Skip to main content

Enterprise SSO

Operator checklist

1

Database

Apply migrations including ssoProvider (0050_sso_provider.sql).
2

Redirect URI

Set FLUIDE_AUTH_SSO_OIDC_REDIRECT_URI to the public callback URL, for example:https://auth.yourdomain.com/api/v1/auth/sso/callbackRegister the same URI in your IdP (Okta, Entra, Auth0).
3

Trusted origins

Add IdP issuer origins to BETTER_AUTH_SSO_TRUSTED_ORIGINS (comma-separated).
4

Providers JSON

Set FLUIDE_SSO_PROVIDERS_JSON to an array of:providerId, issuer, domain, clientId, clientSecret, optional pkce, scopes, mapping, allowedFluideClientId (fluide-admin or fluide-capital-admin).
5

SPAs

Set NEXT_PUBLIC_FLUIDE_SSO_PROVIDER_ID to match providerId. OAuth fragments are consumed on /post-auth.

Endpoints

  • POST /api/v1/auth/sso/authorize
  • GET /api/v1/auth/sso/callback
JWT issuance uses the same fragment contract as social OAuth via JwtIssuerService.

API routing

SSO endpoints live under /api/v1/auth/sso/* on the same Fluide API base URL as other Auth routes (sandbox: https://test.api.fluidehr.com). No separate host or path prefix is required for Connect integrations.