Tenant authentication

Tenant SSO and Identity Discovery

Dashboard tenant users sign in with one calm first step: enter an email address. Attesto then selects the correct password, community identity, organization SSO, invite, or signup path without showing an enterprise provider wall. Configured community providers may also appear as convenience buttons below the email-first form, never above it, and never mixed with tenant enterprise SSO choices.

Scope

This page covers main platform users on dashboard.attesto.eu. Marketplace developer accounts, auditor access, and internal staff access are separate identity surfaces. A marketplace developer account cannot be used to enter the tenant dashboard unless the same person is also invited as a tenant user.

Email discovery

The login page starts with the email field. The backend returns the recommended next step and, for a brand-new community signup, may also return safe availableProviders options:

Password fallback for existing password users.
Community identity when an existing user is linked to Google, GitHub, GitLab, or LinkedIn.
Organization SSO when the email domain matches an enabled tenant provider.
Invite activation when an invite token is present.
Signup or trial onboarding for unknown emails.

User flow

Enterprise SSO users can also start at auth.attesto.eu. That page only discovers tenant Entra/OIDC/SAML routes and sends non-SSO users back to the regular dashboard login.

A tenant user does not choose between seven providers. They enter their work email, review the discovered route, and continue with the method configured for that address. If the tenant domain is controlled by organization SSO, the button says “Continue with your organization” or the configured provider name. If password fallback is still allowed, existing password users can continue with password.

Open dashboard.attesto.eu/login.
Enter the tenant email address.
Continue with the discovered password, community identity, invite, signup, or organization SSO path.
Return to the dashboard with the existing Attesto tenant session, CSRF protection, and role checks intact.

Tenant owner setup

Tenant owners configure enterprise identity providers in Settings → Identity Providers. The wizard stores secrets server-side, shows only masked status back to the browser, and generates callback or metadata values for the external provider. Provider setup should be tested with an invited user before SSO is enforced for a tenant domain.

Provider	Use when	Attesto needs	Provider needs
Microsoft Entra ID	Enterprise workforce login	Domain, issuer, client id, encrypted client secret	Redirect URI and allowed users/groups
Generic OIDC	Okta, Keycloak, Ping, Auth0, ForgeRock, or custom OIDC	Domain, issuer URL, client id, encrypted client secret, scopes	Redirect URI and verified email claim
Generic SAML	Legacy enterprise SSO or SAML-only IdPs	Domain, IdP entity id, SSO URL, signing certificate	SP Entity ID, ACS URL, signed response or assertion

Providers

Community providers support Google, GitHub, GitLab, and LinkedIn. Enterprise providers support Microsoft Entra ID, generic OIDC, and generic SAML. Enterprise provider choices are not displayed as a public button wall; discovery recommends the matching tenant path. Configured community providers can be shown below the email form as a self-service shortcut. The catalog includes a configured flag, so unconfigured providers are visible but inert until real OAuth credentials exist.

Community providers are useful for evaluators, developers, investors, and consultants. Enterprise providers are tenant scoped: the domain match determines whether a user should be routed to organization SSO. Marketplace developer accounts remain separate from tenant dashboard identities.

Microsoft Entra ID

Use Microsoft Entra ID when a customer wants Attesto dashboard access to follow their Microsoft workforce identity, Conditional Access, MFA, and account lifecycle policies. In Entra, create a web application registration for Attesto, add the Attesto redirect URI from the dashboard wizard, and issue a client secret. In Attesto, choose Entra, enter the tenant domain, issuer/authority URL, client id, and client secret.

The redirect type is web/confidential, not public SPA.
Scopes should include OpenID Connect identity claims such as openid, email, and profile.
Attesto requires a verified email and checks issuer, audience, nonce, state, and PKCE.
Use Entra-side Conditional Access and MFA policies for enterprise assurance.

Generic OIDC

Generic OIDC covers Okta, Keycloak, Ping, Auth0, ForgeRock, and other standards-compliant identity providers. The provider must expose an issuer with discovery metadata and signing keys, and must return a stable subject plus verified email claim. Attesto discovers authorization, token, userinfo, and JWKS endpoints from the issuer where supported.

Create a confidential/web OIDC app in the identity provider.
Paste the dashboard-generated callback URL into the provider.
Configure allowed scopes, usually openid email profile.
Save issuer URL, client id, and client secret in Attesto tenant settings.
Run one real login with an invited user before enabling strict tenant policy.

Generic SAML

Generic SAML supports enterprise environments that rely on SAML 2.0 rather than OIDC. Attesto exposes SP metadata and ACS URLs from the tenant settings wizard. The external IdP must sign either the response or assertion and must send a stable subject plus email attribute for the invited tenant user.

Copy Attesto SP metadata or manually enter Entity ID and ACS URL in the IdP.
Copy IdP Entity ID, SSO URL, and signing certificate back into Attesto.
Keep assertions short-lived and include audience, recipient, and InResponseTo values.
Reject unsigned, expired, replayed, wrong-audience, or wrong-recipient assertions.

Enterprise SSO

Enterprise SSO is tenant scoped. A provider configuration binds one tenant domain to one enabled Entra, OIDC, or SAML provider. During discovery, the invite token and existing identity links are evaluated first, then tenant domain provider rules, then password or signup fallback. This prevents random provider choice and keeps the login screen simple.

Tenant owners configure enterprise SSO in dashboard settings under Identity Providers. OIDC and Entra providers use issuer metadata, client id, encrypted client secret, strict redirect allowlists, PKCE, state, nonce, issuer, audience, and verified-email checks. SAML providers use signed responses or assertions, audience and recipient validation, InResponseTo replay protection, and short clock skew.

The dashboard shows generated callback values so tenant owners can copy them into the external identity provider:

OAuth/OIDC callback:
https://auth.attesto.eu/v1/auth/external/callback/{provider_id}

SAML ACS:
https://auth.attesto.eu/v1/auth/saml/acs/{provider_id}

SAML metadata:
https://auth.attesto.eu/v1/auth/saml/metadata/{provider_id}

Public docs intentionally do not document internal staff admin procedures. This page is for tenant-owned identity configuration and developer integration with the tenant authentication endpoints.

Invites

Invite acceptance uses the same discovery model. If the invite email belongs to a tenant domain with required organization SSO, the invite can continue through that provider. If no provider is required, the user can still set a password through the existing invite path.

API contract

These endpoints are dashboard tenant-auth endpoints. Frontend clients never receive provider secrets.

POST /v1/auth/discover
GET /v1/auth/providers
POST /v1/auth/external/start
GET /v1/auth/external/callback/{provider_id}
POST /v1/auth/saml/acs/{provider_id}
GET /v1/auth/saml/metadata/{provider_id}

{
  "email": "user@company.com",
  "returnTo": "/"
}

A discovery response tells the frontend which single next step to render. Provider secrets, client secrets, SAML certificates, tokens, and assertions are never returned to the browser.

{
  "email": "user@company.com",
  "action": "organization_sso",
  "buttonLabel": "Continue with your organization",
  "providerId": "idp_...",
  "providerType": "oidc",
  "allowPassword": false,
  "allowSignup": false,
  "availableProviders": []
}

GET /v1/auth/providers returns only non-secret community provider labels and configuration state for the buttons below the email form. POST /v1/auth/external/start may be called with only providerId for global community signup, but tenant enterprise providers always require an email or invite-backed discovery result.

Security

External login is allowed only when the provider returns a verified email and the identity can be linked to an existing tenant user, accepted invite, or explicit signup/trial creation. Provider secrets, SAML private settings, tokens, assertions, and raw callbacks stay server-side. Audit events record discovery, provider start, success, failure, provider changes, and identity linking without logging raw secrets.

Control	What Attesto enforces
OAuth/OIDC state	Short-lived state, nonce, and PKCE records are single-use.
OIDC token validation	Issuer, audience, JWKS signature, nonce, and verified email are checked.
SAML replay protection	InResponseTo, audience, recipient, signature, and clock skew are validated.
Identity linking	Only verified emails may link to existing users, accepted invites, or explicit signup/trial creation.
Secret handling	Provider secrets are encrypted server-side and masked in tenant settings.
Surface separation	Tenant dashboard users, marketplace developer accounts, auditors, and internal staff auth remain separate surfaces.

Troubleshooting

Symptom	Likely cause	Fix
User is routed to password instead of SSO	Domain provider is disabled, domain mismatch, or existing password identity has precedence.	Check tenant domain, provider enabled state, and invite email spelling.
OIDC callback fails	Redirect URI, issuer, audience, nonce, or verified email claim does not match.	Copy the generated callback exactly and verify the issuer/client configuration.
SAML assertion rejected	Unsigned, expired, replayed, wrong audience, wrong recipient, or missing email attribute.	Enable signed responses/assertions and compare Entity ID, ACS URL, and attributes.
Community provider button is disabled	The provider is listed in the catalog but `configured` is false.	Add the real OAuth client id/secret before enabling that path for users.
User authenticates but cannot enter tenant	The external identity is not linked to an invited or existing tenant user.	Invite the user first or use the explicit signup/trial path for a new tenant.

Rollout checklist

Configure the provider domain and issuer values in tenant settings.
Copy the generated callback, ACS, or metadata URL into the external provider.
Invite a tenant user with that domain and complete one real login.
Confirm that the external provider returns the expected verified email claim or SAML email attribute.
Verify that password fallback still works for users who need it.
Document tenant-side MFA and access policy ownership with the customer.
Check audit events and tenant session behavior before enforcing SSO policy.