Single Sign-On (SSO)
FORG Enterprise supports SAML 2.0 and OIDC for single sign-on. SSO is available on the Enterprise plan and can be configured by org admins without contacting FORG support.
Supported protocols
- SAML 2.0 — Works with Okta, Azure AD, Google Workspace, OneLogin, Ping Identity, and any standards-compliant IdP
- OIDC — Works with Okta, Azure AD (v2), Auth0, Google, and any OIDC-compliant provider
SAML 2.0 setup
Step 1 — Create a SAML app in your IdP
Use these values when creating the SAML application:
| Field | Value |
|---|---|
| ACS URL (Reply URL) | https://forg.pro/auth/saml/callback |
| Entity ID (Audience) | https://forg.pro/auth/saml |
| Name ID Format | Email address |
| Attribute: email | Map to user's email |
| Attribute: first_name | Map to user's first name (optional) |
| Attribute: last_name | Map to user's last name (optional) |
| Attribute: groups | Map to user's group memberships (optional, for team sync) |
Step 2 — Configure FORG
Go to Dashboard → Settings → SSO → Add SAML Provider:
- Paste your IdP's metadata XML URL (preferred) or XML content
- Set the email domain(s) that should route to this IdP
- Choose enforcement: Required (block all non-SSO logins) or Optional
Step 3 — Test
Click Test connection to verify the SAML assertion flow before enforcing. This opens a test login without affecting existing sessions.
OIDC setup
Step 1 — Register an OAuth app
Register a new OAuth application in your identity provider with:
- Redirect URI: https://forg.pro/auth/oidc/callback
- Grant type: Authorization Code
- Scopes: openid email profile
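Before entering the provider's discovery URL in FORG, an admin can check the IdP's discovery document against the grant type and scopes listed above. The following is an added example, not FORG's own code: `check_discovery` is a hypothetical helper, the sample documents are constructed, and the field names are the standard OIDC Discovery metadata fields.

```python
from urllib.parse import urlparse

# What the FORG OIDC setup above relies on: Authorization Code flow and these scopes.
REQUIRED_SCOPES = {"openid", "email", "profile"}
REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")
WELL_KNOWN = "/.well-known/openid-configuration"

def check_discovery(discovery_url, doc):
    """Return a list of problems found in an OIDC discovery document."""
    problems = []
    issuer = doc.get("issuer", "")
    if urlparse(issuer).scheme != "https":
        problems.append("issuer is missing or not https")
    # OIDC Discovery: the document is served from <issuer>/.well-known/openid-configuration,
    # so an issuer that does not match the URL points at a misconfigured or wrong IdP.
    if issuer.rstrip("/") + WELL_KNOWN != discovery_url:
        problems.append("issuer does not match the discovery URL")
    for name in REQUIRED_ENDPOINTS:
        if urlparse(doc.get(name, "")).scheme != "https":
            problems.append(f"{name} is missing or not https")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("response type 'code' not supported")
    # grant_types_supported is optional; the spec default includes authorization_code.
    grants = doc.get("grant_types_supported", ["authorization_code", "implicit"])
    if "authorization_code" not in grants:
        problems.append("authorization_code grant not supported")
    # scopes_supported is optional; only check it when the IdP publishes it.
    if "scopes_supported" in doc:
        missing = REQUIRED_SCOPES - set(doc["scopes_supported"])
        if missing:
            problems.append("scopes not advertised: " + ", ".join(sorted(missing)))
    return problems

# Constructed sample documents (not from a real IdP; endpoint paths are made up).
URL = "https://your-idp.com/.well-known/openid-configuration"
GOOD = {
    "issuer": "https://your-idp.com",
    "authorization_endpoint": "https://your-idp.com/authorize",
    "token_endpoint": "https://your-idp.com/token",
    "jwks_uri": "https://your-idp.com/keys",
    "response_types_supported": ["code", "id_token"],
    "scopes_supported": ["openid", "email", "profile", "groups"],
}
BAD = dict(GOOD, issuer="https://other-idp.example",
           token_endpoint="http://your-idp.com/token",
           response_types_supported=["id_token"], scopes_supported=["openid"])

if __name__ == "__main__":
    print(check_discovery(URL, GOOD), check_discovery(URL, BAD), sep="\n")
```

To run it against a real provider, fetch the discovery URL over HTTPS and pass the parsed JSON as `doc`.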
Step 2 — Configure FORG
Go to Dashboard → Settings → SSO → Add OIDC Provider:
Discovery URL: https://your-idp.com/.well-known/openid-configuration
Client ID: your-client-id
Client Secret: your-client-secret
Email domains: example.com, example.org
Enforcing SSO
When SSO enforcement is enabled for a domain, users with matching email addresses must authenticate via SSO. Direct password login and magic links are disabled. Existing sessions remain valid until expiry.
Org admin accounts can be exempted from SSO enforcement via Settings → SSO → Admin bypass.
Group-to-team mapping
If your IdP sends group membership in the SAML assertion or OIDC claims, FORG can automatically sync team membership. Configure the group attribute name in Settings → SSO → Group sync.
Group names are matched case-insensitively to FORG team slugs. Users are added/removed from teams on each login.