Single Sign-On (SSO)

Configure SAML 2.0 or OIDC-based single sign-on for your organization

Single Sign-On lets your team sign in to Sim through your company's identity provider instead of managing separate passwords. Sim supports both OIDC and SAML 2.0.


Setup

1. Open SSO settings

Go to Settings → Enterprise → Single Sign-On in your workspace.

2. Choose a protocol

Protocol  | Use when
OIDC      | Your IdP supports OpenID Connect — Okta, Microsoft Entra ID, Auth0, Google Workspace
SAML 2.0  | Your IdP is SAML-only — ADFS, Shibboleth, or older enterprise IdPs

3. Fill in the form

[Screenshot: Single Sign-On configuration form showing Provider Type (OIDC), Provider ID, Issuer URL, Domain, Client ID, Client Secret, Scopes, and Callback URL fields]

Fields required for both protocols:

Field       | What to enter
Provider ID | A short slug identifying this connection, e.g. okta or azure-ad. Letters, numbers, and dashes only.
Issuer URL  | The identity provider's issuer URL. Must be HTTPS.
Domain      | Your organization's email domain, e.g. company.com. Users with this domain will be routed through SSO at sign-in.

OIDC additional fields:

Field         | What to enter
Client ID     | The application client ID from your IdP.
Client Secret | The client secret from your IdP.
Scopes        | Comma-separated OIDC scopes. Default: openid,profile,email.

For OIDC, Sim automatically fetches endpoints (authorization_endpoint, token_endpoint, userinfo_endpoint, jwks_uri) from your issuer's /.well-known/openid-configuration discovery document. You only need to provide the issuer URL.
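An added pre-flight check (example code, not part of Sim) for the shared form fields and for the OIDC discovery document Sim reads: it rejects non-HTTPS issuers, malformed Provider IDs and domains, a discovery document whose issuer does not equal the configured Issuer URL, and endpoints that are not HTTPS. The discovery JSON is a constructed sample that mirrors the Okta hostname used later on this page, not a document fetched from a real IdP.

```python
import json
import re
from urllib.parse import urlparse

# Constructed sample of what {issuer}/.well-known/openid-configuration returns
# (example data only; the hostname mirrors the Okta example on this page).
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://dev-1234567.okta.com/oauth2/default",
    "authorization_endpoint": "https://dev-1234567.okta.com/oauth2/default/v1/authorize",
    "token_endpoint": "https://dev-1234567.okta.com/oauth2/default/v1/token",
    "userinfo_endpoint": "https://dev-1234567.okta.com/oauth2/default/v1/userinfo",
    "jwks_uri": "https://dev-1234567.okta.com/oauth2/default/v1/keys",
})

# Endpoints Sim takes from the discovery document, plus the form-field rules.
REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "userinfo_endpoint", "jwks_uri")
PROVIDER_ID_RE = re.compile(r"^[A-Za-z0-9-]+$")          # letters, numbers, dashes only
DOMAIN_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$")    # bare email domain, e.g. company.com

def is_https(url):
    """True only for absolute https:// URLs that carry a host."""
    parts = urlparse(url or "")
    return parts.scheme == "https" and bool(parts.netloc)

def validate_form(provider_id, issuer, domain):
    """Return the problems with the fields shared by OIDC and SAML (empty list means OK)."""
    problems = []
    if not PROVIDER_ID_RE.match(provider_id):
        problems.append("Provider ID: letters, numbers, and dashes only")
    if not is_https(issuer):
        problems.append("Issuer URL: must be an absolute HTTPS URL")
    if not DOMAIN_RE.match(domain.strip().lower()):
        problems.append("Domain: must be a bare email domain such as company.com")
    return problems

def check_discovery(issuer, document_json):
    """Return the problems found in a discovery document before trusting its endpoints."""
    doc = json.loads(document_json)
    problems = []
    # OIDC Discovery requires the document's issuer to equal the URL it was fetched from;
    # a mismatch means a different authority than the one configured would issue tokens.
    if doc.get("issuer") != issuer.rstrip("/"):
        problems.append("issuer in document does not match configured Issuer URL")
    for name in REQUIRED_ENDPOINTS:
        if name not in doc:
            problems.append("missing " + name)
        elif not is_https(doc[name]):
            problems.append(name + " is not HTTPS")
    return problems
```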

SAML additional fields:

Field                         | What to enter
Entry Point URL               | The IdP's SSO service URL where Sim sends authentication requests.
Identity Provider Certificate | The Base-64 encoded X.509 certificate from your IdP for verifying assertions.

4. Copy the Callback URL

The Callback URL shown in the form is the endpoint your identity provider must redirect users back to after authentication. Copy it and register it in your IdP before saving.

OIDC providers (Okta, Microsoft Entra ID, Google Workspace, Auth0):

https://sim.ai/api/auth/sso/callback/{provider-id}

SAML providers (ADFS, Shibboleth):

https://sim.ai/api/auth/sso/saml2/callback/{provider-id}

5. Save and test

Click Save. To test, sign out and use the Sign in with SSO button on the login page. Enter an email address at your configured domain — Sim will redirect you to your identity provider.


Provider Guides

Okta (OIDC)

In Okta (official docs):

  1. Go to Applications → Create App Integration
  2. Select OIDC - OpenID Connect, then Web Application
  3. Set the Sign-in redirect URI to your Sim callback URL:
    https://sim.ai/api/auth/sso/callback/okta
  4. Under Assignments, grant access to the relevant users or groups
  5. Copy the Client ID and Client Secret from the app's General tab
  6. Your Okta domain is the hostname of your admin console, e.g. dev-1234567.okta.com

In Sim:

Field         | Value
Provider Type | OIDC
Provider ID   | okta
Issuer URL    | https://dev-1234567.okta.com/oauth2/default
Domain        | company.com
Client ID     | From Okta app
Client Secret | From Okta app

The issuer URL uses Okta's default authorization server, which is pre-configured on every Okta org. If you created a custom authorization server, replace default with your server name.

Microsoft Entra ID (OIDC)

In Azure (official docs):

  1. Go to Microsoft Entra ID → App registrations → New registration
  2. Under Redirect URI, select Web and enter your Sim callback URL:
    https://sim.ai/api/auth/sso/callback/azure-ad
  3. After registration, go to Certificates & secrets → New client secret and copy the value immediately — it won't be shown again
  4. Go to Overview and copy the Application (client) ID and Directory (tenant) ID

In Sim:

Field         | Value
Provider Type | OIDC
Provider ID   | azure-ad
Issuer URL    | https://login.microsoftonline.com/{tenant-id}/v2.0
Domain        | company.com
Client ID     | Application (client) ID
Client Secret | Secret value

Google Workspace (OIDC)

In Google Cloud Console (official docs):

  1. Go to APIs & Services → Credentials → Create Credentials → OAuth 2.0 Client ID
  2. Set the application type to Web application
  3. Add your Sim callback URL to Authorized redirect URIs:
    https://sim.ai/api/auth/sso/callback/google-workspace
  4. Copy the Client ID and Client Secret

In Sim:

Field         | Value
Provider Type | OIDC
Provider ID   | google-workspace
Issuer URL    | https://accounts.google.com
Domain        | company.com
Client ID     | From Google Cloud Console
Client Secret | From Google Cloud Console

To restrict sign-in to your Google Workspace domain, configure the OAuth consent screen and set the app's User type to Internal (Workspace users only), which limits access to users within your Google Workspace organization.

ADFS (SAML 2.0)

In ADFS (official docs):

  1. Open AD FS Management → Relying Party Trusts → Add Relying Party Trust
  2. Choose Claims aware, then Enter data about the relying party manually
  3. Set the Relying party identifier (Entity ID) to your Sim base URL:
    https://sim.ai
  4. Add an endpoint: SAML Assertion Consumer Service (HTTP POST) with the URL:
    https://sim.ai/api/auth/sso/saml2/callback/adfs
  5. Export the Token-signing certificate from Certificates: right-click → View Certificate → Details → Copy to File, choose Base-64 encoded X.509 (.CER). The .cer file is PEM-encoded — rename it to .pem before pasting its contents into Sim.
  6. Note the ADFS Federation Service endpoint URL (e.g. https://adfs.company.com/adfs/ls)

In Sim:

Field           | Value
Provider Type   | SAML
Provider ID     | adfs
Issuer URL      | https://sim.ai
Domain          | company.com
Entry Point URL | https://adfs.company.com/adfs/ls
Certificate     | Contents of the .pem file

For ADFS, the Issuer URL field is the SP entity ID — the identifier ADFS uses to identify Sim as a relying party. It must match the Relying party identifier you registered in ADFS.


How sign-in works after setup

Once SSO is configured, users with your domain (company.com) can sign in through your identity provider:

  1. User goes to sim.ai and clicks Sign in with SSO
  2. They enter their work email (e.g. alice@company.com)
  3. Sim redirects them to your identity provider
  4. After authenticating, they are returned to Sim and added to your organization automatically
  5. They land in the workspace

Users who sign in via SSO for the first time are automatically provisioned and added to your organization — no manual invite required.

Password-based login remains available. Forcing all organization members to use SSO exclusively is not yet supported.
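The domain-based routing in steps 2 and 3 above, as an added example (not Sim's own code): the email domain is normalized and matched exactly against the registered Domain values, and the matching provider's callback URL is built in the OIDC or SAML format from this page. The provider registry and addresses are constructed sample data.

```python
import re

# Constructed registry keyed by the Domain field of each SSO connection
# (sample data; not Sim's storage format).
PROVIDERS = {
    "company.com": {"provider_id": "okta", "type": "oidc"},
    "subsidiary.example": {"provider_id": "adfs", "type": "saml"},
}

# Callback URL formats from this page, per protocol.
CALLBACK_PATHS = {
    "oidc": "/api/auth/sso/callback/",
    "saml": "/api/auth/sso/saml2/callback/",
}

EMAIL_RE = re.compile(r"[^@\s]+@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)")

def email_domain(email):
    """Domain to route on, lowercased; None if the address is malformed.
    Requires exactly one '@' and a dotted host, so 'a@company.com@evil.example' is rejected."""
    m = EMAIL_RE.fullmatch(email.strip())
    return m.group(1).lower() if m else None

def route(email, providers=PROVIDERS):
    """Return the provider that handles this sign-in, or None to fall back to password login."""
    domain = email_domain(email)
    if domain is None:
        return None
    # Exact match only: suffix or substring matching would route company.com.attacker.example
    # or notcompany.com users to the company's IdP.
    return providers.get(domain)

def callback_url(base_url, provider):
    """The Callback URL to register in the IdP for this provider."""
    return base_url.rstrip("/") + CALLBACK_PATHS[provider["type"]] + provider["provider_id"]
```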


Common Questions

Any identity provider that supports OIDC or SAML 2.0. This includes Okta, Microsoft Entra ID (Azure AD), Google Workspace, Auth0, OneLogin, JumpCloud, Ping Identity, ADFS, Shibboleth, and more.

The domain (e.g. company.com) is how Sim routes users to the right identity provider. When a user enters their email on the SSO sign-in page, Sim matches their email domain to a registered SSO provider and redirects them there.

No. For OIDC providers, Sim automatically fetches the authorization, token, and JWKS endpoints from the discovery document at {issuer}/.well-known/openid-configuration. You only need to provide the issuer URL.

Sim creates an account for them automatically and adds them to your organization. No manual invite is needed. They are assigned the member role by default.

Yes. Enabling SSO does not disable password-based login. Users can still sign in with their email and password if they have one. Forced SSO (requiring all users on the domain to use SSO) is not yet supported.

Organization owners and admins can configure SSO. You must be on the Enterprise plan.

The Callback URL (also called Redirect URI or ACS URL) is the endpoint in Sim that receives the authentication response from your identity provider. For OIDC providers it follows the format: https://sim.ai/api/auth/sso/callback/{provider-id}. For SAML providers it is: https://sim.ai/api/auth/sso/saml2/callback/{provider-id}. You must register this URL in your identity provider before SSO will work.

Open Settings → Enterprise → Single Sign-On and click Edit. Update the fields and save. The existing provider configuration is replaced.

Self-hosted setup

Self-hosted deployments use environment variables instead of the billing/plan check.

Environment variables

# Required
SSO_ENABLED=true
NEXT_PUBLIC_SSO_ENABLED=true

# Required if you want users auto-added to your organization on first SSO sign-in
ORGANIZATIONS_ENABLED=true
NEXT_PUBLIC_ORGANIZATIONS_ENABLED=true

You can register providers through the Settings UI (same as cloud) or by running the registration script directly against your database.

Script-based registration

Use this when you need to register an SSO provider without going through the UI — for example, during initial deployment or CI/CD automation.

# OIDC example (Okta)
SSO_ENABLED=true \
NEXT_PUBLIC_APP_URL=https://your-instance.com \
SSO_PROVIDER_TYPE=oidc \
SSO_PROVIDER_ID=okta \
SSO_ISSUER=https://dev-1234567.okta.com/oauth2/default \
SSO_DOMAIN=company.com \
SSO_USER_EMAIL=admin@company.com \
SSO_OIDC_CLIENT_ID=your-client-id \
SSO_OIDC_CLIENT_SECRET=your-client-secret \
bun run packages/db/scripts/register-sso-provider.ts

# SAML example (ADFS)
SSO_ENABLED=true \
NEXT_PUBLIC_APP_URL=https://your-instance.com \
SSO_PROVIDER_TYPE=saml \
SSO_PROVIDER_ID=adfs \
SSO_ISSUER=https://your-instance.com \
SSO_DOMAIN=company.com \
SSO_USER_EMAIL=admin@company.com \
SSO_SAML_ENTRY_POINT=https://adfs.company.com/adfs/ls \
SSO_SAML_CERT="-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----" \
bun run packages/db/scripts/register-sso-provider.ts

The script outputs the callback URL to configure in your IdP once it completes.

To remove a provider:

SSO_USER_EMAIL=admin@company.com \
bun run packages/db/scripts/deregister-sso-provider.ts
