Single Sign-On (SSO)
SAML 2.0 and OIDC enterprise authentication with automatic team synchronization.
Drok supports enterprise single sign-on via SAML 2.0 and OpenID Connect (OIDC). SSO integrates with your existing identity provider to centralize authentication and enforce organizational security policies.
Supported Providers
Drok SSO has been tested and documented with:
| Provider | Protocol | Status |
|---|---|---|
| Okta | SAML 2.0, OIDC | Fully supported |
| Azure AD (Entra ID) | SAML 2.0, OIDC | Fully supported |
| Google Workspace | SAML 2.0, OIDC | Fully supported |
| OneLogin | SAML 2.0 | Fully supported |
| PingFederate | SAML 2.0 | Fully supported |
| Auth0 | OIDC | Fully supported |
| Keycloak | SAML 2.0, OIDC | Fully supported |
| Any SAML 2.0 IdP | SAML 2.0 | Supported |
| Any OIDC Provider | OIDC | Supported |
SAML 2.0 Configuration
Drok Service Provider Details
Provide these values to your identity provider:
| Field | Value |
|---|---|
| Entity ID | https://drok.us/saml/metadata/{org} |
| ACS URL | https://drok.us/saml/acs/{org} |
| SLS URL | https://drok.us/saml/sls/{org} |
| Name ID Format | urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress |
Identity Provider Configuration
Navigate to Organization Settings > Authentication > SAML and provide:
- IdP SSO URL — Your identity provider's single sign-on URL
- IdP Entity ID — Your identity provider's entity ID
- IdP Certificate — The X.509 certificate for signature verification
Or configure via CLI:
```bash
drok org sso configure my-org \
  --protocol saml \
  --idp-sso-url "https://your-idp.com/sso/saml" \
  --idp-entity-id "https://your-idp.com/entity" \
  --idp-certificate /path/to/certificate.pem
```
OIDC Configuration
```bash
drok org sso configure my-org \
  --protocol oidc \
  --issuer "https://your-idp.com" \
  --client-id "your-client-id" \
  --client-secret "your-client-secret"
```
Discovery is automatic via the issuer's .well-known/openid-configuration endpoint.
Enforcement
Optional SSO
Members can authenticate via SSO or Drok credentials. This is the default during rollout.
Required SSO
Enforce SSO for all organization members:
```bash
drok org sso enforce my-org --require-sso
```
When SSO is required:
- All members must authenticate through the identity provider
- Password-based login is disabled for organization members
- Personal access tokens remain valid (they authenticate API access, not identity)
- Recovery codes are available for emergency access
Team Synchronization
Map identity provider groups to Drok teams:
```bash
drok org sso team-sync my-org \
  --idp-group "Engineering" --drok-team "engineering" \
  --idp-group "Backend" --drok-team "engineering/backend" \
  --idp-group "Frontend" --drok-team "engineering/frontend"
```
When team sync is enabled:
- Users are added to Drok teams based on their IdP group membership
- Users removed from an IdP group are removed from the corresponding Drok team
- Sync runs on every SSO login and can be triggered manually
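The per-login sync semantics above, as an added example that is not part of Drok's documentation or code: a small Python function that computes which Drok teams one user should be added to or removed from, given the group names the IdP asserted at login. The mapping mirrors the CLI example; the user data is constructed.

```python
# Added example (not Drok's own code). Models team sync for a single user at
# SSO login: join mapped teams for asserted groups, leave mapped teams whose
# group is no longer asserted, and never touch teams outside the mapping.

# Mirrors the `drok org sso team-sync` command above.
TEAM_SYNC_MAP = {
    "Engineering": "engineering",
    "Backend": "engineering/backend",
    "Frontend": "engineering/frontend",
}


def sync_user_teams(idp_groups, current_teams, mapping=TEAM_SYNC_MAP):
    """Return (to_add, to_remove) team lists for one user.

    idp_groups:    group names the IdP asserted for this user, or None when
                   the assertion carried no group attribute at all
    current_teams: Drok teams the user belongs to right now

    Only teams that appear in the mapping are managed, so hand-curated teams
    (e.g. "ops") are never emptied by a sync. A user who remains in any group
    mapped to a team keeps that team. If the IdP sent no group attribute, the
    safe choice is to change nothing rather than strip every managed team.
    """
    if idp_groups is None:
        return [], []
    managed = set(mapping.values())
    desired = {mapping[g] for g in idp_groups if g in mapping}
    current = set(current_teams)
    to_add = desired - current
    to_remove = (current & managed) - desired
    return sorted(to_add), sorted(to_remove)


if __name__ == "__main__":
    # Constructed login: user moved from Frontend to Backend, also in "ops".
    add, remove = sync_user_teams(
        ["Engineering", "Backend"],
        ["engineering", "engineering/frontend", "ops"],
    )
    print("add:", add)        # ['engineering/backend']
    print("remove:", remove)  # ['engineering/frontend'] ("ops" is untouched)
```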
User Provisioning
Just-in-Time (JIT) Provisioning
When a user authenticates via SSO for the first time, a Drok account is automatically created and added to the organization.
SCIM Provisioning
For automated user lifecycle management, Drok supports SCIM 2.0:
```
SCIM Base URL: https://drok.us/api/scim/v2/{org}
```
SCIM enables:
- Automatic account creation when users are added in the IdP
- Automatic deactivation when users are removed in the IdP
- Profile synchronization (name, email, avatar)
- Group-to-team mapping
Audit
All SSO events are logged in the organization audit log:
- Login attempts (successful and failed)
- SSO configuration changes
- Team sync events
- User provisioning and deprovisioning