✓ Modern JSON-based tokens
  • ✓ Available on Enterprise plan

SAML 2.0

  • ✓ Enterprise-grade XML standard
  • ✓ Okta, Azure AD, Google Workspace, Keycloak
  • ✓ Full attribute mapping (role, department)
  • ✓ Available on Enterprise plan

Setting Up OIDC

  1. Create an OIDC Client in Your IdP

    In Okta, Azure AD, or Keycloak, create a new OpenID Connect application. Set the redirect URI to https://api.webb.in/api/auth/oidc/callback.

  2. Collect Your Credentials

    Copy your Issuer URL (e.g. https://your-org.okta.com), Client ID, and Client Secret.

  3. Contact Webb.in to Configure

    Email enterprise@webb.in with your Issuer URL, Client ID, and Client Secret. We will configure your instance within one business day.

  4. Test the Login Flow

    Go to app.webb.in. You will see a Sign in with SSO button. Click it to complete the OIDC Authorization Code flow through your IdP.

Setting Up SAML 2.0

SAML 2.0 requires configuring your IdP with Webb.in's Service Provider (SP) metadata. Follow these steps:

  1. Download SP Metadata

    Our Service Provider metadata is available at:

    GET https://api.webb.in/api/auth/saml/metadata

    Import this XML file into your IdP to auto-configure the SP settings.

  2. Key SP Details

    If your IdP does not support metadata import, configure these values manually:

    Entity ID  : https://api.webb.in
    ACS URL    : https://api.webb.in/api/auth/saml/acs
    Binding    : HTTP-POST
    NameID     : Email Address

  3. Configure Attribute Mapping in Your IdP

    Map your IdP's user attributes to the following claim names:

    Webb.in field   Accepted IdP attribute names
    email           email, emailaddress, http://schemas.xmlsoap.org/.../emailaddress
    firstName       firstname, givenname, given_name
    lastName        lastname, surname, familyname
    role            role, http://schemas.microsoft.com/.../role
    department      department

  4. Test the SSO Login

    Initiate a login from your IdP (IdP-initiated) or from app.webb.in (SP-initiated). After authentication, you will land on the web portal dashboard, already logged in.
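
Before importing the SP metadata from step 1, it is worth confirming that the file carries the same values listed under Key SP Details. The following check is an added example, not Webb.in's own code. It assumes the metadata is a standard SAML 2.0 EntityDescriptor and that the "Email Address" NameID is declared with the SAML 1.1 emailAddress format URN; the embedded XML is a constructed sample.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
# Assumption: "NameID: Email Address" is declared with this standard URN.
EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Values documented in "Key SP Details" on this page.
EXPECTED_ENTITY_ID = "https://api.webb.in"
EXPECTED_ACS = "https://api.webb.in/api/auth/saml/acs"

# Constructed sample; the real file comes from the metadata URL in step 1.
SAMPLE = b"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://api.webb.in">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://api.webb.in/api/auth/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def check_sp_metadata(xml_bytes):
    """Return a list of mismatches; an empty list means the file matches."""
    # Metadata never needs a DTD; refusing one avoids entity-expansion tricks.
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        return ["metadata contains a DTD; refusing to parse"]
    root = ET.fromstring(xml_bytes)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        return ["root element is not md:EntityDescriptor"]
    problems = []
    if root.get("entityID") != EXPECTED_ENTITY_ID:
        problems.append("entityID is %r" % root.get("entityID"))
    acs = root.findall("md:SPSSODescriptor/md:AssertionConsumerService", NS)
    if not acs:
        problems.append("no AssertionConsumerService element")
    for svc in acs:
        # Every ACS endpoint must be the documented one: an extra endpoint
        # is another place the IdP could be told to post assertions.
        if svc.get("Location") != EXPECTED_ACS:
            problems.append("unexpected ACS URL %r" % svc.get("Location"))
        if svc.get("Binding") != POST:
            problems.append("unexpected binding %r" % svc.get("Binding"))
    fmts = [e.text.strip() for e in root.findall("md:SPSSODescriptor/md:NameIDFormat", NS) if e.text]
    if EMAIL not in fmts:
        problems.append("emailAddress NameID format not declared")
    return problems


if __name__ == "__main__":
    print(check_sp_metadata(SAMPLE) or "metadata matches documented SP values")
```

To check a real download, pass the bytes of the saved metadata file to check_sp_metadata instead of SAMPLE.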

Supported Identity Providers

  • Okta: OIDC & SAML 2.0
  • Microsoft Azure AD: OIDC & SAML 2.0
  • Google Workspace: OIDC & SAML 2.0
  • Keycloak: OIDC & SAML 2.0
  • OneLogin: SAML 2.0
  • Any OIDC/SAML IdP: Standards-compliant

User Provisioning

When a user signs in via SSO for the first time, Webb.in automatically creates an account for them using the email address from their IdP assertion. Subsequent logins are matched on email — no duplicate accounts are created.

New SSO users are provisioned with an Enterprise tier account by default. Admins can adjust tiers manually from the admin panel or contact enterprise@webb.in.

Frequently Asked Questions

Can users still log in with email and password after SSO is enabled?

Yes, by default. If you want to enforce SSO-only login and disable password login, contact enterprise@webb.in.

Does Webb.in support Just-in-Time (JIT) provisioning?

Yes. Accounts are created automatically on first-time SSO login. No pre-provisioning is required.

Is SCIM provisioning supported?

SCIM is on the roadmap for a future release. Contact us if this is critical for your deployment.

What happens if my IdP is down?

Users who have a Webb.in username and password set can still log in via the standard login form. SSO is an additional login option, not a replacement.