SSO is available on Enterprise plans only. Contact sales to upgrade.
Single Sign-On (SSO) allows your team members to authenticate using your organization’s identity provider (IdP), providing centralized access management and enhanced security.

Supported Providers

EngageFabric supports two SSO protocols:

SAML 2.0

Industry standard for enterprise SSO. Works with Okta, Azure AD, OneLogin, and more.

OpenID Connect

Modern OAuth 2.0-based protocol. Works with Google Workspace, Auth0, Keycloak, and more.

Setting Up SAML SSO

Step 1: Get Your Service Provider Details

First, retrieve your SAML metadata from the API:
curl -X GET https://api.engagefabric.com/api/v1/enterprise/sso/metadata \
  -H "Authorization: Bearer YOUR_JWT_TOKEN"
Response:
{
  "entityId": "https://api.engagefabric.com/api/v1/auth/sso/your-org/metadata",
  "acsUrl": "https://api.engagefabric.com/api/v1/auth/sso/your-org/callback",
  "certificate": "-----BEGIN CERTIFICATE-----\n..."
}

Step 2: Configure Your Identity Provider

Add EngageFabric as a new application in your IdP:
  1. Go to Applications > Create App Integration
  2. Select SAML 2.0
  3. Enter the following settings:
    • Single Sign-On URL: {acsUrl from above}
    • Audience URI (SP Entity ID): {entityId from above}
    • Name ID Format: EmailAddress
  4. Under Attribute Statements, add:
    • email: user.email
    • firstName: user.firstName
    • lastName: user.lastName
  5. Save and copy the Metadata URL or download the IdP metadata

Step 3: Configure EngageFabric

Update your SSO configuration with the IdP details:
curl -X PUT https://api.engagefabric.com/api/v1/enterprise/sso \
  -H "Authorization: Bearer YOUR_JWT_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "provider": "SAML",
    "displayName": "Company SSO",
    "samlEntityId": "https://idp.company.com/saml/metadata",
    "samlSsoUrl": "https://idp.company.com/saml/sso",
    "samlCertificate": "-----BEGIN CERTIFICATE-----\nMIID...\n-----END CERTIFICATE-----",
    "autoProvision": true,
    "defaultRole": "MEMBER",
    "allowedDomains": ["company.com"]
  }'

Setting Up OIDC SSO

Step 1: Create an OAuth Application

In your identity provider, create a new OAuth/OIDC application:
  1. Go to Google Cloud Console
  2. Navigate to APIs & Services > Credentials
  3. Click Create Credentials > OAuth client ID
  4. Select Web application
  5. Add redirect URI: https://api.engagefabric.com/api/v1/auth/sso/your-org/callback
  6. Copy the Client ID and Client Secret

Step 2: Configure EngageFabric

curl -X PUT https://api.engagefabric.com/api/v1/enterprise/sso \
  -H "Authorization: Bearer YOUR_JWT_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "provider": "OIDC",
    "displayName": "Company SSO",
    "oidcIssuer": "https://accounts.google.com",
    "oidcClientId": "YOUR_CLIENT_ID",
    "oidcClientSecret": "YOUR_CLIENT_SECRET",
    "oidcScopes": ["openid", "profile", "email"],
    "autoProvision": true,
    "defaultRole": "MEMBER",
    "allowedDomains": ["company.com"]
  }'

Configuration Options

| Field | Type | Description |
|---|---|---|
| provider | string | SAML or OIDC |
| displayName | string | Friendly name shown on login button |
| autoProvision | boolean | Auto-create users on first login |
| defaultRole | string | Role for auto-provisioned users |
| allowedDomains | array | Restrict to specific email domains |

SAML-Specific Fields

| Field | Description |
|---|---|
| samlEntityId | IdP Entity ID from metadata |
| samlSsoUrl | IdP SSO endpoint URL |
| samlCertificate | IdP X.509 certificate |

OIDC-Specific Fields

| Field | Description |
|---|---|
| oidcIssuer | IdP issuer URL (e.g., https://accounts.google.com) |
| oidcClientId | OAuth client ID |
| oidcClientSecret | OAuth client secret |
| oidcScopes | Requested scopes (default: openid, profile, email) |

Testing Your Configuration

Before enforcing SSO, test that it works correctly:
curl -X POST https://api.engagefabric.com/api/v1/enterprise/sso/test \
  -H "Authorization: Bearer YOUR_JWT_TOKEN"
Response:
{
  "valid": true,
  "loginUrl": "https://idp.company.com/saml/sso?SAMLRequest=..."
}
Visit the loginUrl in a browser to test the full SSO flow.

Auto-Provisioning

When autoProvision is enabled:
  1. New users are automatically created on first SSO login
  2. They’re assigned the defaultRole you specified
  3. Their name and email are populated from the IdP
  4. They don’t need a separate invitation
Auto-provisioned users count toward your team member limit. Monitor your usage to avoid exceeding plan limits.

Domain Restrictions

Use allowedDomains to restrict which email domains can authenticate:
{
  "allowedDomains": ["company.com", "subsidiary.com"]
}
Users with email addresses outside these domains will be denied access, even if they successfully authenticate with your IdP.

Disabling SSO

To disable SSO and revert to password authentication:
curl -X DELETE https://api.engagefabric.com/api/v1/enterprise/sso \
  -H "Authorization: Bearer YOUR_JWT_TOKEN"
Disabling SSO will require all users to set passwords. Ensure users have password recovery options before disabling.

API Reference

| Method | Endpoint | Description |
|---|---|---|
| GET | /v1/enterprise/sso | Get current SSO configuration |
| PUT | /v1/enterprise/sso | Create or update SSO configuration |
| DELETE | /v1/enterprise/sso | Disable SSO |
| POST | /v1/enterprise/sso/test | Test SSO configuration |
| GET | /v1/enterprise/sso/metadata | Get SAML metadata for IdP setup |

Troubleshooting

Ensure you’ve copied the complete IdP certificate, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.
Check that:
  • autoProvision is set to true
  • The user’s email domain is in allowedDomains (if set)
  • You haven’t reached your plan’s team member limit
Ensure the callback URL in your IdP exactly matches: https://api.engagefabric.com/api/v1/auth/sso/{your-org-slug}/callback
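
A pre-flight lint for the PUT payload, covering the certificate and domain pitfalls listed above plus a few sanity checks on the documented fields. This is an added example, not EngageFabric code: lint_sso_config, its rules and the sample payloads are assumptions made for illustration.

```python
import re
from urllib.parse import urlparse

# Structural PEM check only (both marker lines, base64 body); not X.509 parsing.
PEM_RE = re.compile(r"\A-----BEGIN CERTIFICATE-----\n[A-Za-z0-9+/=\n]+"
                    r"\n-----END CERTIFICATE-----\n?\Z")
# Bare lowercase DNS name: no "@", wildcard, scheme or whitespace.
DOMAIN_RE = re.compile(r"\A(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}\Z")


def is_https(url):
    parts = urlparse(url or "")
    return parts.scheme == "https" and bool(parts.hostname)


def lint_sso_config(cfg):
    """Return a list of problems in an SSO payload; an empty list means none found."""
    problems = []
    provider = cfg.get("provider")
    if provider == "SAML":
        if not PEM_RE.match(cfg.get("samlCertificate") or ""):
            problems.append("samlCertificate: incomplete PEM block")
        if not is_https(cfg.get("samlSsoUrl")):
            problems.append("samlSsoUrl: expected an https URL")
    elif provider == "OIDC":
        if not is_https(cfg.get("oidcIssuer")):
            problems.append("oidcIssuer: expected an https URL")
        # Omitted scopes fall back to the documented default, which has openid.
        if "openid" not in cfg.get("oidcScopes", ["openid"]):
            problems.append("oidcScopes: must include openid")
    else:
        problems.append("provider: must be SAML or OIDC")
    domains = cfg.get("allowedDomains") or []
    for d in domains:
        if not DOMAIN_RE.match(str(d)):
            problems.append(f"allowedDomains: {d!r} is not a bare lowercase domain")
    if cfg.get("autoProvision") and not domains:
        problems.append("autoProvision: enabled without allowedDomains")
    return problems


# Constructed sample payloads (placeholder certificate body, not a real certificate).
GOOD = {"provider": "SAML", "samlSsoUrl": "https://idp.company.com/saml/sso",
        "samlCertificate": "-----BEGIN CERTIFICATE-----\nQUJDRA==\n-----END CERTIFICATE-----",
        "autoProvision": True, "allowedDomains": ["company.com"]}
BAD = {"provider": "SAML", "samlSsoUrl": "http://idp.company.com/saml/sso",
       "samlCertificate": "MIID...",  # marker lines lost when copying
       "autoProvision": True, "allowedDomains": ["@Company.com"]}

if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, lint_sso_config(cfg) or "no problems found")
```

The certificate check is structural only; confirm the certificate's fingerprint and expiry against your IdP separately.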