Single Sign-On (SSO)
Let your team sign in to Rollgate using your company identity provider. Supports SAML 2.0, OIDC, and templated connectors for the major IdPs.
What's supported
- Protocols: SAML 2.0, OpenID Connect (OIDC)
- Templated connectors: Okta, Azure AD / Microsoft Entra, Google Workspace, OneLogin, JumpCloud, Auth0, ADFS, PingIdentity
- Generic: any SAML 2.0 or OIDC-compliant IdP
- Just-in-time provisioning: users are created automatically on first sign-in
- Multi-domain: one SSO connection can cover multiple email domains (e.g. acme.com, acme.co.uk)
- Break-glass: organization owners keep email/password access so you're never locked out
SCIM user provisioning (auto-sync users and groups from your directory) is on the roadmap for phase 2.
How it works
- Your Rollgate organization admin enables SSO and configures the email domains.
- We set up an Identity Provider connection in our SSO broker using the metadata you provide from your IdP.
- Your users go to the Rollgate login page, click Sign in with SSO, and enter their email. The domain is matched against your connection and they're redirected to your IdP.
- After authenticating with your IdP, users land back on Rollgate with a session — same as if they'd logged in with email or OAuth.
Availability
| Plan | SSO | Notes |
|---|---|---|
| Free | — | Email/password + Google + GitHub OAuth |
| Starter | — | Email/password + OAuth |
| Pro | — | Email/password + OAuth |
| Growth | Included | SAML + OIDC, no per-connection fees (one connection per organization in phase 1) |
| Enterprise | Included | SAML + OIDC + priority onboarding + SCIM (phase 2) |
Setup guide
Setup takes about 15 minutes on your side. You can test the flow before flipping the switch.
1. Gather IdP metadata
From your IdP admin console, grab the metadata URL or download the XML. What you need depends on your IdP:
- Okta: in your admin console, create a new SAML 2.0 app and copy the Identity Provider metadata URL.
- Azure AD / Microsoft Entra: Enterprise Applications → New → Non-gallery. Under Single sign-on, choose SAML. Copy the App Federation Metadata Url.
- Google Workspace: Admin console → Apps → Web and mobile apps → Add custom SAML app. Copy SSO URL, Entity ID, and the x509 certificate.
- OneLogin / JumpCloud / Auth0: create a SAML or OIDC app per the vendor docs and provide us the metadata URL.
2. Configure Rollgate's service-provider values in your IdP
Configure these values in your IdP (they describe Rollgate as the service provider):
- ACS URL: https://sso.rollgate.io/saml/v2/acs
- Entity ID / Audience: https://sso.rollgate.io
- NameID format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
- Required attribute mappings: email, firstName, lastName
3. Create the connection in Rollgate
In your Rollgate dashboard, go to Settings → Security → Single Sign-On. Click Add connection and:
- Paste the IdP metadata URL (or upload the XML).
- Add the email domain(s) you want to route through SSO.
- Click Test connection and sign in with a test user from your IdP.
- When the test succeeds, click Enable.
4. Tell your team
Users sign in at https://app.rollgate.io/login, click Sign in with SSO, and enter their work email. They'll be redirected to your IdP.
User lifecycle
New users
On first sign-in, Rollgate creates a user account using the email, name, and stable subject ID from your IdP. The user is automatically added to your organization as a member.
Existing users
If a user already has a Rollgate account with the same email, signing in via SSO links the account — they keep their existing settings, API keys, and flag history.
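The rules for new and existing users in runnable form, as an added example rather than Rollgate's own code. It assumes an in-memory user store, identities keyed by (issuer, subject) so that a later email change at the IdP still resolves to the same account, a per-connection domain allow-list (an assumed check that follows from the domain matching described under How it works), and constructed claims; the verified-email rule from the security notes is applied before any linking happens.

```python
"""Just-in-time provisioning and account linking.

Added illustration of the lifecycle rules; this is not Rollgate's own code.
Assumptions: an in-memory user store, IdP identities keyed by (issuer, subject),
and a per-connection allow-list of email domains.
"""
from dataclasses import dataclass, field


@dataclass
class User:
    id: int
    email: str
    name: str
    org_role: str = "member"
    api_keys: list = field(default_factory=list)


class UserStore:
    def __init__(self):
        self.users = {}        # user id -> User
        self.by_email = {}     # lower-cased email -> user id
        self.by_subject = {}   # (issuer, sub) -> user id, set on first SSO sign-in
        self._next_id = 1

    def create(self, email: str, name: str) -> User:
        user = User(self._next_id, email.lower(), name)
        self._next_id += 1
        self.users[user.id] = user
        self.by_email[user.email] = user.id
        return user


def sso_login(store: UserStore, claims: dict, allowed_domains: set) -> User:
    """Resolve an IdP claim set to a user, in this order:

    1. Reject claims whose email is not marked verified.
    2. Reject emails outside the domains configured on the connection (assumed check).
    3. An (issuer, sub) seen before maps to the same user even if the email changed:
       the subject is the stable identity, the address is not.
    4. Otherwise link to an existing account with that email, keeping its data.
    5. Otherwise create the account just-in-time as an organization member.
    """
    if not claims.get("email_verified", False):
        raise PermissionError("IdP did not mark the email as verified")
    email = claims["email"].strip().lower()
    domain = email.rsplit("@", 1)[-1]
    if domain not in allowed_domains:
        raise PermissionError(f"{domain} is not a domain on this SSO connection")
    subject_key = (claims["iss"], claims["sub"])
    if subject_key in store.by_subject:
        return store.users[store.by_subject[subject_key]]
    user_id = store.by_email.get(email)
    if user_id is None:
        name = f"{claims.get('firstName', '')} {claims.get('lastName', '')}".strip()
        user = store.create(email, name)
    else:
        user = store.users[user_id]
    store.by_subject[subject_key] = user.id
    return user


def run_scenario() -> dict:
    """Constructed walk-through: existing user linked, renamed email, new user, two rejections."""
    store = UserStore()
    domains = {"acme.com", "acme.co.uk"}
    alice = store.create("alice@acme.com", "Alice")
    alice.api_keys.append("rk_example_key")  # constructed value
    base = {"iss": "https://idp.acme.com", "sub": "00u1abc", "email": "alice@acme.com",
            "email_verified": True, "firstName": "Alice", "lastName": "Smith"}
    linked = sso_login(store, base, domains)
    renamed = sso_login(store, {**base, "email": "alice.smith@acme.com"}, domains)
    bob = sso_login(store, {**base, "sub": "00u2def", "email": "bob@acme.co.uk"}, domains)
    rejected = []
    for bad in ({**base, "email_verified": False},
                {**base, "sub": "00u3ghi", "email": "eve@evil.example"}):
        try:
            sso_login(store, bad, domains)
        except PermissionError as exc:
            rejected.append(str(exc))
    return {
        "linked_same_user": linked.id == alice.id,
        "linked_keeps_api_keys": linked.api_keys,
        "renamed_same_user": renamed.id == alice.id,
        "bob_is_new_member": bob.id != alice.id and bob.org_role == "member",
        "user_count": len(store.users),
        "rejections": len(rejected),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The order of the checks is the point: linking by email is only safe because the IdP has vouched for the address and the address belongs to a domain the connection owns, and once a subject is bound to an account the email is never used again to re-link it.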
Removed users
Removing a user from your IdP prevents future sign-ins, but it does not end a session that already exists: that session lasts until its JWT expires (24 hours). To revoke access immediately, also remove the user from your Rollgate organization, or use the Revoke sessions button in Settings → Security.
Break-glass access
If your IdP becomes unreachable, organization owners can always sign in with email/password, even when SSO is enabled. This prevents lockout in outage scenarios.
We recommend keeping at least two owners per organization with a verified email/password set, stored in your team password manager. Because this path does not go through your IdP, your IdP's controls (for example MFA or conditional access) do not apply to it; treat these passwords as privileged credentials and rotate them when an owner leaves.
Security notes
- OIDC ID tokens are signature-verified against the IdP's JWK set, which is refreshed automatically.
- SAML assertions are validated for signature, audience, NotBefore/NotOnOrAfter constraints, and subject stability.
- Email claims must be marked verified by your IdP; unverified emails are rejected.
- The SSO flow is protected with a signed state token (5-minute TTL) to prevent CSRF and replay attacks.
- Our SSO broker runs in our own infrastructure (sso.rollgate.io): your IdP metadata and credentials (signing certificates, OIDC client secrets) stay within EU data residency (Hetzner Falkenstein region).
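Two of these checks in runnable form, written for this page and not taken from the broker: an HMAC-signed, single-use state token with the 5-minute TTL, and validation of a SAML assertion's Conditions element for audience and NotBefore/NotOnOrAfter. The 60-second clock-skew allowance, the in-memory nonce set, the key and the sample assertion are assumptions; verifying the assertion's XML signature needs an XML-DSig library and is not shown.

```python
"""State-token and SAML Conditions checks, as added examples (not the broker's code).

Assumptions: a 60-second clock-skew allowance, an in-memory set of consumed
nonces, and a constructed assertion fragment. XML signature verification is
left to an XML-DSig library and is not part of this example.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
import xml.etree.ElementTree as ET
from datetime import datetime

STATE_TTL = 300   # seconds, as stated in the security notes
CLOCK_SKEW = 60   # assumed tolerance for IdP/SP clock drift
SP_ENTITY_ID = "https://sso.rollgate.io"
SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def _b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64u(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_state(key: bytes, connection_id: str, now=None) -> str:
    """Create payload.signature; the random nonce makes every token single-use."""
    now = time.time() if now is None else now
    body = {"conn": connection_id, "exp": int(now) + STATE_TTL, "nonce": secrets.token_hex(8)}
    payload = _b64u(json.dumps(body, separators=(",", ":")).encode())
    sig = _b64u(hmac.new(key, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{sig}"


class StateVerifier:
    def __init__(self, key: bytes):
        self.key = key
        self.consumed = set()  # nonces already redeemed; use a shared store in production

    def verify(self, token: str, now=None) -> dict:
        """Check signature, then expiry, then replay; raise ValueError on any failure."""
        now = time.time() if now is None else now
        parts = token.split(".")
        if len(parts) != 2:
            raise ValueError("malformed state token")
        payload, sig = parts
        expected = _b64u(hmac.new(self.key, payload.encode(), hashlib.sha256).digest())
        if not hmac.compare_digest(sig, expected):
            raise ValueError("state signature invalid")
        body = json.loads(_unb64u(payload))
        if now > body["exp"]:
            raise ValueError("state token expired")
        if body["nonce"] in self.consumed:
            raise ValueError("state token replayed")
        self.consumed.add(body["nonce"])
        return body


def iso_to_epoch(stamp: str) -> float:
    """SAML timestamps are UTC ISO 8601 with a trailing Z."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00")).timestamp()


def check_conditions(assertion_xml: str, now: float) -> bool:
    """Enforce audience and validity window of an assertion's Conditions element."""
    cond = ET.fromstring(assertion_xml).find("saml:Conditions", SAML_NS)
    if cond is None:
        raise ValueError("assertion has no Conditions element")
    audiences = [(a.text or "").strip()
                 for a in cond.findall("saml:AudienceRestriction/saml:Audience", SAML_NS)]
    if SP_ENTITY_ID not in audiences:
        raise ValueError(f"audience mismatch: {audiences}")
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now < iso_to_epoch(not_before) - CLOCK_SKEW:
        raise ValueError("assertion not yet valid")
    if not_on_or_after and now >= iso_to_epoch(not_on_or_after) + CLOCK_SKEW:
        raise ValueError("assertion expired")
    return True


# Constructed assertion fragment; only the parts check_conditions looks at are present.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1" Version="2.0">
  <saml:Conditions NotBefore="2024-05-01T10:00:00Z" NotOnOrAfter="2024-05-01T10:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://sso.rollgate.io</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

if __name__ == "__main__":
    key = secrets.token_bytes(32)
    verifier = StateVerifier(key)
    token = mint_state(key, "conn_acme")
    print("first use:", verifier.verify(token))
    try:
        verifier.verify(token)
    except ValueError as exc:
        print("second use rejected:", exc)
    print("conditions ok:", check_conditions(SAMPLE_ASSERTION, iso_to_epoch("2024-05-01T10:02:00Z")))
```

The signature is checked before anything in the payload is trusted, and the nonce is only marked consumed after every other check passes, so an attacker who replays a captured state cannot burn a legitimate user's token by submitting a tampered copy first.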
FAQ
Can I migrate existing users to SSO without forcing them to create new accounts?
Yes. When an existing user signs in via SSO for the first time, we match on email and link the accounts. All their data (API keys, flag history, preferences) is preserved.
Can we use multiple IdPs for the same organization?
Phase 1 supports one connection per organization. If you need multiple (e.g., merging two companies with different IdPs), contact us — we can accommodate via our enterprise-onboarding process.
What if our IdP only supports SAML, not OIDC?
Fully supported. Our SSO broker handles SAML natively and presents a consistent OIDC interface to the rest of Rollgate. You don't need OIDC support on your side.
Do you support SCIM for user provisioning?
SCIM is on the roadmap for phase 2 of SSO. In phase 1, users are created just-in-time on first sign-in. If you need SCIM now for an enterprise contract, contact us — Enterprise-plan customers can get early access.
How much does SSO cost?
SSO is included in the Growth and Enterprise plans — no per-connection fees, no cap on the number of users, no cap on the number of domains.
Where is your SSO broker hosted?
Zitadel self-hosted in our infrastructure at Hetzner Falkenstein (Germany / EU). No third-party managed service; data stays in EU.
Need help?
Email [email protected] with your IdP type (Okta / Azure / Google / other) and we'll guide you through the setup. Enterprise customers get a dedicated onboarding call.