Enterprise Feature

Single Sign-On (SSO)

Enable secure, centralized authentication for your team using your existing identity provider.

Supported Identity Providers

Okta: SAML 2.0 / OIDC
Azure AD: SAML 2.0 / OIDC
Google Workspace: SAML 2.0 / OIDC
OneLogin: SAML 2.0
Auth0: SAML 2.0 / OIDC
Custom SAML: SAML 2.0

SAML 2.0 Configuration

Step 1: Get Chatmefy SAML Details

Use these values when configuring Chatmefy in your identity provider:

Entity ID / Issuer: https://app.chatmefy.com/saml/metadata
ACS URL: https://app.chatmefy.com/saml/acs
SLO URL: https://app.chatmefy.com/saml/slo
Name ID Format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

Step 2: Configure in Chatmefy

  1. Go to Settings → Security → Single Sign-On
  2. Select 'SAML 2.0' as the protocol
  3. Enter your IdP's metadata URL or upload the metadata XML
  4. Map user attributes (email, first_name, last_name)
  5. Enable SSO and test with a user account

OpenID Connect Configuration

Required Configuration

Client ID: From your identity provider
Client Secret: From your identity provider
Issuer URL: e.g., https://login.microsoftonline.com/{tenant}/v2.0
Redirect URI: https://app.chatmefy.com/auth/callback
Required Scopes: openid profile email

Attribute Mapping

Map identity provider attributes to Chatmefy user fields:

| Chatmefy Field | Common SAML Attribute | OIDC Claim |
|---|---|---|
| email (required) | NameID or email | email |
| first_name | givenName | given_name |
| last_name | surname | family_name |
| department | department | custom:department |
| role | groups | groups |

User Provisioning

Just-in-Time (JIT) Provisioning

Users are automatically created on first SSO login.

No manual user creation required
Inherits attributes from IdP
Assigns default role on creation

SCIM Provisioning

Sync users automatically from your identity provider.

Automatic user creation/deletion
Group sync for role assignment
Real-time updates from IdP

Security Settings

Enforce SSO: Require all users to authenticate via SSO (disables password login)
Domain Restriction: Only allow users from specific email domains
Session Duration: How long SSO sessions remain valid before re-authentication
Admin Bypass: Allow admin accounts to use password as backup

Troubleshooting

"Invalid SAML Response" error

Ensure clock sync between IdP and Chatmefy. Check certificate expiration.

User attributes not mapping

Verify that the attribute names sent by the IdP exactly match the names Chatmefy expects.

"User not found" after SSO

Enable JIT provisioning or create the user manually before first login.

Redirect loop during login

Check ACS URL configuration and clear browser cookies.
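
A diagnostic for the "Invalid SAML Response" entry above, added here as an example and not Chatmefy's own code: it checks a captured response's validity window, Destination, Audience and NameID format against the Step 1 values. The sample response, the `diagnose` and `parse_ts` names, the problem labels and the 60-second skew tolerance are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

# Diagnostic only: no signature verification, so never use this as a login check.
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Service-provider values from Step 1 of this page.
ENTITY_ID = "https://app.chatmefy.com/saml/metadata"
ACS_URL = "https://app.chatmefy.com/saml/acs"
NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample response (unsigned, placeholder user), not a real capture.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://app.chatmefy.com/saml/acs">
  <saml:Assertion><saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://app.chatmefy.com/saml/metadata</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions></saml:Assertion>
</samlp:Response>"""

def parse_ts(value):
    # SAML timestamps are UTC xs:dateTime values such as 2024-01-01T12:00:00Z.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def diagnose(xml_text, now, skew=timedelta(seconds=60)):
    """Return reasons an SP would reject the response; `now` must be timezone-aware."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("Destination") != ACS_URL:
        problems.append("destination")        # IdP posts to the wrong ACS URL
    cond = root.find("saml:Assertion/saml:Conditions", NS)
    if cond is None:
        return problems + ["no-conditions"]
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if nb and now + skew < parse_ts(nb):
        problems.append("not-yet-valid")      # local clock behind the IdP
    if noa and now - skew >= parse_ts(noa):
        problems.append("expired")            # local clock ahead, or a stale response
    audiences = [(a.text or "").strip() for a in cond.iterfind(".//saml:Audience", NS)]
    if ENTITY_ID not in audiences:
        problems.append("audience")           # IdP configured with a different Entity ID
    name_id = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != NAMEID_FORMAT:
        problems.append("nameid-format")
    return problems
```

Pass the decoded XML of a failing response and `datetime.now(timezone.utc)`; a `not-yet-valid` or `expired` result on a fresh login points to clock drift rather than an IdP misconfiguration.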