This guide describes how to configure single sign-on (SSO) for your organization in QoderWork CN and Qoder CN CLI Enterprise Standard, supporting both SAML 2.0 and OIDC protocols.
Overview
Single sign-on (SSO) lets your organization's members authenticate with your corporate identity provider (IdP) without needing separate Qoder credentials.
SAML 2.0: A mature, XML-based standard for enterprise authentication, widely used by IdPs such as Okta, Microsoft Entra ID (formerly Azure AD), OneLogin, and Alibaba Cloud IDaaS.
OIDC (OpenID Connect): A modern identity protocol built on OAuth 2.0. It offers automatic endpoint discovery via a discovery URL. Typical providers include Okta, Microsoft Entra ID, Google Workspace, Auth0, Authing, and Alibaba Cloud RAM.
Benefits of SSO
Enhanced security: Centralize authentication through your corporate identity provider, so that its password policy, multi-factor authentication and account deprovisioning apply to Qoder as well.
Improved user experience: Access all enterprise applications with a single set of credentials.
Simplified user management: Automatically create accounts and add users to your organization upon their first sign-in from a verified domain.
Choosing a protocol
Protocol | Use case |
SAML | Your IdP only supports SAML; you require IdP-initiated SSO; you have an existing SAML-based enterprise authentication system. |
OIDC | Your IdP supports OIDC or OAuth 2.0; you want to automatically discover endpoints using a discovery URL; you prefer a lightweight, JSON-based integration method. |
An organization can have only one SSO protocol enabled at a time. To switch protocols, you must disable the current configuration before creating a new one.
Prerequisites
Before you begin, ensure you have the following:
Administrator permissions: You have administrator permissions within your organization.
Identity provider permissions: You have permission to create and configure applications in your organization's IdP.
DNS access: You have permission to add a TXT record to your organization's email domain for verification.
Configuration process
The SSO configuration process includes the following steps for both SAML and OIDC:
Step 1: Verify your email domain
Before configuring SSO, you must verify ownership of your company's email domain. This ensures that only users with an email address from a verified domain can sign in through your organization's SSO. For instructions, see Domain verification.
Step 2: Create an SSO configuration
As an administrator, go to Organization Settings > Security & Identity.
Select SAML Settings or OIDC Settings, depending on your IdP.
SAML
Create a SAML configuration for your organization. The system automatically generates the SP certificate and private key. After initialization, Qoder provides the information needed to configure your identity provider (IdP):
SP Entity ID
SP Metadata URL
SP ACS (Assertion Consumer Service) URL
SP Certificate and Private Key
Only the SP Entity ID, SP Metadata URL, SP ACS URL and the SP certificate are entered into your IdP. The private key is Qoder's half of that certificate and must never be uploaded to the IdP or shared outside the organization.
Example SP information (the values are generated for your organization):
Field | Example value |
SP Entity ID | |
SP Metadata URL | |
SP ACS URL | |
OIDC
Create an OIDC configuration for your organization. The system automatically generates a Redirect URI and a Login URL, which you will need when you register the OAuth 2.0/OIDC application in your IdP. Example values:
Field | Example value |
Redirect URI | |
Login URL | |
Go to your IdP's console to create an OAuth 2.0/OIDC application. Add the Redirect URI to the application's list of allowed redirect URIs exactly as shown, without wildcards, so that authorization codes can only be delivered to Qoder. After creating the application, your IdP will issue a client ID and a client secret, which you will use in Step 3. Treat the client secret like a password: it is what proves to the IdP that token requests come from Qoder.
Step 3: Configure IdP
SAML
You can configure your SAML IdP using one of the following two methods:
Method A: Automatic configuration (recommended)
If your IdP provides a metadata URL, use this method for automatic configuration:
On the SAML Settings page, find the Identity Provider Metadata Configuration section.
Select the Import from URL configuration mode.
Enter your IdP metadata URL (for example, https://your-idp.example.com/app/metadata).
Click Save.
The system automatically retrieves and parses the following information:
IDP Entity ID
SSO URL
Signing certificate
Method B: Manual configuration
If your IdP does not provide a metadata URL, configure the settings manually:
On the SAML Settings page, select the Manual Configuration mode.
Fill in the following fields:
IdP Entity ID: The entity identifier of your identity provider.
IdP SSO URL: The SSO sign-in endpoint URL.
IdP Public Certificate: The PEM-formatted signing certificate (optional, but strongly recommended: it is what Qoder uses to verify the signature on your IdP's assertions, so provide it whenever your IdP signs its responses).
Click Save.
OIDC
You can configure your OIDC IdP using one of the following two methods:
Method A: Auto-discovery (recommended)
If your IdP complies with the OpenID Connect Discovery specification (meaning it exposes a /.well-known/openid-configuration endpoint), use this method:
On the OIDC Settings page, select the Issuer URL Auto-Discovery configuration mode.
Fill in the following fields:
Issuer URL: The issuer address of your IdP (for example, https://login.company.com, https://oauth.aliyun.com, or https://your-tenant.authing.cn/oidc).
Client ID: The client ID issued to the Qoder application by your IdP.
Client Secret: The client secret issued to the Qoder application by your IdP.
Scopes: (Optional) The permission scopes to request. The default includes openid. We recommend using openid email profile.
Click Save.
The system automatically retrieves and parses the following from {issuer URL}/.well-known/openid-configuration:
Authorization Endpoint
Token Endpoint
UserInfo Endpoint
JWKS URL (for validating ID token signatures)
Supported signing algorithms
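The checks auto-discovery should apply to that document before any of its endpoints are trusted, as an added example for this page (not Qoder's code). The discovery document is constructed; https://login.company.com is the page's placeholder issuer.

```python
"""Validate an OIDC discovery document before trusting the endpoints in it.

Added example, not Qoder's code. SAMPLE_DISCOVERY is a constructed document;
https://login.company.com is the page's placeholder issuer.
"""
import json
import urllib.request

REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")

# Constructed discovery document in the shape of {issuer}/.well-known/openid-configuration.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://login.company.com",
    "authorization_endpoint": "https://login.company.com/oauth2/authorize",
    "token_endpoint": "https://login.company.com/oauth2/token",
    "userinfo_endpoint": "https://login.company.com/oauth2/userinfo",
    "jwks_uri": "https://login.company.com/oauth2/keys",
    "end_session_endpoint": "https://login.company.com/oauth2/logout",
    "scopes_supported": ["openid", "email", "profile"],
    "id_token_signing_alg_values_supported": ["RS256", "ES256"],
})


def discovery_url(issuer: str) -> str:
    """OpenID Connect Discovery 1.0 section 4.1: drop a trailing slash, append the well-known path."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def validate_discovery(issuer: str, doc_text: str,
                       scopes=("openid", "email", "profile")) -> dict:
    """Return the endpoints the SP needs plus warnings, or raise ValueError if unusable."""
    doc = json.loads(doc_text)
    warnings = []

    # Section 4.3: the issuer inside the document must be identical to the one it was
    # fetched for; otherwise a mistyped or redirected issuer URL silently points the
    # SP at someone else's token endpoint and keys.
    if doc.get("issuer") != issuer:
        raise ValueError(f"issuer mismatch: configured {issuer!r}, document says {doc.get('issuer')!r}")

    for key in REQUIRED_ENDPOINTS + ("userinfo_endpoint",):
        url = doc.get(key)
        if key == "userinfo_endpoint" and url is None:
            continue  # optional in the spec; Step 4 maps claims from UserInfo, so normally present
        if not isinstance(url, str) or not url.startswith("https://"):
            raise ValueError(f"{key} missing or not https: {url!r}")

    # The openid scope is mandatory; add it if the administrator left it out.
    requested = list(scopes)
    if "openid" not in requested:
        requested.insert(0, "openid")
    supported = doc.get("scopes_supported")
    if supported is not None:
        missing = [s for s in requested if s not in supported]
        if missing:  # scopes_supported may be incomplete, so warn rather than fail
            warnings.append(f"IdP does not advertise scopes {missing}; their claims may be empty")

    # RS256 is mandatory to implement; refuse an IdP that offers only unsigned ("none") ID tokens.
    algs = doc.get("id_token_signing_alg_values_supported", ["RS256"])
    usable_algs = [a for a in algs if a != "none"]
    if not usable_algs:
        raise ValueError("IdP offers no signed ID token algorithm")

    return {
        "authorization_endpoint": doc["authorization_endpoint"],
        "token_endpoint": doc["token_endpoint"],
        "userinfo_endpoint": doc.get("userinfo_endpoint"),
        "jwks_uri": doc["jwks_uri"],
        "end_session_endpoint": doc.get("end_session_endpoint"),
        "signing_algs": usable_algs,
        "scopes": " ".join(requested),
        "warnings": warnings,
    }


def fetch_and_validate(issuer: str, timeout: float = 5.0) -> dict:
    """Live variant (not exercised offline): fetch over TLS, then validate as above."""
    url = discovery_url(issuer)
    if not url.startswith("https://"):
        raise ValueError("issuer must be an https URL")
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return validate_discovery(issuer, resp.read().decode("utf-8"))


if __name__ == "__main__":
    print(validate_discovery("https://login.company.com", SAMPLE_DISCOVERY))
```

The issuer comparison is the check that matters most: the JWKS URL taken from the document is what ID token signatures are later verified against, so a document whose issuer does not match the configured one must be rejected outright rather than merely logged.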
Method B: Manual configuration
If your IdP does not support discovery, fill in the following details manually:
Issuer URL, Client ID, Client Secret, Scopes
JWKS URL: The JSON Web Key Set URL, used to validate ID token signatures.
End Session URL: (Optional) The IdP's session end endpoint to redirect to upon logout.
The openid scope is mandatory for the OIDC protocol. If not provided, the system adds it automatically.
Step 4: Map attributes
SAML
On the SAML Settings page, scroll to the Attribute Mapping section.
Configure the mapping between the attributes carried in your IdP's SAML assertion and Qoder user fields. The assertion must carry the user's email address, because that address determines whether the user belongs to a verified domain.
Click Save.
OIDC
On the OIDC Settings page, scroll to the Attribute Mapping section.
Configure the mapping between claims in the OIDC UserInfo and system fields:
Email Claim: (Required) The name of the claim for the user's email, typically email.
Name Claim: The name of the claim for the user's display name, typically name or nickname.
OpenID Claim: The unique identifier claim for the user, typically sub. The email claim can also be used, but sub is the identifier an issuer never reassigns to another person, whereas an email address can be changed or handed to a different user; prefer sub unless your IdP does not supply it.
Click Save.
Email is required: The IdP's UserInfo response must contain a valid email address, or authentication will fail. Ensure you have granted the email scope to the Qoder application in your IdP configuration.
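How the claim mapping and the email requirement combine at sign-in time, as an added example for this page (not Qoder's code). The mapping, the verified domain and the UserInfo payload are constructed; company.com stands in for your verified domain.

```python
"""Apply the OIDC Attribute Mapping to a UserInfo response and enforce the rules
above: email claim required, address in a verified domain, OpenID claim identifies
the user.

Added example, not Qoder's code. VERIFIED_DOMAINS, DEFAULT_MAPPING and
SAMPLE_USERINFO are constructed for the example.
"""

# Domains verified in Step 1 (constructed).
VERIFIED_DOMAINS = frozenset({"company.com"})

# Default mapping as described on the OIDC Settings page.
DEFAULT_MAPPING = {"email_claim": "email", "name_claim": "name", "openid_claim": "sub"}

# Constructed UserInfo response; claim names follow OpenID Connect Core section 5.1.
SAMPLE_USERINFO = {
    "sub": "248289761001",
    "name": "Jane Doe",
    "nickname": "jane",
    "email": "Jane.Doe@company.com",
    "email_verified": True,
}


class SsoClaimError(ValueError):
    """Raised when the UserInfo response cannot be mapped to an organization member."""


def resolve_identity(userinfo: dict, mapping: dict = DEFAULT_MAPPING,
                     verified_domains=VERIFIED_DOMAINS) -> dict:
    """Return uid, email, name and warnings for an acceptable user, else raise SsoClaimError."""
    warnings = []

    # Email is required: without it there is no way to tie the user to a verified domain.
    raw_email = userinfo.get(mapping["email_claim"])
    if not isinstance(raw_email, str) or raw_email.count("@") != 1:
        raise SsoClaimError(
            f"claim {mapping['email_claim']!r} missing or malformed; "
            "check that the email scope is granted to the Qoder application")
    email = raw_email.strip().lower()  # domains are case-insensitive
    domain = email.rsplit("@", 1)[1]
    if domain not in verified_domains:
        raise SsoClaimError(f"{domain!r} is not a verified domain for this organization")
    # email_verified is optional; when the IdP explicitly says the address is unverified, refuse it.
    if userinfo.get("email_verified") is False:
        raise SsoClaimError("IdP reports the email address as unverified")

    # OpenID claim: sub is never reassigned within an issuer; an email address can be.
    if mapping["openid_claim"] == mapping["email_claim"]:
        uid = email
        warnings.append("openid_claim is the email address: the account follows the address, "
                        "not the person; prefer sub")
    else:
        uid = userinfo.get(mapping["openid_claim"])
        if not isinstance(uid, str) or not uid:
            raise SsoClaimError(f"claim {mapping['openid_claim']!r} missing from UserInfo")

    # The display name is cosmetic; fall back to the address rather than failing sign-in.
    name = userinfo.get(mapping["name_claim"]) or email

    return {"uid": uid, "email": email, "name": name, "warnings": warnings}


if __name__ == "__main__":
    print(resolve_identity(SAMPLE_USERINFO))
```

A missing email claim, an address outside the verified domains, or an address the IdP flags as unverified each fail the sign-in, which is the behaviour the note above describes; only the display name is allowed to fall back.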
Step 5: Test configuration
Before enabling SSO, test the configuration to ensure all settings are correct:
On the SSO configuration page, click Test SSO.
The system runs a series of validation checks (for example, certificate/signature, metadata endpoints, discovery document, and attribute mapping).
Review the test results.
Step 6: Enable SSO
After the tests pass, you can enable SSO:
On the SSO configuration page, ensure that all validation checks have passed.
Turn on the Enable SSO toggle.
In the confirmation dialog, review the information and activate.
After activation:
The SSO status changes to Active.
Organization members can now sign in using SAML or OIDC SSO.
After entering their email on the sign-in page, users from a verified domain are automatically redirected to your organization's SSO.
After enabling SSO, the administrator who configured it should not sign out. Instead, test the sign-in process using a different account from a verified domain. This precaution ensures an administrator can still access the settings if troubleshooting is needed.