Single sign-on (SSO) lets your team log in to CRAFT using their existing company credentials. Once SSO is configured, users are redirected to your identity provider when they access CRAFT — they do not need to set or remember a separate CRAFT password.
SSO configuration requires organisation owner permissions. If you do not see the SSO settings described below, contact your organisation owner.
Supported identity providers
CRAFT supports SSO via two standard protocols:

| Protocol | Compatible providers |
|---|---|
| OIDC (OpenID Connect) | Microsoft Entra ID (formerly Azure AD), Google Workspace, Okta, and any OIDC-compliant provider |
| SAML 2.0 | Microsoft Entra ID, Okta, Ping Identity, and any SAML 2.0-compliant provider |
Before you begin
You will need the following information from your identity provider administrator:
For OIDC:
- Discovery URL (also called the “well-known” endpoint), in the format https://your-provider.example.com/.well-known/openid-configuration
- Client ID and client secret (you will create an application in your identity provider and receive these)
- Redirect URL to enter in your identity provider: provided in the CRAFT SSO settings screen
For SAML:
- Identity provider metadata URL or XML file
- Redirect URL and SP entity ID to enter in your identity provider: provided in the CRAFT SSO settings screen
Configure SSO in CRAFT
Select your protocol
Choose OIDC or SAML depending on what your identity provider supports. If both are available, OIDC is recommended for simplicity.
Enter your identity provider details
Fill in the connection details for your provider:
- For OIDC: enter the discovery URL, client ID, and client secret.
- For SAML: upload the metadata XML file or enter the metadata URL.
Configure your identity provider
In your identity provider’s administration console, create an application or enterprise app for CRAFT and enter the values shown in the CRAFT SSO settings screen (redirect URL, entity ID, etc.).
Refer to your identity provider’s documentation for the specific steps.
For the engineer-side configuration details and Helm chart settings, see SSO Integration Guide.
Test the connection
After saving your configuration, select Test Connection. CRAFT will attempt to authenticate with your identity provider. If the test succeeds, SSO is ready to use.
What happens to existing users
When you enable SSO, existing users who log in with a CRAFT password are asked to re-authenticate via your identity provider. Their email address in CRAFT must match the email address in your identity provider — otherwise they will be treated as a new user. If a user’s email address in CRAFT does not match their identity provider email, contact Emergence support to merge the accounts.
Troubleshooting
Users see 'Access Denied' after logging in
The user’s email address may not be in the group or application you configured in your identity provider. Check that the user has been assigned to the CRAFT application in your identity provider’s admin console.
SSO redirect loops or blank screen
Check that the redirect URL in your identity provider exactly matches the value shown in the CRAFT SSO settings screen. A trailing slash or incorrect protocol (http vs https) will cause redirect failures.
Test connection fails with 'invalid client'
Double-check the client ID and client secret. If you recently rotated the client secret in your identity provider, you will need to update it in the CRAFT SSO settings.
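A pre-flight check for the two values this page says must be exact, the OIDC discovery URL and the redirect URL, given as an added example that is not CRAFT's own code. The function names, the sample provider document and the `/sso/callback` path are constructed for illustration; the required-field list and the issuer rule come from the OpenID Connect Discovery specification.

```python
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"
# Fields the OpenID Connect Discovery spec marks as unconditionally REQUIRED.
REQUIRED = ("issuer", "authorization_endpoint", "jwks_uri",
            "response_types_supported", "subject_types_supported",
            "id_token_signing_alg_values_supported")

def check_discovery(discovery_url, doc):
    """Return a list of problems with a discovery URL and its parsed JSON."""
    problems = []
    if urlsplit(discovery_url).scheme != "https":
        problems.append("discovery URL is not https")
    if not discovery_url.endswith(WELL_KNOWN):
        problems.append("discovery URL does not end with " + WELL_KNOWN)
    elif "issuer" in doc and doc["issuer"] != discovery_url[:-len(WELL_KNOWN)]:
        # The issuer must equal the discovery URL minus the well-known suffix.
        problems.append(f"issuer {doc['issuer']!r} does not match discovery URL")
    problems += [f"missing field: {k}" for k in REQUIRED if k not in doc]
    return problems

def diff_redirect(shown_in_craft, entered_in_idp):
    """Explain why two redirect URLs fail an exact string comparison."""
    if shown_in_craft == entered_in_idp:
        return []
    a, b = urlsplit(shown_in_craft), urlsplit(entered_in_idp)
    reasons = []
    if a.scheme != b.scheme:
        reasons.append(f"scheme: {a.scheme} vs {b.scheme}")
    if a.netloc != b.netloc:
        reasons.append(f"host/port: {a.netloc} vs {b.netloc}")
    if a.path != b.path:
        slash = a.path.rstrip("/") == b.path.rstrip("/")
        reasons.append("trailing slash differs" if slash else f"path: {a.path} vs {b.path}")
    if (a.query, a.fragment) != (b.query, b.fragment):
        reasons.append("query or fragment differs")
    return reasons or ["differs only in letter case or empty delimiters"]

# Constructed sample values; not real CRAFT or provider endpoints.
SAMPLE_URL = "https://your-provider.example.com" + WELL_KNOWN
SAMPLE_DOC = {
    "issuer": "https://your-provider.example.com",
    "authorization_endpoint": "https://your-provider.example.com/authorize",
    "jwks_uri": "https://your-provider.example.com/jwks",
    "response_types_supported": ["code"], "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"]}
if __name__ == "__main__":
    print(check_discovery(SAMPLE_URL, SAMPLE_DOC))
    print(diff_redirect("https://craft.example.com/sso/callback",
                        "http://craft.example.com/sso/callback/"))
```

In practice `doc` would be the JSON fetched from the discovery URL your identity provider administrator supplied, and the two redirect strings would be copied from the CRAFT SSO settings screen and the identity provider's console.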

