Enterprise SSO

Single Sign-On for Scale and Enterprise plans

Overview

BlazeCrawl supports SAML 2.0 and OIDC authentication for enterprise customers. When SSO is enabled, password login is disabled for all workspace members, and user provisioning can be automated via SCIM 2.0.

Plans & Features

Feature | Scale | Enterprise
SAML 2.0
OIDC
SCIM 2.0
JIT Provisioning
Group-based Roles
MFA Enforcement

Supported Identity Providers

We test and maintain compatibility with the following IdPs:

  • Okta: Tested (SAML, OIDC, SCIM)
  • Microsoft Entra ID: Tested (SAML, OIDC, SCIM)
  • Google Workspace: Tested (SAML, SCIM)
  • OneLogin: Tested (SAML, OIDC, SCIM)
  • JumpCloud: Tested (SAML, OIDC, SCIM)
  • Auth0: Tested (SAML, OIDC, SCIM)

Security Features

  • Signed Assertions: All SAML assertions must be signed
  • Replay Protection: InResponseTo IDs cached for 24 hours
  • Audience Restriction: Validates SP entity ID
  • Certificate Rotation: Support for 2 active IdP certificates
  • MFA Enforcement: Can require MFA at IdP
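
The replay-protection and audience-restriction checks above, shown as an added example on the service-provider side. This is not BlazeCrawl's code: the class and function names, the SP entity ID and the pending-request set are assumptions, and the sample response is constructed. Signature verification is assumed to have passed before these checks run.

```python
import time
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REPLAY_TTL = 24 * 60 * 60  # page: InResponseTo IDs cached for 24 hours
SP_ENTITY_ID = "https://sp.example.test/saml/metadata"  # assumed placeholder


class ResponseChecker:
    """Replay and audience checks, applied after signature verification."""

    def __init__(self, sp_entity_id, clock=time.time):
        self.sp_entity_id = sp_entity_id
        self.clock = clock
        self.pending = set()  # AuthnRequest IDs issued and not yet answered (assumption)
        self.seen = {}        # consumed InResponseTo ID -> cache expiry time

    def register_request(self, request_id):
        self.pending.add(request_id)

    def check(self, response_xml):
        now = self.clock()
        # Drop cache entries that have aged out of the 24-hour window.
        self.seen = {k: exp for k, exp in self.seen.items() if exp > now}
        # Production code should parse untrusted XML with a hardened parser.
        root = ET.fromstring(response_xml)
        irt = root.get("InResponseTo")
        if not irt:
            return "reject: unsolicited response"
        if irt in self.seen:
            return "reject: replayed InResponseTo"
        if irt not in self.pending:
            return "reject: unknown InResponseTo"
        audiences = [a.text for a in root.findall(
            ".//saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
        if self.sp_entity_id not in audiences:
            return "reject: audience mismatch"
        self.pending.discard(irt)
        self.seen[irt] = now + REPLAY_TTL
        return "accept"


def sample_response(irt, audience):
    # Constructed, unsigned sample response used only to exercise the checks.
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'ID="_r1" InResponseTo="{irt}"><saml:Assertion><saml:Conditions>'
            f'<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>'
            f'</saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>')
```

A second delivery of the same response is rejected as a replay while its ID is cached, and still rejected afterwards because the request it answers is no longer pending.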

SCIM 2.0 Support

Automate user provisioning with SCIM 2.0:

  • User create/update/delete
  • Group management
  • Role mapping from groups
  • Automatic API key revocation on deactivation

Group to Role Mapping

Map IdP groups to BlazeCrawl roles:

{
  "BlazeCrawl-Admins": "admin",
  "BlazeCrawl-Engineers": "member",
  "BlazeCrawl-Finance": "billing"
}

Unmapped groups default to readonly (least privilege).

JIT Provisioning

Just-In-Time provisioning creates workspace membership on first SSO login. This is disabled by default; SCIM is the recommended approach for automated provisioning.

Getting Started

  1. Ensure you're on a Scale or Enterprise plan
  2. Choose your IdP from the supported list
  3. Follow the setup guide for your IdP
  4. Configure attribute mapping and group roles
  5. Test the integration

Setup Guides

Need help setting up SSO?

Contact our enterprise team at enterprise@blazecrawl.dev for assistance.