
Single sign-on (SAML)

Federate DineOS to your identity provider on the Enterprise plan.

SAML SSO is available on the Enterprise plan. Once configured, your team signs in through your identity provider (Okta, Microsoft Entra, Google Workspace, JumpCloud and similar). Local passwords are disabled for the workspace and account provisioning becomes the IdP's responsibility.

IdP configuration

1. Create a SAML application in your IdP

   Use a generic SAML 2.0 template. Set the audience URI to https://app.dineos.com/saml and the ACS URL to https://app.dineos.com/saml/{workspace}/acs, where {workspace} is your workspace ID.

2. Map attributes

   Required claims: email, given_name, family_name. Optional: groups, for role mapping.

3. Upload metadata in DineOS

   From Settings → Security → SSO, paste the IdP's metadata XML or the metadata URL. DineOS validates the certificate and signing algorithms before accepting it.

4. Map groups to roles

   Optionally, map IdP groups to DineOS roles. For example, the dineos-managers group might map to the Manager role. Users without a matching group land on a configurable default role.

5. Enforce SSO

   Once you have signed in successfully via SSO, toggle Enforce SSO. From this point on, password sign-in is disabled for everyone except a configured break-glass Owner account.

Keep a break-glass account

Always keep at least one Owner account that can sign in without SSO, with a strong password and 2FA. If your IdP is unreachable, this is how you keep access to the workspace.
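As an added illustration of steps 2 to 4 (example code written for this page, not DineOS's own implementation), the Python below runs the kind of pre-flight checks an administrator can apply to IdP metadata before pasting it into Settings → Security → SSO, verifies that an assertion carries the required claims, and maps IdP groups to a workspace role with a configurable default. The IdP hostname, the certificate bytes, the weak-algorithm policy, the role ranking and the dineos-owners group are all constructed for the example; only the required claims and the dineos-managers → Manager mapping come from the page. DineOS's actual validation rules are not documented here, so treat the checks as a reasonable baseline rather than a description of the product.

```python
"""Added example, not DineOS code: pre-flight checks on IdP metadata,
required-claim verification and group-to-role mapping for a SAML SSO setup.
Hostnames, certificate bytes, the algorithm policy and every role other
than Manager are constructed for illustration."""
import base64
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "alg": "urn:oasis:names:tc:SAML:metadata:algsupport",
}

# Assumed policy: SHA-1 based signing or digest algorithms are rejected outright.
WEAK_ALGORITHMS = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "http://www.w3.org/2000/09/xmldsig#sha1",
}

REQUIRED_CLAIMS = ("email", "given_name", "family_name")  # from the page

# Constructed role ranking (low to high) and group map; only
# dineos-managers -> Manager is taken from the page.
ROLE_RANK = {"Staff": 1, "Manager": 2, "Owner": 3}
GROUP_ROLE_MAP = {"dineos-managers": "Manager", "dineos-owners": "Owner"}

# Constructed placeholder: DER-looking bytes, NOT a real certificate.
SAMPLE_CERT_B64 = base64.b64encode(b"\x30\x82\x01\x00" + bytes(256)).decode()

# Constructed IdP metadata in the shape a generic SAML 2.0 IdP exports.
SAMPLE_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}" xmlns:alg="{NS['alg']}"
    entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions>
      <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
    </md:Extensions>
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {SAMPLE_CERT_B64}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def check_idp_metadata(xml_text: str) -> list:
    """Return a list of problems; an empty list means the metadata passed these checks."""
    problems = []
    root = ET.fromstring(xml_text)
    if not root.get("entityID"):
        problems.append("missing entityID")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return problems + ["no IDPSSODescriptor"]

    # 1. At least one signing certificate, as bare base64 DER (no PEM headers).
    #    A KeyDescriptor without a 'use' attribute is valid for signing too.
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            certs.append("".join((c.text or "").split()))
    if not certs:
        problems.append("no signing certificate")
    for cert_b64 in certs:
        try:
            der = base64.b64decode(cert_b64, validate=True)
        except ValueError:
            problems.append("signing certificate is not valid base64")
            continue
        if not der.startswith(b"\x30"):  # ASN.1 SEQUENCE tag
            problems.append("signing certificate does not look like DER")
        # A real check would also parse the certificate and verify expiry and key size.

    # 2. The SSO endpoint the browser is redirected to must be served over TLS.
    endpoints = idp.findall("md:SingleSignOnService", NS)
    if not endpoints:
        problems.append("no SingleSignOnService endpoint")
    for ep in endpoints:
        loc = ep.get("Location", "")
        if not loc.startswith("https://"):
            problems.append(f"SingleSignOnService Location is not https: {loc}")

    # 3. Reject any advertised or used SHA-1 algorithm (covers alg:* and ds:* elements).
    for el in root.iter():
        alg = el.get("Algorithm")
        if alg in WEAK_ALGORITHMS:
            problems.append(f"weak algorithm advertised: {alg}")
    return problems


def missing_claims(attributes: dict) -> list:
    """Names of required claims that are absent or empty in an assertion's attributes."""
    return [c for c in REQUIRED_CLAIMS if not attributes.get(c)]


def role_for_groups(groups, group_role_map=GROUP_ROLE_MAP, default_role="Staff"):
    """Map a user's IdP groups to one workspace role; unmatched users get default_role.
    Assumption: when several groups match, the highest-ranked role wins."""
    matched = {group_role_map[g] for g in groups if g in group_role_map}
    if not matched:
        return default_role
    return max(matched, key=lambda r: ROLE_RANK[r])


if __name__ == "__main__":
    print("metadata problems:", check_idp_metadata(SAMPLE_METADATA) or "none")
    print("missing claims:", missing_claims({"email": "ana@example.test", "given_name": "Ana"}))
    print("role:", role_for_groups(["dineos-managers", "all-staff"]))
```

The tie-break in role_for_groups (highest-ranked role wins when a user is in several mapped groups) is a design choice for the example; the page does not say how DineOS resolves that case, so confirm the behaviour in your own workspace before relying on it.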