Single Sign-On (SSO)

Agent Action Firewall supports enterprise SSO via SAML 2.0, enabling centralized authentication through your identity provider.

SAML 2.0 — Industry-standard SSO protocol
JIT Provisioning — Automatic user creation on first login
Domain Verification — Verified domain ownership required
Role Mapping — Map IdP groups to AAF roles

ℹ

SSO is available on Enterprise plans. Contact sales@agentactionfirewall.com to enable SSO for your organization.

Supported Identity Providers

AAF has been tested with:

Provider	Status
Okta	Fully supported
Azure AD (Entra ID)	Fully supported
Google Workspace	Fully supported
OneLogin	Fully supported
Auth0	Fully supported
PingIdentity	Fully supported
JumpCloud	Fully supported
Custom SAML 2.0	Supported

Setup Process

Step 1: Verify Domain Ownership

Before configuring SSO, verify ownership of your email domain:

Go to Settings → SSO → Domains
Click Add Domain
Enter your domain (e.g., company.com)
Add the provided DNS TXT record
Click Verify

DNS record format:

_aaf-verification.company.com TXT "aaf-verify=abc123xyz"

Step 2: Configure Identity Provider

In your IdP, create a new SAML application with these settings:

Setting	Value
ACS URL	`https://auth.agentactionfirewall.com/saml/acs`
Entity ID	`https://agentactionfirewall.com/saml/sp`
Name ID Format	`emailAddress`

Step 3: Download IdP Metadata

Download the SAML metadata XML from your IdP. This contains:

IdP Entity ID
SSO URL
X.509 Certificate

Step 4: Configure AAF

Go to Settings → SSO
Click Configure SAML
Upload IdP metadata XML (or enter manually):
- IdP Entity ID: From your IdP
- SSO URL: IdP login endpoint
- Certificate: X.509 certificate
Click Save

Step 5: Test Connection

Click Test SSO
You'll be redirected to your IdP
Log in with your IdP credentials
Verify you're redirected back to AAF

Attribute Mapping

Required Attributes

SAML Attribute	AAF Field	Notes
`NameID`	Email	Must be user's email
`email`	Email (fallback)	Alternative to NameID

Optional Attributes

SAML Attribute	AAF Field	Default
`firstName`	First name	Parsed from email
`lastName`	Last name	Parsed from email
`displayName`	Display name	`firstName lastName`
`groups`	Role mapping	See below

Custom Attribute Names

If your IdP uses different attribute names:

{
  "attribute_mapping": {
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "firstName": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
    "lastName": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
    "groups": "http://schemas.xmlsoap.org/claims/Group"
  }
}

Role Mapping

Map IdP groups to AAF roles:

Configuration

{
  "role_mapping": {
    "AAF-Admins": "admin",
    "AAF-Members": "member",
    "AAF-Viewers": "viewer"
  },
  "default_role": "member"
}

Group Sync

Mode	Description
Additive	IdP groups add to existing roles
Exclusive	IdP groups replace all roles
Disabled	No automatic role assignment

Configure in Settings → SSO → Role Mapping.

Just-In-Time (JIT) Provisioning

JIT provisioning automatically creates users on first SSO login.

Enabling JIT

Go to Settings → SSO → Provisioning
Enable Just-In-Time Provisioning
Configure default settings:
- Default role
- Default team
- Auto-add to organization

JIT Settings

{
  "jit_provisioning": {
    "enabled": true,
    "default_role": "member",
    "default_team": "new-hires",
    "require_domain_match": true,
    "auto_activate": true
  }
}

Domain Restrictions

Only allow users from verified domains:

{
  "allowed_domains": ["company.com", "subsidiary.com"],
  "require_domain_match": true
}

Enforcement Modes

Optional SSO

Users can login via SSO or email/password:

Good for gradual rollout
SSO users see "Sign in with SSO" button
Password users login normally

Required SSO

Force all users to authenticate via SSO:

Go to Settings → SSO → Enforcement
Select Require SSO for all users
Acknowledge existing password users will be migrated
Click Enable

⚠

Enabling required SSO will lock out any users without a matching IdP account. Ensure all users exist in your IdP first.

Domain-Based Enforcement

Require SSO only for specific email domains:

{
  "enforce_sso_domains": ["company.com"],
  "allow_password_domains": ["contractors.company.com"]
}

SCIM Provisioning

For Enterprise customers, we support SCIM 2.0 for automated user provisioning.

SCIM Endpoint

https://api.agentactionfirewall.com/scim/v2

Supported Operations

Resource	Operations
Users	Create, Read, Update, Delete, List
Groups	Create, Read, Update, Delete, List

Enabling SCIM

Go to Settings → SSO → SCIM
Click Enable SCIM
Copy the SCIM Endpoint URL and Bearer Token
Configure in your IdP

Security

Certificate Rotation

To rotate your IdP certificate:

Upload new certificate to AAF (keeps old one active)
Update certificate in IdP
Test SSO with new certificate
Remove old certificate from AAF

Session Settings

Configure SSO session behavior:

Setting	Default	Description
Session duration	8 hours	Time before re-auth required
Idle timeout	30 minutes	Inactivity logout
Force re-auth	Off	Require IdP auth on each login

Audit Logging

All SSO events are logged:

Event	Description
`sso.login.success`	User authenticated via SSO
`sso.login.failed`	SSO authentication failed
`sso.user.provisioned`	JIT user created
`sso.config.updated`	SSO settings changed

IdP-Specific Guides

Okta

In Okta Admin: Applications → Create App Integration → SAML 2.0
Configure settings:
- Single sign-on URL: https://auth.agentactionfirewall.com/saml/acs
- Audience URI: https://agentactionfirewall.com/saml/sp
- Name ID format: EmailAddress
Add attribute statements: email → user.email, firstName → user.firstName, lastName → user.lastName
Assign users or groups to the application
Go to the Sign On tab → View SAML setup instructions → download IdP metadata

Azure AD

Azure AD → Enterprise Applications → New Application → Create your own
Configure SSO:
- Identifier: https://agentactionfirewall.com/saml/sp
- Reply URL: https://auth.agentactionfirewall.com/saml/acs
Configure claims: Unique User Identifier → user.mail, email → user.mail, firstName → user.givenname, lastName → user.surname
Download Federation Metadata XML

Google Workspace

Admin Console → Apps → Web and mobile apps → Add custom SAML app
Configure settings:
- ACS URL: https://auth.agentactionfirewall.com/saml/acs
- Entity ID: https://agentactionfirewall.com/saml/sp
- Name ID: Basic Information, Primary email
Map firstName and lastName to user attributes
Turn on access for relevant organizational units

Troubleshooting

SSO login fails with "Invalid SAML response"

Verify ACS URL is exactly correct (no trailing slash)
Check certificate hasn't expired
Ensure NameID is user's email address
Verify clock skew is less than 5 minutes

User not provisioned on first login

Check JIT provisioning is enabled
Verify user's email domain is verified
Ensure require_domain_match settings are correct
Check IdP is sending required attributes

Role not assigned correctly

Verify IdP is sending groups attribute
Check role mapping configuration
Ensure group names match exactly (case-sensitive)
Check group sync mode (additive vs exclusive)

Cannot log in after enabling required SSO

Verify your user exists in IdP
Check email matches between IdP and AAF
Contact AAF support to temporarily disable enforcement
Use emergency bypass URL if provided

Emergency Access

Bypass URL

Enterprise customers receive an emergency bypass URL:

https://agentactionfirewall.com/login?bypass_sso=true&token=<emergency_token>

This allows login with password when IdP is unavailable.

Recovery Contacts

Designate recovery contacts who can disable SSO enforcement:

Go to Settings → SSO → Recovery
Add recovery email addresses
These users can disable SSO via email verification