SSO & Identity Providers

Coming Soon

Enterprise single sign-on support via SAML 2.0 and OpenID Connect, powered by Supabase Auth. Planned for Q2 2026.

Overview

SKYCOT Enterprise will support centralized authentication through your organization's identity provider. Team members sign in with their corporate credentials — no separate SKYCOT passwords to manage. SSO integration is built on Supabase Auth's enterprise SSO capabilities, providing SAML 2.0 and OpenID Connect (OIDC) protocol support out of the box.

Once configured, SSO enforces your organization's existing authentication policies including multi-factor authentication, conditional access rules, and session management — all governed by your IdP rather than SKYCOT.

Supported Identity Providers

The following identity providers will be supported at launch. Any provider that implements standard SAML 2.0 or OIDC protocols can be connected via the custom configuration option.

Identity Provider   | Protocol        | Status
Okta                | SAML 2.0 / OIDC | Planned
Azure AD (Entra ID) | SAML 2.0 / OIDC | Planned
Google Workspace    | OIDC            | Planned
OneLogin            | SAML 2.0        | Planned
Custom SAML 2.0     | SAML 2.0        | Planned
Custom OIDC         | OIDC            | Planned

Configuration Steps

Setting up SSO for your organization will follow this general workflow. Detailed setup guides for each provider will be published alongside the feature release.

  1. Enable SSO in organization settings — An organization admin navigates to Settings and enables the SSO toggle. This activates the SSO configuration panel.
  2. Select your identity provider — Choose from the supported list or select Custom SAML / Custom OIDC for unlisted providers.
  3. Exchange metadata — SKYCOT provides an SP (Service Provider) metadata URL and ACS (Assertion Consumer Service) endpoint. You configure these in your IdP, then paste your IdP's metadata URL or XML into SKYCOT.
  4. Map attributes — Configure attribute mapping for email, name, and optional group memberships. SKYCOT will provide sensible defaults for each supported provider.
  5. Test the connection — Use the built-in test flow to verify authentication works before enforcing SSO for all team members.
  6. Enforce SSO — Once verified, enable enforcement to require all organization members to authenticate via your IdP. Password-based login is disabled for enforced organizations.

SAML 2.0 Details

SP-Initiated Flow

Users visit SKYCOT, enter their email, and are redirected to your IdP for authentication. After successful login, the IdP posts a SAML assertion back to SKYCOT's ACS endpoint.

IdP-Initiated Flow

Users click the SKYCOT tile in their IdP dashboard (for example, the Okta dashboard or the Azure AD app launcher) and are authenticated directly without visiting the SKYCOT login page first.

OIDC Flow

Standard Authorization Code flow with PKCE. SKYCOT redirects to your OIDC provider's authorization endpoint, receives an authorization code, and exchanges it for ID and access tokens server-side.
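
The PKCE steps of the Authorization Code flow described above, as an added example (not SKYCOT or Supabase code) showing the relying-party side and the check the provider applies at its token endpoint per RFC 7636. The endpoint URL, client ID, redirect URI and all function names are hypothetical placeholders.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

def b64url(data: bytes) -> str:
    # base64url without padding, as RFC 7636 requires
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def challenge_for(verifier: str) -> str:
    # S256 method: BASE64URL(SHA256(ASCII(code_verifier)))
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def new_pkce_pair() -> tuple[str, str]:
    verifier = b64url(secrets.token_bytes(32))  # 43 chars, 256 bits of entropy
    return verifier, challenge_for(verifier)

def build_authorization_url(endpoint, client_id, redirect_uri, state, challenge):
    # Only the challenge travels through the browser; the verifier stays server-side.
    return endpoint + "?" + urlencode({
        "response_type": "code", "client_id": client_id,
        "redirect_uri": redirect_uri, "scope": "openid email profile",
        "state": state, "code_challenge": challenge,
        "code_challenge_method": "S256",
    })

def handle_callback(callback_url: str, expected_state: str) -> str:
    # Reject error responses and any callback whose state is not the one we issued.
    params = parse_qs(urlparse(callback_url).query)
    if "error" in params or "code" not in params:
        raise ValueError("authorization failed")
    state = params.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch")
    return params["code"][0]

def token_request_body(code, verifier, client_id, redirect_uri) -> dict:
    # Sent server-to-server; the provider recomputes the challenge from code_verifier.
    return {"grant_type": "authorization_code", "code": code,
            "redirect_uri": redirect_uri, "client_id": client_id,
            "code_verifier": verifier}

def provider_accepts(verifier: str, stored_challenge: str) -> bool:
    # The check a provider's token endpoint performs (RFC 7636 section 4.6).
    return hmac.compare_digest(challenge_for(verifier), stored_challenge)
```

An authorization code intercepted in the browser redirect is useless on its own: without the verifier held server-side, `provider_accepts` fails and no tokens are issued.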

Security Features

  • Signed SAML assertions with SHA-256 — SKYCOT validates the signature on every assertion before creating a session.
  • Encrypted assertions supported for providers that require response encryption.
  • Just-in-time (JIT) provisioning — new users are automatically created when they first authenticate via SSO, with roles assigned based on IdP group claims.
  • Automatic deprovisioning — when a user is disabled in your IdP, their SKYCOT session is revoked on the next authentication check.
  • Audit log of all SSO authentication events available in the organization admin panel.

Timeline

SSO support is scheduled for Q2 2026. Enterprise customers on the waitlist will receive early access to the beta configuration. To express interest or discuss your organization's requirements, contact enterprise@skycot.com.