Overview
BlazeCrawl supports SAML 2.0 and OIDC authentication for enterprise customers. When SSO is enabled, password login is disabled for all workspace members, and user provisioning can be automated via SCIM 2.0.
Plans & Features
| Feature | Scale | Enterprise |
|---|---|---|
| SAML 2.0 | ✅ | ✅ |
| OIDC | ✅ | ✅ |
| SCIM 2.0 | ✅ | ✅ |
| JIT Provisioning | ✅ | ✅ |
| Group-based Roles | ✅ | ✅ |
| MFA Enforcement | ✅ | ✅ |
Supported Identity Providers
We test and maintain compatibility with the following IdPs:
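| Identity Provider | Status | Protocols |
|---|---|---|
| Okta | Tested | SAML, OIDC, SCIM |
| Microsoft Entra ID | Tested | SAML, OIDC, SCIM |
| Google Workspace | Tested | SAML, SCIM |
| OneLogin | Tested | SAML, OIDC, SCIM |
| JumpCloud | Tested | SAML, OIDC, SCIM |
| Auth0 | Tested | SAML, OIDC, SCIM |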
Security Features
- Signed Assertions: All SAML assertions must be signed
- Replay Protection: InResponseTo IDs cached for 24 hours
- Audience Restriction: Validates SP entity ID
- Certificate Rotation: Support for 2 active IdP certificates
- MFA Enforcement: Can require MFA at IdP
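The sketch below is an added example, not BlazeCrawl's own code. It shows how a service provider could apply the signed-assertion, certificate-rotation, audience and replay checks listed above to fields already extracted from a parsed response. The class name, the dict keys, the sample entity ID and the rejection of responses without InResponseTo are assumptions; XML signature verification itself is assumed to be done by a SAML library.

```python
import hashlib
import time

REPLAY_TTL_SECONDS = 24 * 60 * 60  # from the list above: IDs cached for 24 hours
MAX_ACTIVE_CERTS = 2               # from the list above: 2 active IdP certificates


class AssertionPolicy:
    """Post-parse checks on a SAML response (hypothetical helper)."""

    def __init__(self, sp_entity_id, idp_certs_der, clock=time.time):
        if not 1 <= len(idp_certs_der) <= MAX_ACTIVE_CERTS:
            raise ValueError("expected 1 or 2 active IdP certificates")
        self.sp_entity_id = sp_entity_id
        # Pin by SHA-256 fingerprint so the old and new cert both pass during rotation.
        self.trusted = {hashlib.sha256(c).hexdigest() for c in idp_certs_der}
        self.seen = {}  # InResponseTo ID -> expiry timestamp
        self.clock = clock

    def check(self, resp):
        """resp: dict of fields taken from an already parsed response."""
        now = self.clock()
        # Drop expired IDs so the cache stays bounded to the 24-hour window.
        self.seen = {k: exp for k, exp in self.seen.items() if exp > now}
        if not resp.get("assertion_signed"):
            return "reject: unsigned assertion"
        cert = resp.get("signing_cert_der", b"")
        if hashlib.sha256(cert).hexdigest() not in self.trusted:
            return "reject: untrusted signing certificate"
        if self.sp_entity_id not in resp.get("audiences", []):
            return "reject: audience mismatch"
        irt = resp.get("in_response_to")
        if not irt:  # assumption: unsolicited responses are not accepted
            return "reject: missing InResponseTo"
        if irt in self.seen:
            return "reject: replayed InResponseTo"
        self.seen[irt] = now + REPLAY_TTL_SECONDS
        return "accept"


# Constructed sample data: placeholder bytes stand in for DER certificates.
OLD_CERT, NEW_CERT = b"constructed-old-cert", b"constructed-new-cert"
SAMPLE = {"assertion_signed": True, "signing_cert_der": NEW_CERT,
          "audiences": ["https://sp.example/saml"], "in_response_to": "_req-1"}

if __name__ == "__main__":
    policy = AssertionPolicy("https://sp.example/saml", [OLD_CERT, NEW_CERT])
    print(policy.check(SAMPLE))  # first delivery of the response
    print(policy.check(SAMPLE))  # same InResponseTo delivered again
```

The in-memory dict only works for a single process; a multi-node deployment would need a shared store with the same 24-hour expiry.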
SCIM 2.0 Support
Automate user provisioning with SCIM 2.0:
- User create/update/delete
- Group management
- Role mapping from groups
- Automatic API key revocation on deactivation
Group to Role Mapping
Map IdP groups to BlazeCrawl roles:
```json
{
  "BlazeCrawl-Admins": "admin",
  "BlazeCrawl-Engineers": "member",
  "BlazeCrawl-Finance": "billing"
}
```
Unmapped groups default to readonly (least privilege).
JIT Provisioning
Just-In-Time provisioning creates workspace membership on first SSO login. This is disabled by default - SCIM is the recommended approach for automated provisioning.
Getting Started
- Ensure you're on the Scale or Enterprise plan
- Choose your IdP from the supported list
- Follow the setup guide for your IdP
- Configure attribute mapping and group roles
- Test the integration
Setup Guides
Need help setting up SSO?
Contact our enterprise team at enterprise@blazecrawl.dev for assistance.