Configure SSO for all providers
Supported Identity Providers
SurePath AI supports both OpenID Connect (OIDC) and SAML 2.0. Most major identity providers support one or both of these protocols, including (but not limited to):
Microsoft Entra ID (formerly Azure AD)
Entra ID has dedicated SSO documentation
Okta
Auth0
PingIdentity
OneLogin
WorkOS
Rippling
Authentication Protocols
SurePath AI supports both OIDC and SAML authentication protocols. While we recommend OIDC for its enhanced security features and simplified user experience, you may choose either protocol based on your organization's requirements.
Initial Configuration Steps
Navigate to https://admin.surepath.ai
Click on Organization in the left menu column
Select the Identity tab
In the Identity Providers form, click + ADD PROVIDER
In the Provider Name field, enter a name for the IdP or SSO provider being added
In the Provider Type drop-down, select the type of provider you are adding:
OIDC
SAML
SAML - Metadata XML
SAML - Metadata URL
OIDC Configuration
Information SurePath AI Provides
Authorization Callback URL
Also known as Redirect URI, Reply URL, or Callback URL
This URL must be entered in your IdP's configuration
Information Required from Your IdP
Client ID
Also known as Application ID
Client Secret
Also known as Application Secret or API Key
Issuer URL
Also known as Authority URL, OpenID Provider URL, or Issuer Identifier
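The three values above map directly onto claims in the ID token the IdP returns. As an added example (not SurePath AI's code, and not a description of how SurePath AI validates tokens), the following Python checks a decoded ID token payload against the Issuer URL and Client ID you configured: the issuer must match character for character (a trailing slash is a mismatch), the audience must include the Client ID, the token must not be expired, and the email claim this page requires must be present. Signature verification against the IdP's keys is assumed to have already happened; the discovery URL helper shows where the IdP publishes its issuer value and key endpoint. The payload and identifiers are constructed placeholders.

```python
import time
from typing import List, Optional


def discovery_url(issuer_url: str) -> str:
    """Where an OIDC IdP publishes its discovery document for a given Issuer URL.
    The 'issuer' field inside that document is the value to enter as Issuer URL."""
    return issuer_url.rstrip("/") + "/.well-known/openid-configuration"


def check_id_token(payload: dict, issuer_url: str, client_id: str,
                   now: Optional[float] = None) -> List[str]:
    """Return a list of problems with an already signature-verified ID token payload.
    An empty list means the claims are consistent with the configured provider."""
    now = time.time() if now is None else now
    problems: List[str] = []

    # OIDC requires an exact string match between the configured issuer and 'iss'.
    if payload.get("iss") != issuer_url:
        problems.append("iss mismatch: token says %r, provider is configured as %r"
                        % (payload.get("iss"), issuer_url))

    # 'aud' may be a string or a list; the configured Client ID must be in it.
    aud = payload.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        problems.append("aud does not include the configured Client ID")
    elif len(audiences) > 1 and payload.get("azp") != client_id:
        problems.append("token has several audiences but azp is not the Client ID")

    exp = payload.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("token is expired or has no exp claim")

    # SurePath AI needs the email claim; flag its absence before it causes a failed login.
    if not payload.get("email"):
        problems.append("email claim missing; SurePath AI requires it")
    return problems


# Constructed sample values (placeholders, not real identifiers)
SAMPLE_ISSUER = "https://idp.example.com"
SAMPLE_CLIENT_ID = "client-id-placeholder"
SAMPLE_NOW = 1_700_000_000
SAMPLE_PAYLOAD = {
    "iss": "https://idp.example.com",
    "aud": "client-id-placeholder",
    "iat": SAMPLE_NOW,
    "exp": SAMPLE_NOW + 300,
    "sub": "user-123",
    "email": "alice@example.com",
}

if __name__ == "__main__":
    print(discovery_url(SAMPLE_ISSUER))
    print(check_id_token(SAMPLE_PAYLOAD, SAMPLE_ISSUER, SAMPLE_CLIENT_ID, now=SAMPLE_NOW))
```

When a login fails after the provider is enabled, running the IdP's actual discovery document and a captured token through checks like these usually pinpoints the cause: the most common one is an Issuer URL copied with or without a trailing slash that the IdP does not use.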
Required claims for OIDC
SurePath AI requires specific claims to be included in the ID token for successful authentication. The email claim is required for proper user authentication, although most IdPs include this claim by default. Additionally, the user's display name (either as a single claim or combined from first and last name claims) enables SurePath AI to add user name information to User Activity and Telemetry events that are created during GenAI use.
Admins must configure their IdP to include the following claims:
Email claim
Standard claim name: email
Also known as: mail, emailAddress, or preferred_username (depending on IdP)
Display name claim (option 1 - recommended)
Standard claim name: name
Also known as: displayName, display_name, preferred_username, or nickname (depending on IdP)
Display name claims (option 2 - alternative)
If the display name claim is not available, configure both:
First name claim:
Standard claim name: given_name
Also known as: givenName, firstName, or first_name (depending on IdP)
Last name claim:
Standard claim name: family_name
Also known as: surname, lastName, last_name, or sn (depending on IdP)
SurePath AI will combine these claims to create a display name
OIDC Configuration Steps
Enter the required information from your IdP into the corresponding fields
Click SAVE
Toggle the Enabled switch to the enabled position
Click SAVE again to activate the provider
SAML Configuration
Required claims for SAML
SurePath AI requires specific claims to be configured in the SAML response for successful authentication. The email claim is required for proper user authentication, although most IdPs include this claim by default. Additionally, the user's display name (either as a single claim or combined from first and last name claims) enables SurePath AI to add user name information to User Activity and Telemetry events that are created during GenAI use.
Admins must configure their IdP to send the following claims (these become attributes in the SAML assertion):
Email claim
Common claim/attribute names: email, mail, emailAddress, or EmailAddress
Display name claim (option 1 - recommended)
Common claim/attribute names: displayName, name, or DisplayName
Display name claims (option 2 - alternative)
If the display name claim is not available, configure both:
First name claim: givenName, firstName, first_name, or GivenName
Last name claim: surname, lastName, last_name, sn, familyName, or Surname
SurePath AI will combine these claims to create a display name
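The OIDC and SAML claim sections above describe the same resolution logic: the email claim is mandatory, a display name is taken from a single claim when one exists, and otherwise first and last name are combined. As an added example (this is not SurePath AI's code and does not claim to reproduce its exact precedence), the following Python applies that logic to either a decoded OIDC ID token payload or a SAML attribute statement parsed into a dictionary, using the alias names listed on this page. The order of the aliases, the treatment of multi-valued SAML attributes (first value wins), and the rule that a "display name" that is just the email again falls back to first and last name are assumptions of this example. The three inputs at the bottom are constructed.

```python
from typing import Dict, List, Optional, Tuple, Union

# Alias lists merged from the OIDC and SAML sections of this page. Precedence
# (the order within each list) is this example's choice, not SurePath AI's.
EMAIL_CLAIMS = ["email", "mail", "emailAddress", "EmailAddress", "preferred_username"]
DISPLAY_NAME_CLAIMS = ["name", "displayName", "display_name", "DisplayName",
                       "nickname", "preferred_username"]
FIRST_NAME_CLAIMS = ["given_name", "givenName", "firstName", "first_name", "GivenName"]
LAST_NAME_CLAIMS = ["family_name", "familyName", "surname", "Surname",
                    "lastName", "last_name", "sn"]

Claims = Dict[str, Union[str, List[str], None]]


def _first_value(claims: Claims, names: List[str]) -> Optional[str]:
    """First non-empty value among the candidate claim names.
    SAML attributes are usually parsed as lists, so the first list entry is used."""
    for name in names:
        value = claims.get(name)
        if isinstance(value, list):
            value = value[0] if value else None
        if isinstance(value, str) and value.strip():
            return value.strip()
    return None


def resolve_user(claims: Claims) -> Tuple[str, Optional[str]]:
    """Return (email, display_name) from an OIDC payload or SAML attribute dict.
    Raises ValueError when no usable email is present, the case this page says
    will make authentication fail. display_name may be None if no name claims exist."""
    email = _first_value(claims, EMAIL_CLAIMS)
    if email is None or "@" not in email:
        raise ValueError("no usable email claim in the token or assertion")

    display_name = _first_value(claims, DISPLAY_NAME_CLAIMS)
    # Option 2 fallback: combine first and last name. Also applied when the only
    # display-name candidate is the email address again (preferred_username often is).
    if display_name is None or display_name.lower() == email.lower():
        parts = [_first_value(claims, FIRST_NAME_CLAIMS), _first_value(claims, LAST_NAME_CLAIMS)]
        combined = " ".join(p for p in parts if p)
        if combined:
            display_name = combined
    return email, display_name


# Constructed sample inputs
OIDC_PAYLOAD: Claims = {
    "sub": "u1",
    "email": "alice@example.com",
    "preferred_username": "alice@example.com",   # no 'name' claim: fallback to given/family name
    "given_name": "Alice",
    "family_name": "Liddell",
}
SAML_ATTRIBUTES: Claims = {
    "EmailAddress": ["bob@example.com"],
    "DisplayName": ["Bob Builder"],
    "GivenName": ["Bob"],
    "Surname": ["Builder"],
}
NO_EMAIL: Claims = {"sub": "u3", "name": "Carol"}

if __name__ == "__main__":
    print(resolve_user(OIDC_PAYLOAD))     # ('alice@example.com', 'Alice Liddell')
    print(resolve_user(SAML_ATTRIBUTES))  # ('bob@example.com', 'Bob Builder')
```

Running a captured token or assertion through a resolver like this before enabling the provider shows exactly which claim will be used for the email and which for the name, which is easier than inferring it from a failed login or an unnamed User Activity event.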
Option 1: SAML
Information SurePath AI Provides
Service Provider Entity ID
Also known as Issuer URL, Metadata URL, Audience URL, or Provider ID
Authorization Callback URL
Also known as Assertion Consumer Service (ACS) URL, SAML Consumer URL, Service Provider (SP) Response URL, or simply the SAML Endpoint
These values must be entered in your IdP's configuration
Information Required from Your IdP
Entity ID
Also known as Issuer, IdP Entity ID, or Identifier
SSO URL
Also known as SAML Endpoint, Login URL, or IdP Sign-in URL
Provider Certificate
Also known as Identity Provider (IdP) certificate, SAML signing certificate, or encryption certificate
SAML Configuration Steps
Enter the required information from your IdP into the corresponding fields
Click SAVE
Toggle the Enabled switch to the enabled position
Click SAVE again to activate the provider
Option 2: SAML - Metadata XML
This option simplifies configuration by allowing you to upload the metadata XML file from your IdP.
SAML - Metadata XML Configuration Steps
Obtain the SAML metadata XML file from your IdP's administration console
Paste the entire XML content into the Metadata XML field
Click SAVE
Toggle the Enabled switch to the enabled position
Click SAVE again to activate the provider
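The metadata XML uploaded here (and the document fetched from the URL in Option 3) carries the same three values Option 1 asks you to enter by hand. As an added example (not SurePath AI's code, and not how SurePath AI processes the upload), the following Python pulls the Entity ID, the SSO URL and the signing certificate out of an IdP metadata document with the standard library, rejects metadata that describes a Service Provider rather than an IdP, and checks that each certificate is well-formed base64 before anything would trust it. The metadata document and certificate bytes are constructed placeholders.

```python
import base64
import xml.etree.ElementTree as ET
from typing import Dict, List

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def parse_idp_metadata(xml_text: str) -> Dict[str, object]:
    """Extract the values Option 1 calls Entity ID, SSO URL and Provider Certificate."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("root element is not md:EntityDescriptor")
    entity_id = root.get("entityID")

    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this looks like SP metadata, not IdP metadata")

    # Prefer the HTTP-Redirect endpoint, fall back to HTTP-POST.
    locations = {svc.get("Binding"): svc.get("Location")
                 for svc in idp.findall("md:SingleSignOnService", NS)}
    sso_url = locations.get(HTTP_REDIRECT) or locations.get(HTTP_POST)

    signing_certs: List[str] = []
    for key in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute is valid for both signing and encryption.
        if key.get("use") not in (None, "signing"):
            continue
        for cert in key.findall(".//ds:X509Certificate", NS):
            b64 = "".join((cert.text or "").split())   # drop PEM-style line wrapping
            base64.b64decode(b64, validate=True)       # fail early on a corrupted certificate
            signing_certs.append(b64)

    if not entity_id or not sso_url or not signing_certs:
        raise ValueError("metadata lacks Entity ID, SSO URL or a signing certificate")
    return {"entity_id": entity_id, "sso_url": sso_url, "signing_certs": signing_certs}


# Constructed sample metadata; the certificate body is placeholder bytes, not a real certificate.
PLACEHOLDER_CERT_B64 = base64.b64encode(b"constructed placeholder, not a real DER certificate").decode()
IDP_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
                     entityID="https://idp.example.com/saml/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {PLACEHOLDER_CERT_B64}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="{HTTP_REDIRECT}" Location="https://idp.example.com/saml/sso"/>
    <md:SingleSignOnService Binding="{HTTP_POST}" Location="https://idp.example.com/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" entityID="https://sp.example.com">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    print(parse_idp_metadata(IDP_METADATA))
```

Comparing the extracted signing certificate with the one shown in the IdP's console before saving is a cheap way to confirm you exported the IdP's metadata and not your own SP metadata, and to notice a stale certificate after an IdP key rollover.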
Option 3: SAML - Metadata URL
This option allows SurePath AI to automatically fetch and process your IdP's metadata.
SAML - Metadata URL Configuration Steps
Obtain the metadata URL from your IdP (must be publicly accessible)
Enter the URL into the Metadata URL field
Click SAVE
Toggle the Enabled switch to the enabled position
Click SAVE again to activate the provider
