Overview
Single Sign-On (SSO) allows your team to authenticate using your organization’s existing identity provider, eliminating the need for separate Activepieces credentials. This improves security, simplifies user management, and provides a seamless login experience.Prerequisites
Before configuring SSO, ensure you have:- Admin access to your Activepieces platform
- Admin access to your identity provider (Google, GitHub, Okta, or JumpCloud)
- The redirect URL from your Activepieces SSO configuration screen
Accessing SSO Configuration
Navigate to Platform Settings → SSO in your Activepieces admin dashboard to access the SSO configuration screen.
Enforcing SSO
You can enforce SSO by specifying your organization’s email domain. When SSO enforcement is enabled:- Users with matching email domains must authenticate through the SSO provider
- Email/password login can be disabled for enhanced security
- All authentication is routed through your designated identity provider
Supported SSO Providers
Activepieces supports multiple SSO providers to integrate with your existing identity management system.1
Access Google Cloud Console
Go to the Google Cloud Console and select your project (or create a new one).
2
Create OAuth2 Credentials
Navigate to APIs & Services → Credentials → Create Credentials → OAuth client ID.Select Web application as the application type.
3
Configure Redirect URI
Copy the Redirect URL from the Activepieces SSO configuration screen and add it to the Authorized redirect URIs in Google Cloud Console.
4
Copy Credentials to Activepieces
Copy the Client ID and Client Secret from Google and paste them into the corresponding fields in Activepieces.
5
Save Configuration
Click Finish to complete the setup.
GitHub
1
Access GitHub Developer Settings
Go to GitHub Developer Settings → OAuth Apps → New OAuth App.
2
Register New Application
Fill in the application details:
- Application name: Choose a recognizable name (e.g., “Activepieces SSO”)
- Homepage URL: Enter your Activepieces instance URL
3
Configure Authorization Callback
Copy the Redirect URL from the Activepieces SSO configuration screen and paste it into the Authorization callback URL field.
4
Complete Registration
Click Register application to create the OAuth App.
5
Generate Client Secret
After registration, click Generate a new client secret and copy it immediately (it won’t be shown again).
6
Copy Credentials to Activepieces
Copy the Client ID and Client Secret and paste them into the corresponding fields in Activepieces.
7
Save Configuration
Click Finish to complete the setup.
SAML with Okta
1
Create New Application in Okta
Go to the Okta Admin Portal → Applications → Create App Integration.
2
Select SAML 2.0
Choose SAML 2.0 as the sign-on method and click Next.
3
Configure General Settings
Enter an App name (e.g., “Activepieces”) and optionally upload a logo. Click Next.
4
Configure SAML Settings
- Single sign-on URL: Copy the SSO URL from the Activepieces configuration screen
- Audience URI (SP Entity ID): Enter
Activepieces - Name ID format: Select
EmailAddress
5
Add Attribute Statements
Add the following attribute mappings:
| Name | Value |
|---|---|
firstName | user.firstName |
lastName | user.lastName |
email | user.email |
6
Complete Setup in Okta
Click Next, select the appropriate feedback option, and click Finish.
7
Export IdP Metadata
Go to the Sign On tab → View SAML setup instructions or View IdP metadata. Copy the Identity Provider metadata XML.
8
Configure Activepieces
- Paste the IdP Metadata XML into the corresponding field
- Copy the X.509 Certificate from Okta and paste it into the Signing Key field
9
Save Configuration
Click Save to complete the setup.
SAML with JumpCloud
1
Create New Application in JumpCloud
Go to the JumpCloud Admin Portal → SSO Applications → Add New Application → Custom SAML App.
2
Configure ACS URL
Copy the ACS URL from the Activepieces configuration screen and paste it into the ACS URLs field in JumpCloud.
3
Configure SP Entity ID
Set the SP Entity ID (Audience URI) to
Activepieces.4
Add User Attributes
Configure the following attribute mappings:
| Service Provider Attribute | JumpCloud Attribute |
|---|---|
firstName | firstname |
lastName | lastname |
email | email |
5
Enable HTTP-Redirect Binding
JumpCloud does not include the 
HTTP-Redirect binding by default. You must enable this option.6
Export Metadata
Click Save, then refresh the page and click Export Metadata.
7
Configure IdP Metadata in Activepieces
Paste the exported metadata XML into the IdP Metadata field in Activepieces.
8
Configure Signing Certificate
Locate the Paste this into the Signing Key field.
<ds:X509Certificate> element in the IdP metadata and extract its value. Format it as a PEM certificate:9
Assign Users to Application
In JumpCloud, assign the application to the appropriate users or user groups.
10
Save Configuration
Click Finish to complete the setup.
Troubleshooting
Users cannot log in after SSO configuration
Users cannot log in after SSO configuration
- Verify the redirect URL is correctly configured in your identity provider
- Ensure users are assigned to the application in your identity provider
- Check that email domains match the SSO enforcement settings
SAML authentication fails
SAML authentication fails
- Confirm the IdP metadata is complete and correctly formatted
- Verify the signing certificate is properly formatted with BEGIN/END markers
- Ensure all required attributes (firstName, lastName, email) are mapped
HTTP-Redirect binding error (JumpCloud)
HTTP-Redirect binding error (JumpCloud)
- Enable the HTTP-Redirect binding option in JumpCloud
- Re-export the metadata after enabling the binding
- Verify the binding appears in the exported XML