
SSO (Single Sign-On)

SSO is available on Team and Enterprise plans. Undisk supports both OIDC (OpenID Connect) and SAML 2.0 identity providers. SSO setup is currently completed through the REST API calls shown below; a dashboard-based setup flow is planned.

Setup

  1. Create an organization: POST /api/orgs with { name, slug }
  2. Add a domain: POST /api/orgs/:orgId/sso/domains with { domain: "example.com" }
  3. Verify the domain: add the returned TXT record to your DNS, then POST /api/orgs/:orgId/sso/domains/:domain/verify
  4. Register a provider: POST /api/orgs/:orgId/sso/providers with type (oidc/saml), issuer URL, client ID/secret
  5. Activate: POST /api/orgs/:orgId/sso/providers/:id/activate
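The five steps above, driven from a small Python client. This is an added example, not Undisk's own client or SDK: the endpoint paths are the ones documented on this page, but the auth scheme (a bearer token), the response field names (id, txtRecord, verified) and the provider body keys (issuer, clientId, clientSecret) are assumptions. The sequence is split in two because step 3 can only succeed after the admin has published the TXT record; the fake transport is constructed so the client can be exercised offline.

```python
import json
import urllib.request
from typing import Callable, List, Optional, Tuple

# Transport signature: (path, json_body_or_None) -> parsed JSON response.
PostFn = Callable[[str, Optional[dict]], dict]


def http_post(base_url: str, token: str) -> PostFn:
    """Real transport. Bearer-token auth and JSON request/response bodies are
    assumptions; the page does not document the auth scheme."""
    def post(path: str, body: Optional[dict]) -> dict:
        data = json.dumps(body).encode() if body is not None else b""
        req = urllib.request.Request(base_url + path, data=data, method="POST")
        req.add_header("Authorization", f"Bearer {token}")
        req.add_header("Content-Type", "application/json")
        with urllib.request.urlopen(req, timeout=15) as resp:
            return json.load(resp)
    return post


def prepare_domain(post: PostFn, org_name: str, slug: str, domain: str) -> Tuple[str, str]:
    """Steps 1-2: create the org and add the domain. Returns (orgId, TXT record).
    The admin must publish the TXT record in DNS before finish_setup runs."""
    org = post("/api/orgs", {"name": org_name, "slug": slug})
    challenge = post(f"/api/orgs/{org['id']}/sso/domains", {"domain": domain})
    return org["id"], challenge["txtRecord"]   # response field names assumed


def finish_setup(post: PostFn, org_id: str, domain: str, provider: dict) -> str:
    """Steps 3-5, run once the TXT record is live. The provider is registered
    only after verification succeeds and activated only after registration
    succeeds, so a failure at any step leaves no half-configured active
    provider. Returns the provider id."""
    if provider.get("type") not in ("oidc", "saml"):
        raise ValueError("provider type must be 'oidc' or 'saml'")
    if "issuer" not in provider:                # body key assumed
        raise ValueError("provider needs an issuer URL")
    result = post(f"/api/orgs/{org_id}/sso/domains/{domain}/verify", None)
    if result.get("verified") is not True:      # response field assumed
        raise RuntimeError(f"TXT record for {domain} not visible yet; retry later")
    prov = post(f"/api/orgs/{org_id}/sso/providers", provider)
    post(f"/api/orgs/{org_id}/sso/providers/{prov['id']}/activate", None)
    return prov["id"]


def fake_transport() -> Tuple[PostFn, List[Tuple[str, Optional[dict]]]]:
    """Constructed in-memory server for offline runs: records every call and
    returns the minimal responses the client expects."""
    calls: List[Tuple[str, Optional[dict]]] = []

    def post(path: str, body: Optional[dict]) -> dict:
        calls.append((path, body))
        if path == "/api/orgs":
            return {"id": "org_test"}
        if path.endswith("/sso/domains"):
            return {"txtRecord": "undisk-verify=EXAMPLE_TOKEN"}
        if path.endswith("/verify"):
            return {"verified": True}
        if path.endswith("/sso/providers"):
            return {"id": "prov_test"}
        return {}
    return post, calls


if __name__ == "__main__":
    post, calls = fake_transport()
    org_id, txt = prepare_domain(post, "Acme", "acme", "example.com")
    print(f"publish this TXT record for example.com, then run finish_setup: {txt}")
    provider_id = finish_setup(post, org_id, "example.com",
                               {"type": "oidc", "issuer": "https://idp.example.com",
                                "clientId": "client-id", "clientSecret": "client-secret"})
    print("active provider:", provider_id, "after", len(calls), "calls")
```

Against a live deployment, swap `fake_transport()` for `http_post(base_url, token)`; keep the client secret out of shell history and logs, since it is sent in the step 4 body.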

SSO Login

Users with email domains matching a verified SSO domain are redirected to the IdP:
GET /api/auth/sso/login?email=user@example.com
The flow: domain lookup → IdP redirect → callback → JIT user provisioning → session creation → redirect to dashboard.

Session Enforcement

SSO sessions have an expiry set by the IdP. When an SSO session expires, the user must re-authenticate via their IdP. The X-SSO-Reauth-Required header is sent 5 minutes before expiry. Organizations can enforce SSO by setting enforceSSO: true in org metadata. When enforced, password login is blocked for users with matching email domains — they must use SSO.
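The domain-lookup step of the SSO login flow and the enforcement rules above, modelled as pure functions. This is an added example, not Undisk's code: it shows the decisions a login endpoint has to make (route the email to the IdP only when its domain is verified and the org has an active provider; refuse password login for those domains when enforceSSO is set; emit X-SSO-Reauth-Required during the last 5 minutes of the IdP-issued session). The org record shape (verifiedDomains, activeProvider, metadata) and the header value "true" are assumptions; the sample orgs are constructed. The page does not say what happens when enforceSSO is set before any provider is active, so the example treats enforcement as independent of provider state.

```python
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# From the page: the reauth header is sent 5 minutes before the IdP-set expiry.
REAUTH_WARNING = timedelta(minutes=5)

# Constructed org records. Only the enforceSSO flag comes from the page; the
# surrounding shape is an assumption for the example.
SAMPLE_ORGS = [
    {"id": "org_acme", "verifiedDomains": {"example.com"},
     "activeProvider": "prov_1", "metadata": {"enforceSSO": True}},
    {"id": "org_partner", "verifiedDomains": {"partner.test"},
     "activeProvider": "prov_2", "metadata": {}},
    {"id": "org_pending", "verifiedDomains": {"pending.test"},
     "activeProvider": None, "metadata": {"enforceSSO": True}},
]


def email_domain(email: str) -> str:
    """Extract and normalize the domain; reject malformed addresses."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("malformed email address")
    return domain.lower()


def org_for_domain(email: str, orgs: List[dict]) -> Optional[dict]:
    """Org whose verified domain exactly matches the email's domain. Exact set
    membership is deliberate: a suffix or substring match would let
    attacker-example.com or example.com.evil.test claim example.com's org."""
    domain = email_domain(email)
    for org in orgs:
        if domain in org["verifiedDomains"]:
            return org
    return None


def sso_route(email: str, orgs: List[dict]) -> Optional[dict]:
    """Domain lookup step of the login flow: redirect to the IdP only when the
    matching org has an active provider; otherwise fall through to normal login."""
    org = org_for_domain(email, orgs)
    return org if org is not None and org.get("activeProvider") else None


def password_login_allowed(email: str, orgs: List[dict]) -> bool:
    """enforceSSO blocks password login for matching domains. The flag is
    compared to the boolean True so a string such as "false" stored by mistake
    cannot count as enforcement (or as non-enforcement) by accident."""
    org = org_for_domain(email, orgs)
    return not (org is not None and org["metadata"].get("enforceSSO") is True)


def session_state(expires_at: datetime, now: datetime) -> str:
    """'active', 'reauth-required' (within the 5-minute window) or 'expired'."""
    remaining = expires_at - now
    if remaining <= timedelta(0):
        return "expired"
    if remaining <= REAUTH_WARNING:
        return "reauth-required"
    return "active"


def response_headers(expires_at: datetime, now: datetime) -> dict:
    """Headers to attach to a response served under an SSO session. An expired
    session is rejected rather than served; the header value is assumed."""
    state = session_state(expires_at, now)
    if state == "expired":
        raise PermissionError("SSO session expired; re-authenticate with the IdP")
    return {"X-SSO-Reauth-Required": "true"} if state == "reauth-required" else {}


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for addr in ("alice@example.com", "carol@partner.test", "eve@pending.test"):
        org = sso_route(addr, SAMPLE_ORGS)
        print(addr, "->", org["id"] if org else "no SSO route",
              "| password login:", password_login_allowed(addr, SAMPLE_ORGS))
    print(response_headers(now + timedelta(minutes=3), now))
```

The org_pending case shows the lockout that this reading produces: with enforceSSO set and no active provider, password login is refused and there is no IdP to redirect to, so activate the provider (step 5) and test a login before turning enforcement on.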

Credential Revocation

Org owners can revoke all SSO sessions and OAuth tokens for a user:
POST /api/orgs/:orgId/sso/revoke-user
{ "userId": "user_abc123" }

SAML Metadata

SP metadata for SAML IdP configuration:
GET /api/auth/sso/saml/metadata?orgId=org_123

SSO Audit Trail

SSO admin events (domain verification, provider changes, credential revocation) are logged in a separate sso_admin_log table at the organization level. File-level audit entries include ssoIdentity when the operation was performed via an SSO session.