
Single Sign-On (SSO)

Single Sign-On enables your team to access Crew using your organization’s identity provider. SSO improves security, simplifies user management, and provides a seamless login experience.
SSO is available on Enterprise plans. Contact sales@usecrew.ai to enable.

Supported Providers

SAML 2.0

Provider            Status
Okta                Supported
Azure AD            Supported
Google Workspace    Supported
OneLogin            Supported
Ping Identity       Supported
Custom SAML         Supported

OIDC

Provider            Status
Okta                Supported
Azure AD            Supported
Auth0               Supported
Google              Supported

Setup

SAML Configuration

1. Get Crew's SAML Details

Navigate to Settings → Security → SSO and copy:
  • ACS URL: https://api.usecrew.ai/auth/saml/callback
  • Entity ID: https://api.usecrew.ai/saml/metadata
  • Metadata URL: https://api.usecrew.ai/saml/metadata.xml

2. Configure Your IdP

In your identity provider:
  • Create a new SAML application
  • Enter Crew’s ACS URL and Entity ID
  • Configure attribute mappings (see below)

3. Upload IdP Metadata

In Crew:
  • Upload your IdP’s metadata XML, or
  • Enter the IdP SSO URL and certificate manually

4. Test Connection

Use the Test SSO button to verify the configuration.

5. Enable for Users

Choose an enforcement mode and enable SSO.

Required Attributes

Attribute     SAML Name                  Required
Email         email or NameID            Yes
First Name    firstName or givenName     Yes
Last Name     lastName or surname        Yes
Groups        groups                     Optional

Attribute Mapping

Configure in Crew:
{
  "attribute_mapping": {
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "firstName": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
    "lastName": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
    "groups": "http://schemas.xmlsoap.org/claims/Group"
  }
}

OIDC Configuration

1. Create OIDC Application

In your identity provider, create an OIDC application.

2. Configure Redirect URI

Set the redirect URI to: https://api.usecrew.ai/auth/oidc/callback

3. Enter Details in Crew

  • Client ID
  • Client Secret
  • Issuer URL
  • Scopes (openid, profile, email)

4. Test and Enable

Test the connection and enable SSO for users.

User Provisioning

Just-in-Time (JIT) Provisioning

Users are automatically created on first SSO login:
{
  "jit_provisioning": {
    "enabled": true,
    "default_role": "member",
    "auto_assign_workspace": true
  }
}

SCIM Provisioning

For automated user lifecycle management:
{
  "scim": {
    "enabled": true,
    "endpoint": "https://api.usecrew.ai/scim/v2",
    "token": "scim_token_xxxxx"
  }
}
SCIM supports:
  • User creation
  • User updates
  • User deactivation
  • Group synchronization

Group Mapping

Map IdP groups to Crew roles:
{
  "group_mapping": {
    "crew-admins": "admin",
    "crew-members": "member",
    "crew-viewers": "viewer"
  }
}
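The following is an added example, not Crew's own code, showing how the attribute_mapping, jit_provisioning and group_mapping settings above combine when one SAML assertion arrives: claim URIs are translated to Crew attribute names, the email is normalised, IdP groups are resolved to a role, and the user is either updated or JIT-created. The assertion is constructed; the role precedence for a user in several mapped groups and the "groups sent but none mapped means access denied" rule are assumptions, stated in the comments.

```python
"""Added example (not Crew's code): turn the attributes of one SAML
assertion into the Crew user record and role it would provision."""

# Assumed precedence when a user is in several mapped groups (low to high).
ROLE_RANK = {"viewer": 0, "member": 1, "admin": 2}

CONFIG = {
    "attribute_mapping": {
        "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
        "firstName": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
        "lastName": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
        "groups": "http://schemas.xmlsoap.org/claims/Group",
    },
    "jit_provisioning": {"enabled": True, "default_role": "member", "auto_assign_workspace": True},
    "group_mapping": {"crew-admins": "admin", "crew-members": "member", "crew-viewers": "viewer"},
}

# Constructed assertion attributes, in the {name: [values]} shape SAML
# libraries commonly return (multi-valued attributes are lists).
SAMPLE_ASSERTION = {
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": ["Alice@YourCompany.com"],
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": ["Alice"],
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname": ["Liddell"],
    "http://schemas.xmlsoap.org/claims/Group": ["crew-members", "crew-admins", "finance"],
}


class ProvisioningError(Exception):
    """Raised when the assertion cannot be turned into a Crew user."""


def map_attributes(assertion_attrs, config):
    """Translate raw SAML attribute names into Crew's attribute names."""
    return {crew_name: assertion_attrs.get(saml_name, [])
            for crew_name, saml_name in config["attribute_mapping"].items()}


def resolve_role(groups, config):
    """Return the role from group_mapping, or None when no group is mapped.
    Groups absent from the mapping are ignored; if several mapped groups
    are present the highest-ranked role wins (assumption)."""
    mapped = [config["group_mapping"][g] for g in groups if g in config["group_mapping"]]
    return max(mapped, key=ROLE_RANK.__getitem__) if mapped else None


def provision_user(assertion_attrs, config, existing_users):
    """Return the user record a login with these attributes would produce.
    existing_users maps lower-cased email -> stored record."""
    attrs = map_attributes(assertion_attrs, config)
    # Normalise the email so a case difference does not surface as "User not found".
    email = (attrs["email"] or [""])[0].strip().lower()
    first = (attrs["firstName"] or [""])[0].strip()
    last = (attrs["lastName"] or [""])[0].strip()
    if not email:
        raise ProvisioningError("email attribute missing: check attribute_mapping / NameID")
    if not first or not last:
        raise ProvisioningError("firstName and lastName are required attributes")

    groups = attrs["groups"]
    role = resolve_role(groups, config)
    if groups and role is None:
        # Assumption modelled on the "Access denied / Group not mapped" row:
        # the IdP sent groups but none of them maps to a Crew role.
        raise ProvisioningError("access denied: none of %r is mapped to a role" % (groups,))

    if email in existing_users:
        user = dict(existing_users[email], first_name=first, last_name=last)
        if role is not None:
            user["role"] = role          # group sync keeps the role current
        user["provisioned"] = False
        return user

    if not config["jit_provisioning"]["enabled"]:
        raise ProvisioningError("user not found and JIT provisioning is disabled")
    return {
        "email": email,
        "first_name": first,
        "last_name": last,
        "role": role or config["jit_provisioning"]["default_role"],
        "workspace_assigned": config["jit_provisioning"]["auto_assign_workspace"],
        "provisioned": True,
    }


if __name__ == "__main__":
    print(provision_user(SAMPLE_ASSERTION, CONFIG, existing_users={}))
```

Note that the sample user sits in both crew-members and crew-admins and ends up an admin: with group-driven roles, membership hygiene in the IdP is what bounds privilege in Crew, which is why the group_mapping should contain only groups whose membership is reviewed.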

Enforcement Modes

Optional SSO

Users can choose SSO or password:
{
  "sso_enforcement": "optional"
}

Required SSO

All users must use SSO:
{
  "sso_enforcement": "required"
}
Password login is disabled when SSO is required.

Domain-Based Enforcement

Require SSO for specific email domains:
{
  "sso_enforcement": "domain",
  "sso_domains": ["yourcompany.com", "subsidiary.com"]
}

Session Management

Session Duration

Configure SSO session length:
{
  "session": {
    "max_duration_hours": 24,
    "idle_timeout_hours": 4,
    "require_reauth_for_sensitive": true
  }
}
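As an added example (not Crew's code), the class below shows how the three session settings interact: the absolute cap from max_duration_hours ends a session however active it is, idle_timeout_hours ends it earlier after a gap in activity, and require_reauth_for_sensitive demands a fresh authentication before a sensitive action. The page does not say how fresh that authentication must be, so REAUTH_MAX_AGE is an assumed value; the timestamps in demo() are constructed.

```python
"""Added example (not Crew's code): absolute, idle and step-up checks
for an SSO session using the settings shown above."""
from datetime import datetime, timedelta, timezone

SESSION_CONFIG = {"max_duration_hours": 24, "idle_timeout_hours": 4,
                  "require_reauth_for_sensitive": True}
# Assumption: how recent the last IdP authentication must be for a sensitive action.
REAUTH_MAX_AGE = timedelta(minutes=15)


class SsoSession:
    def __init__(self, issued_at, config=SESSION_CONFIG):
        self.issued_at = issued_at   # when the SSO assertion was accepted
        self.last_seen = issued_at   # last request on this session
        self.last_auth = issued_at   # last authentication at the IdP
        self.config = config

    def check(self, now, sensitive=False):
        """Return 'valid', 'expired' (absolute cap), 'idle' (inactivity), or
        'reauth' (a sensitive action needs a fresh authentication)."""
        cfg = self.config
        if now - self.issued_at >= timedelta(hours=cfg["max_duration_hours"]):
            return "expired"
        if now - self.last_seen >= timedelta(hours=cfg["idle_timeout_hours"]):
            return "idle"
        if sensitive and cfg["require_reauth_for_sensitive"] and now - self.last_auth > REAUTH_MAX_AGE:
            return "reauth"
        return "valid"

    def touch(self, now):
        """Record activity; only a valid session restarts the idle clock."""
        state = self.check(now)
        if state == "valid":
            self.last_seen = now
        return state

    def reauthenticated(self, now):
        """Called after a step-up authentication at the IdP succeeded."""
        self.last_auth = now
        self.last_seen = now


def demo():
    """Walk one session through the states; returns the list of results."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)   # constructed timestamps
    s = SsoSession(t0)
    results = [
        s.touch(t0 + timedelta(hours=3)),                     # valid: inside the idle window
        s.touch(t0 + timedelta(hours=6)),                     # valid: idle clock restarted at +3h
        s.check(t0 + timedelta(hours=6), sensitive=True),     # reauth: last IdP auth was 6h ago
    ]
    s.reauthenticated(t0 + timedelta(hours=6))
    results.append(s.check(t0 + timedelta(hours=6, minutes=5), sensitive=True))  # valid after step-up
    results.append(s.touch(t0 + timedelta(hours=11)))         # idle: 5h since the last request

    busy = SsoSession(t0)
    for h in range(1, 24):
        busy.touch(t0 + timedelta(hours=h))                   # activity every hour
    results.append(busy.touch(t0 + timedelta(hours=24)))      # expired despite constant activity
    return results


if __name__ == "__main__":
    print(demo())
```

The absolute cap is the control that bounds how long a stolen session token stays useful regardless of activity, so it should be set from that risk rather than from the idle timeout alone.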

Single Logout (SLO)

Enable single logout to end sessions across all applications:
{
  "single_logout": {
    "enabled": true,
    "logout_url": "https://api.usecrew.ai/auth/slo"
  }
}

Security Features

MFA via IdP

When SSO is enabled, MFA is enforced through your identity provider.

Session Controls

  • Force re-authentication for sensitive actions
  • Configurable session timeouts
  • Device tracking and management

IP Restrictions

Combine SSO with IP allowlisting:
{
  "access_restrictions": {
    "allowed_ips": ["203.0.113.0/24"],
    "sso_bypass_allowed": false
  }
}
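The example below is added here and is not Crew's code. It evaluates a login attempt against both the sso_enforcement / sso_domains settings from the Enforcement Modes section and the access_restrictions settings above, returning a reason string that can be recorded as an audit event. Domain matching is exact and case-insensitive (assumption: a subdomain must be listed on its own, as subsidiary.com is in the example config); a malformed client address is treated as a denial.

```python
"""Added example (not Crew's code): combine enforcement mode, SSO domains
and the IP allowlist into one login decision."""
import ipaddress

CONFIG = {
    "sso_enforcement": "domain",
    "sso_domains": ["yourcompany.com", "subsidiary.com"],
    "access_restrictions": {
        "allowed_ips": ["203.0.113.0/24"],
        "sso_bypass_allowed": False,
    },
}


def email_domain(email):
    """Lower-cased part after the last '@', or '' if there is none."""
    return email.rsplit("@", 1)[1].strip().lower() if "@" in email else ""


def password_login_allowed(email, config):
    """Apply the three enforcement modes to a password login attempt."""
    mode = config.get("sso_enforcement", "optional")
    if mode == "optional":
        return True
    if mode == "required":
        return False   # password login is disabled outright
    if mode == "domain":
        enforced = {d.lower() for d in config.get("sso_domains", [])}
        return email_domain(email) not in enforced
    raise ValueError("unknown sso_enforcement mode: %r" % (mode,))


def ip_allowed(client_ip, config):
    """True when no allowlist is configured or the client is inside one of
    its ranges. ipaddress.ip_address raises ValueError on a malformed
    address; the caller turns that into a denial."""
    restrictions = config.get("access_restrictions") or {}
    allowed = restrictions.get("allowed_ips")
    if not allowed:
        return True
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(cidr, strict=False) for cidr in allowed)


def evaluate_login(email, method, client_ip, config):
    """Decide a login attempt; method is 'sso' or 'password'.
    Returns (allowed, reason) so the reason can be logged."""
    if method not in ("sso", "password"):
        raise ValueError("method must be 'sso' or 'password'")
    try:
        inside = ip_allowed(client_ip, config)
    except ValueError:
        return False, "ip_unparseable"
    if not inside:
        # sso_bypass_allowed lets an SSO login skip the allowlist; the page's config sets it false.
        bypass = (config.get("access_restrictions") or {}).get("sso_bypass_allowed", False)
        if not (method == "sso" and bypass):
            return False, "ip_not_allowed"
    if method == "password" and not password_login_allowed(email, config):
        return False, "sso_required"
    return True, "ok"


if __name__ == "__main__":
    print(evaluate_login("Alice@YourCompany.com", "password", "203.0.113.10", CONFIG))
```

Because matching is exact, a user at dev.yourcompany.com is not covered by the domain rule unless that subdomain is listed too; when auditing an sso_domains list, enumerate every domain and subdomain the IdP actually issues addresses for.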

Provider-Specific Guides

Okta

  1. Create new SAML 2.0 application
  2. Set Single Sign On URL to Crew’s ACS URL
  3. Set Audience URI to Crew’s Entity ID
  4. Configure attribute statements:
    • email → user.email
    • firstName → user.firstName
    • lastName → user.lastName
  5. Download metadata XML
  6. Upload to Crew

Azure AD

  1. Create Enterprise Application
  2. Select SAML single sign-on
  3. Configure Basic SAML:
    • Identifier: Crew Entity ID
    • Reply URL: Crew ACS URL
  4. Configure Attributes & Claims:
    • Add email, givenname, surname claims
  5. Download Federation Metadata XML
  6. Upload to Crew

Google Workspace

  1. Go to Admin Console → Apps → SAML Apps
  2. Add custom SAML app
  3. Configure Service Provider Details:
    • ACS URL: Crew’s ACS URL
    • Entity ID: Crew’s Entity ID
  4. Map attributes:
    • Primary email → email
    • First name → firstName
    • Last name → lastName
  5. Download IdP metadata
  6. Upload to Crew

Troubleshooting

Common Issues

Issue                      Cause                    Solution
"Invalid SAML response"    Certificate mismatch     Re-upload IdP certificate
"User not found"           Email mismatch           Verify email attribute mapping
"Access denied"            Group not mapped         Update group mappings
Redirect loop              Incorrect ACS URL        Verify ACS URL in IdP

Debug Mode

Enable debug logging for troubleshooting:
{
  "sso_debug": {
    "enabled": true,
    "log_assertions": true
  }
}
Disable debug mode after troubleshooting. It may log sensitive data.

Testing

Use the SSO test tool:
  1. Go to Settings → Security → SSO
  2. Click Test SSO Login
  3. Review the test results for errors

Audit Logging

SSO events are logged:
Event                    Description
sso.login.success        Successful SSO login
sso.login.failure        Failed SSO attempt
sso.logout               SSO logout
sso.config.updated       SSO settings changed
sso.user.provisioned     JIT user created
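As an added example (not Crew's code), the script below runs three simple detections over an export of the events listed above: bursts of sso.login.failure for one user inside a sliding window, sso.user.provisioned events for an email domain that is not an SSO domain (a sign of a mapping or IdP-side change), and every sso.config.updated event together with what followed it within an hour. The log lines are constructed, and the record fields (ts, event, user, actor, ip) are an assumption about the export format, since the page lists only the event names.

```python
"""Added example (not Crew's code): detection logic over SSO audit events."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

SSO_DOMAINS = ["yourcompany.com"]          # the domains SSO is enforced for
FAILURE_THRESHOLD = 3
FAILURE_WINDOW = timedelta(minutes=10)

# Constructed audit export, one JSON object per line; field names are assumed.
SAMPLE_LOG = """\
{"ts": "2024-03-01T08:00:00Z", "event": "sso.login.success", "user": "alice@yourcompany.com", "ip": "203.0.113.10"}
{"ts": "2024-03-01T08:01:00Z", "event": "sso.login.failure", "user": "bob@yourcompany.com", "ip": "198.51.100.7"}
{"ts": "2024-03-01T08:02:30Z", "event": "sso.login.failure", "user": "bob@yourcompany.com", "ip": "198.51.100.7"}
{"ts": "2024-03-01T08:04:00Z", "event": "sso.login.failure", "user": "bob@yourcompany.com", "ip": "198.51.100.7"}
{"ts": "2024-03-01T08:30:00Z", "event": "sso.config.updated", "actor": "admin@yourcompany.com", "ip": "203.0.113.12"}
{"ts": "2024-03-01T08:31:00Z", "event": "sso.user.provisioned", "user": "eve@contractor-mail.example", "ip": "203.0.113.12"}
{"ts": "2024-03-01T09:00:00Z", "event": "sso.logout", "user": "alice@yourcompany.com", "ip": "203.0.113.10"}
{"ts": "2024-03-01T12:00:00Z", "event": "sso.login.failure", "user": "bob@yourcompany.com", "ip": "198.51.100.7"}
"""


def parse_events(text):
    """Parse JSON lines into dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def failure_bursts(events, threshold=FAILURE_THRESHOLD, window=FAILURE_WINDOW):
    """Users with at least `threshold` sso.login.failure events inside a sliding window."""
    per_user = defaultdict(list)
    for e in events:
        if e["event"] == "sso.login.failure":
            per_user[e["user"]].append(e["ts"])
    findings = []
    for user, times in per_user.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # shrink window from the left
                start += 1
            if end - start + 1 >= threshold:
                findings.append({"user": user, "count": end - start + 1,
                                 "first": times[start], "last": times[end]})
                break   # one finding per user is enough for this report
    return findings


def unexpected_provisioning(events, sso_domains=SSO_DOMAINS):
    """JIT-created users whose email domain is not an SSO domain."""
    allowed = {d.lower() for d in sso_domains}
    return [e["user"] for e in events
            if e["event"] == "sso.user.provisioned"
            and e["user"].rsplit("@", 1)[-1].lower() not in allowed]


def config_changes(events, follow=timedelta(hours=1)):
    """Every sso.config.updated event with the event names that followed within `follow`."""
    out = []
    for e in events:
        if e["event"] != "sso.config.updated":
            continue
        after = [f["event"] for f in events if e["ts"] < f["ts"] <= e["ts"] + follow]
        out.append({"actor": e.get("actor"), "ts": e["ts"], "followed_by": after})
    return out


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print(failure_bursts(evs))
    print(unexpected_provisioning(evs))
    print(config_changes(evs))
```

Pairing sso.config.updated with what followed it is the check that matters most for review: an attribute-mapping or group-mapping change followed by unexpected provisioning is the pattern the troubleshooting table's "User not found" and "Access denied" rows describe from the user's side.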

Best Practices

Test SSO with a few users before requiring it for everyone.
Maintain one admin account with password login for emergencies.
Automate role assignment through IdP groups.
Set appropriate session durations based on security requirements.
Automate user lifecycle with SCIM provisioning.
