Documentation Index
Fetch the complete documentation index at: https://www.activepieces.com/docs/llms.txt
Use this file to discover all available pages before exploring further.
Overview
Single Sign-On (SSO) allows your team to authenticate using your organization’s existing identity provider, eliminating the need for separate Activepieces credentials. This improves security, simplifies user management, and provides a seamless login experience.Prerequisites
Before configuring SSO, ensure you have:- Admin access to your Activepieces platform
- Admin access to your identity provider (Google, GitHub, Okta, or JumpCloud)
- The redirect URL from your Activepieces SSO configuration screen
Accessing SSO Configuration
Navigate to Platform Settings → SSO in your Activepieces admin dashboard to access the SSO configuration screen.
Enforcing SSO
You can enforce SSO by specifying your organization’s email domain. When SSO enforcement is enabled:- Users with matching email domains must authenticate through the SSO provider
- Email/password login can be disabled for enhanced security
- All authentication is routed through your designated identity provider
SSO Domain
The SSO Domain lets you map a public domain (e.g.acme.com) to your platform’s SAML provider so users can discover the right IdP from the shared sign-in page.
You can set it in the SAML configuration dialog (Platform Settings → SSO → SAML 2.0 → Enable), in the SSO Domain field. Leave it empty to disable domain-based discovery.
How it works on Cloud
On the cloud sign-in page, clicking Sign in with SAML opens a dialog asking the user for their organization’s domain. When they enter acme.com, the platform whose SSO Domain matches is looked up and the user is redirected to that platform’s identity provider.
Constraints
- Must be a valid public hostname containing a dot (e.g.
acme.com, notacme). - Each domain can be claimed by only one platform on Cloud.
On self-hosted Enterprise instances the SAML button on the sign-in page redirects directly to the configured identity provider, so the SSO Domain field is effectively ignored at login. You can still leave it empty.
Supported SSO Providers
Activepieces supports multiple SSO providers to integrate with your existing identity management system.Access Google Cloud Console
Go to the Google Cloud Console and select your project (or create a new one).
Create OAuth2 Credentials
Navigate to APIs & Services → Credentials → Create Credentials → OAuth client ID.Select Web application as the application type.
Configure Redirect URI
Copy the Redirect URL from the Activepieces SSO configuration screen and add it to the Authorized redirect URIs in Google Cloud Console.
Copy Credentials to Activepieces
Copy the Client ID and Client Secret from Google and paste them into the corresponding fields in Activepieces.
GitHub
Access GitHub Developer Settings
Go to GitHub Developer Settings → OAuth Apps → New OAuth App.
Register New Application
Fill in the application details:
- Application name: Choose a recognizable name (e.g., “Activepieces SSO”)
- Homepage URL: Enter your Activepieces instance URL
Configure Authorization Callback
Copy the Redirect URL from the Activepieces SSO configuration screen and paste it into the Authorization callback URL field.
Generate Client Secret
After registration, click Generate a new client secret and copy it immediately (it won’t be shown again).
Copy Credentials to Activepieces
Copy the Client ID and Client Secret and paste them into the corresponding fields in Activepieces.
SAML with Okta
Create New Application in Okta
Go to the Okta Admin Portal → Applications → Create App Integration.
Configure General Settings
Enter an App name (e.g., “Activepieces”) and optionally upload a logo. Click Next.
Configure SAML Settings
- Single sign-on URL: Copy the SSO URL from the Activepieces configuration screen
- Audience URI (SP Entity ID): Enter
Activepieces - Name ID format: Select
EmailAddress
Add Attribute Statements
Add the following attribute mappings:
| Name | Value |
|---|---|
firstName | user.firstName |
lastName | user.lastName |
email | user.email |
Export IdP Metadata
Go to the Sign On tab → View SAML setup instructions or View IdP metadata. Copy the Identity Provider metadata XML.
Configure Activepieces
- Paste the IdP Metadata XML into the corresponding field
- Copy the X.509 Certificate from Okta and paste it into the Signing Key field
- (Optional, Cloud) Set the SSO Domain to your organization’s public domain (e.g.
acme.com) so users can sign in by entering it on the cloud sign-in page. See SSO Domain above.
SAML with Microsoft Entra ID (Azure AD)
Create an Enterprise Application
Go to the Azure Portal → Microsoft Entra ID → Enterprise applications → New application → Create your own application.Name it (e.g., “Activepieces”) and select Integrate any other application you don’t find in the gallery (Non-gallery).
Set Identifier and Reply URL
Edit Basic SAML Configuration:
- Identifier (Entity ID):
Activepieces - Reply URL (Assertion Consumer Service URL): paste the SSO URL from the Activepieces configuration screen
Configure User Attributes & Claims
Edit Attributes & Claims and add these additional claims (leave Namespace empty):
| Claim name | Source attribute |
|---|---|
firstName | user.givenname |
lastName | user.surname |
email | user.mail |
Copy the Federation Metadata
In the SAML Certificates section, copy the App Federation Metadata Url.You can paste this URL directly into the IdP Metadata field in Activepieces — Activepieces will fetch the metadata XML automatically. Alternatively, open the URL in a browser, save the XML, and paste its contents.
Copy the Signing Certificate
Download the Certificate (Base64) from the SAML Certificates section. Open the file and copy its contents (including the
-----BEGIN CERTIFICATE----- / -----END CERTIFICATE----- markers) into the Signing Key field in Activepieces.Assign Users
Go to Users and groups in the application and assign the users or groups that should be allowed to sign in.
SAML with JumpCloud
Create New Application in JumpCloud
Go to the JumpCloud Admin Portal → SSO Applications → Add New Application → Custom SAML App.
Configure ACS URL
Copy the ACS URL from the Activepieces configuration screen and paste it into the ACS URLs field in JumpCloud.
Add User Attributes
Configure the following attribute mappings:
| Service Provider Attribute | JumpCloud Attribute |
|---|---|
firstName | firstname |
lastName | lastname |
email | email |
Enable HTTP-Redirect Binding
JumpCloud does not include the 
HTTP-Redirect binding by default. You must enable this option.
Configure IdP Metadata in Activepieces
Paste the exported metadata XML into the IdP Metadata field in Activepieces.
Configure Signing Certificate
Locate the Paste this into the Signing Key field.
<ds:X509Certificate> element in the IdP metadata and extract its value. Format it as a PEM certificate:Assign Users to Application
In JumpCloud, assign the application to the appropriate users or user groups.
Troubleshooting
Users cannot log in after SSO configuration
Users cannot log in after SSO configuration
- Verify the redirect URL is correctly configured in your identity provider
- Ensure users are assigned to the application in your identity provider
- Check that email domains match the SSO enforcement settings
SAML authentication fails
SAML authentication fails
- Confirm the IdP metadata is complete and correctly formatted
- If you pasted a metadata URL, make sure it is publicly reachable (Activepieces fetches it server-side)
- Verify the signing certificate is properly formatted with BEGIN/END markers
- Ensure all required attributes (firstName, lastName, email) are mapped
HTTP-Redirect binding error (JumpCloud)
HTTP-Redirect binding error (JumpCloud)
- Enable the HTTP-Redirect binding option in JumpCloud
- Re-export the metadata after enabling the binding
- Verify the binding appears in the exported XML