SSO (SAML, OIDC, OAuth)

Enterprise

Enterprise hubs can require participants to authenticate through your organisation’s identity provider (IdP) instead of Fanzava’s default email-based login. Fanzava supports SAML 2.0, OpenID Connect (OIDC), and OAuth 2.0 with PKCE — pick whichever protocol your IdP implements most fully.

Supported identity providers

Fanzava has tested and documented integrations with:

• Okta — SAML 2.0 and OIDC
• Microsoft Entra ID (Azure AD) — SAML 2.0 and OIDC
• Google Workspace — SAML 2.0
• OneLogin — SAML 2.0
• Auth0 — OIDC
• Any standards-compliant SAML 2.0 or OIDC provider

OAuth 2.0 with PKCE is supported for any provider implementing the standard correctly. If your provider isn’t listed, contact your account manager — most standards-compliant providers integrate with no additional work.

Choosing a protocol

Protocol	When to use
SAML 2.0	Your IdP is built around SAML (Okta, Entra ID, OneLogin, Google Workspace). Most common for enterprise.
OpenID Connect (OIDC)	Your IdP supports OIDC. Simpler configuration with metadata auto-discovery.
OAuth 2.0 with PKCE	You’re integrating against a generic OAuth provider that doesn’t fully implement OIDC.

If you have a choice, OIDC is typically the easiest to configure correctly.

Setting up SAML 2.0

Step 1 — Get Fanzava’s service provider details

1. Go to Admin → Settings → Security → SSO
2. Copy the SP Entity ID and ACS URL (Assertion Consumer Service URL)

Step 2 — Configure your identity provider

In your IdP, create a new SAML application:

• Entity ID / Audience: paste Fanzava’s SP Entity ID
• ACS URL / Reply URL: paste Fanzava’s ACS URL
• Name ID format: Email address
• Signature algorithm: RSA-SHA256 (minimum)
• Sign assertions: required
• Encrypt assertions: recommended
• Attribute mapping: email → email, given_name → first name, family_name → last name

For automatic group assignment, map an additional attribute (commonly groups or department) — see Just-in-time provisioning below for how Fanzava interprets it.

Step 3 — Enter IdP details in Fanzava

Back in Fanzava’s SSO settings:

1. Paste your IdP’s Metadata URL (preferred) or upload the XML metadata file
2. Click Verify connection
3. Test with a real user account
4. Enable SSO

Step 4 — Configure enforcement

Once SSO is verified and tested, choose the appropriate enforcement mode for your hub.

Setting up OpenID Connect (OIDC)

1. Go to Admin → Settings → Security → SSO → OIDC
2. Enter your IdP’s Issuer URL, Client ID, and Client Secret
3. Click Verify — Fanzava auto-discovers endpoints from the standard /.well-known/openid-configuration document
4. Test with a real user account
5. Save and configure enforcement

PKCE is enabled by default and cannot be disabled.

Setting up OAuth 2.0 with PKCE

For OAuth-only providers without OIDC discovery:

1. Go to Admin → Settings → Security → SSO → OAuth
2. Enter the Authorization URL, Token URL, User Info URL, Client ID, Client Secret, and required Scopes
3. PKCE is enforced by default and cannot be disabled
4. Verify, test, save

Enforcement modes

After SSO is verified and tested, choose how strictly it’s applied:

Mode	Behaviour
Optional	Participants can use either Fanzava’s default authentication or SSO. Useful during rollout or for hubs with a mix of internal and external participants.
Required	All participants must authenticate via your IdP. Existing Fanzava-password accounts are migrated on next login.
Required with admin bypass	All participants must use SSO, but designated break-glass admin accounts retain a separate authentication path. Recommended for Enterprise hubs.

Switch modes from Admin → Settings → Security → SSO → Enforcement.

!

Warning

Once SSO is set to Required, participants without IdP accounts cannot log in. Before enforcing: confirm all current participants exist in your IdP, and create at least one break-glass admin account.

Domain restrictions

Restrict which email domains can authenticate through your SSO connection. From Admin → Settings → Security → SSO → Allowed domains, add one or more domains (e.g. acme.com, acme.co.uk). Authentication attempts from other domains via the same SSO connection are rejected.

Most useful when:

• Your IdP serves multiple domains and you want only a subset to reach Fanzava
• You want to prevent external contractors with IdP access from accessing your Fanzava hub

Just-in-time provisioning

When a user authenticates via SSO for the first time, Fanzava automatically creates their participant account. No manual invitation is required.

Group memberships can be assigned automatically using IdP attribute mappings:

1. In your IdP, set a SAML attribute or OIDC claim containing the user’s group identifier (e.g. groups: ["sales", "marketing"])
2. In Fanzava, map the attribute name and value-to-group rules from Admin → Settings → Security → SSO → JIT mapping

If a JIT-mapped group doesn’t yet exist in Fanzava, it is created. If a user’s group attribute changes on subsequent login, their group memberships update accordingly.

SCIM 2.0 provisioning ✦ Coming 2026

SCIM 2.0 user and group provisioning is on Fanzava’s roadmap. SCIM enables your IdP to push user and group changes to Fanzava in real time rather than relying on JIT at login. The release is planned to support:

• Real-time de-provisioning when users are removed from your IdP
• Pre-provisioning of users before their first login
• Real-time group membership synchronisation
• Bulk user lifecycle operations

Until SCIM ships, JIT provisioning is the recommended approach. Hubs that require strict de-provisioning today can use the existing Admin → Participants flow with regular reviews.

Operational considerations

Single Logout (SLO)

Fanzava supports IdP-initiated SAML Single Logout. When configured, signing out of your IdP triggers sign-out from Fanzava in the same session. Configure SLO endpoints in your IdP using the values shown in Admin → Settings → Security → SSO → SLO.

SLO is supported for SAML only. OIDC and OAuth sessions follow the standard token-expiry model — see Sessions & tokens.

Certificate and secret rotation

SAML signing certificates and OIDC/OAuth client secrets should be rotated regularly. Fanzava recommends a 90-day rotation cadence for production deployments.

To rotate:

1. Update the metadata URL or replacement credential in Admin → Settings → Security → SSO
2. Click Verify connection to confirm the new credential works
3. Save

For SAML, Fanzava supports an overlap window of up to 24 hours where both the old and new certificates remain valid, allowing in-flight sessions to complete without disruption.

Break-glass admin access

For hubs with Required SSO enforcement, Fanzava recommends maintaining one or two break-glass admin accounts that authenticate outside SSO. These accounts:

• Use Fanzava’s default email-and-MFA authentication (not your IdP)
• Are essential for recovery if the IdP is unavailable, your SSO certificate expires unexpectedly, or a misconfiguration locks out all SSO users
• Should be assigned to senior administrators only, with credentials stored in your password manager and reviewed quarterly

Create break-glass accounts before switching enforcement to Required. Once enforced, only break-glass accounts can authenticate without SSO.

Account linking and SSO migration

When SSO is enabled or enforcement is strengthened, existing Fanzava participant accounts are linked to their SSO identity by matching email address on first SSO login. A 30-day grace period applies, during which both the legacy authentication path and SSO continue to work — giving participants time to migrate cleanly.

For the full linking flow, edge cases (multiple matches, mismatched emails), and migration runbook, see Account linking & SSO migration.

i

Note

SSO setup typically requires coordination with your IT team. Fanzava’s Enterprise onboarding team provides guided setup assistance for all Enterprise plans — book a session via your account manager.