SSO / SAML setup
Wire SAML 2.0 between Moonborn and Okta / Azure AD / Google Workspace. Metadata URL, ACS endpoint, IdP-initiated and SP-initiated flows.
SAML 2.0 SSO is an Enterprise feature. The configuration is per-org; once enabled, users authenticate through your IdP and never see the Moonborn password page.
1. Pull the SP metadata
Moonborn exposes its SP (Service Provider) metadata at:
https://api.moonborn.co/v1/auth/sso/saml/metadata?orgId=org_...
The IdP-side config needs:
- Entity ID: https://api.moonborn.co/saml/{orgId}
- ACS URL: https://api.moonborn.co/v1/auth/sso/saml/acs
- NameID format: emailAddress
- Signed AuthnRequests: required
- Signed Responses: required
2. Push the IdP metadata to Moonborn
Get the IdP's metadata URL or XML, then:
```js
// Point Moonborn at the IdP metadata (URL shown; an XML document also works)
await client.config.setItem({
  key: 'identity.sso.saml.idp_metadata_url',
  value: 'https://your-idp.example.com/metadata',
  scope: 'org',
  scopeId: 'org_...',
});
// Turn SAML on for the org once the metadata is in place
await client.config.setItem({
  key: 'identity.sso.saml.enabled',
  value: true,
  scope: 'org',
  scopeId: 'org_...',
});
```
3. Attribute mapping
Required SAML attributes:
| SAML attribute | Maps to |
|---|---|
| email | user email (also NameID) |
| firstName | display name |
| lastName | display name |
Optional role attribute (defaults to editor if absent):
roles → 'editor' | 'viewer' | 'admin' | 'billing' | 'auditor'
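The attribute rules above, as an added example that is not Moonborn's own code: a mapper that turns a parsed SAML attribute statement into the user fields from the table and rejects anything inconsistent. It assumes attributes arrive as a name-to-values object, that firstName and lastName are joined into the display name, and that roles carries a single value.

```javascript
// Added example, not Moonborn code. Attributes are assumed to be parsed
// already into {attributeName: [values]} form (one entry per AttributeValue).
const ALLOWED_ROLES = ['editor', 'viewer', 'admin', 'billing', 'auditor'];
const DEFAULT_ROLE = 'editor'; // page: role defaults to editor if absent
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

function first(attrs, name) {
  const v = attrs[name];
  return Array.isArray(v) && v.length > 0 ? String(v[0]).trim() : undefined;
}

// Returns {ok: true, user} or {ok: false, reason}. A missing or inconsistent
// required attribute is rejected rather than guessed.
function mapSamlAttributes(nameId, attrs) {
  const email = first(attrs, 'email');
  if (!email || !EMAIL_RE.test(email)) {
    return { ok: false, reason: 'missing or malformed email attribute' };
  }
  // NameID format is emailAddress, so NameID and the email attribute must agree
  if (String(nameId).trim().toLowerCase() !== email.toLowerCase()) {
    return { ok: false, reason: 'NameID does not match email attribute' };
  }
  const firstName = first(attrs, 'firstName');
  const lastName = first(attrs, 'lastName');
  if (!firstName || !lastName) {
    return { ok: false, reason: 'firstName and lastName are required' };
  }
  // roles is optional; an unknown value is rejected instead of being silently
  // downgraded so an IdP mapping mistake surfaces during the test flow.
  const role = first(attrs, 'roles') ?? DEFAULT_ROLE;
  if (!ALLOWED_ROLES.includes(role)) {
    return { ok: false, reason: `unknown role "${role}"` };
  }
  return {
    ok: true,
    user: { email: email.toLowerCase(), displayName: `${firstName} ${lastName}`, role },
  };
}

// Constructed sample attribute statement, shaped like an Okta-style assertion
const sampleAttrs = {
  email: ['Ada@Example.com'],
  firstName: ['Ada'],
  lastName: ['Lovelace'],
};
```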
4. Test the flow
SP-initiated: sign in at https://app.moonborn.co/, enter your work email, get redirected to the IdP, return as authenticated.
IdP-initiated: add Moonborn as a tile in your IdP; users click it and land authenticated.
5. Lock down passwords
After SSO is live, disable password sign-in for the org so users can only authenticate through the IdP:
```js
// Disable password sign-in for the org; the IdP becomes the only way in
await client.config.setItem({
  key: 'identity.credentials.enabled',
  value: false,
  scope: 'org',
  scopeId: 'org_...',
});
```
Provisioning vs authentication
SAML handles who can sign in. For automatic user lifecycle (create / disable on IdP changes), pair with SCIM provisioning.
Tier
Enterprise.