Skip to main content

Enterprise SSO

Operator checklist

1

Database

Apply migrations including ssoProvider (0050_sso_provider.sql).
2

Redirect URI

Set FLUIDE_AUTH_SSO_OIDC_REDIRECT_URI to the public callback URL, for example:https://auth.yourdomain.com/api/v1/auth/sso/callbackRegister the same URI in your IdP (Okta, Entra, Auth0).
3

Trusted origins

Add IdP issuer origins to BETTER_AUTH_SSO_TRUSTED_ORIGINS (comma-separated).
4

Providers JSON

Set FLUIDE_SSO_PROVIDERS_JSON to an array of:providerId, issuer, domain, clientId, clientSecret, optional pkce, scopes, mapping, allowedFluideClientId (fluide-admin or fluide-capital-admin).
5

SPAs

Set NEXT_PUBLIC_FLUIDE_SSO_PROVIDER_ID to match providerId. OAuth fragments are consumed on /post-auth.

Endpoints

  • POST /api/v1/auth/sso/authorize
  • GET /api/v1/auth/sso/callback
JWT issuance uses the same fragment contract as social OAuth via JwtIssuerService.

Gateway

Tyk FluideGateway/apps/auth.json already proxies /api/v1/auth/*; no extra SSO path rules are required.