Studeia Docs

SSO Enterprise: SAML, OIDC and SCIM 2.0

Studeia Enterprise: SAML 2.0, OIDC with PKCE, SCIM 2.0 (14 RFC 7644 endpoints), JIT provisioning, group-to-course mapping. Integrates with Okta, Azure AD, Google Workspace, and any standard IdP.

2026-05-23
Short answer

The Studeia Enterprise plan supports SAML 2.0 (via node-saml), OIDC with PKCE and SCIM 2.0 (14 RFC 7644 endpoints). JIT provisioning creates users on first login; group-to-course mapping auto-enrolls students in a course when the IdP adds them to the mapped group; the SCIM bearer token is stored encrypted with AES-256-GCM; all events are audited in ScimAuditLog. Integrates with Okta, Azure AD, Google Workspace and any standard IdP.

Prerequisites

  • Enterprise plan (verified in /api/auth/sso/[tenantSlug] route — other plans return 403)
  • Configured domain (white-label optional but recommended)
  • IdP admin access (Okta, Azure AD, Google Workspace, Ping, OneLogin, etc)

SAML 2.0

ACS endpoint: /api/auth/sso/[tenantSlug]/saml/callback. SP metadata: /api/institution/sso/metadata. SAML Response validated via node-saml (XML signature, namespace, NotBefore/NotOnOrAfter).

OIDC

Authorization Code + PKCE (S256). The state parameter is HMAC-signed and paired with a Redis nonce (15 min TTL, anti-replay). Userinfo endpoint → JIT provisioning → Supabase session.

SCIM 2.0

14 RFC 7644 endpoints. The bearer token is stored encrypted with AES-256-GCM. Configure in the IdP under Provisioning. Supports CRUD, soft-delete (DELETE sets User.status=suspended; rows are never deleted from the database) and bulk operations.

Group → Course mapping

When SCIM adds a member to a mapped group, Studeia creates an active Enrollment in the mapped course. Large groups (>50 members) are processed asynchronously via BullMQ (scim-group-sync queue); the response is 202 with a jobId.

Security

  • SCIM Bearer token: encrypted AES-256-GCM in TenantSsoConfig.scimToken
  • OAuth state: HMAC-SHA256 + Redis nonce
  • JIT validation via allowedDomains (anti-shadow accounts)
  • ScimAuditLog logs every operation with redacted payload

Limitations

  • Direct LDAP (without SAML/OIDC) is not natively supported — on the roadmap
  • SAML SLO (Single Logout) is only partially supported — use SCIM for reliable deprovisioning
  • MFA is delegated to the IdP
  • Group nesting is only partially supported — flatten groups in the IdP

FAQ

Does Studeia support SSO with Okta?

Yes, via SAML 2.0 or OIDC. Configure in Settings > SSO > Add Provider, choose SAML or OIDC, paste metadata XML (SAML) or discovery URL (OIDC). JIT provisioning creates users automatically on first login.

What SSO protocols does Studeia support?

SAML 2.0 (via node-saml, validates XML signature, supports SP-initiated and IdP-initiated), OIDC with Authorization Code + PKCE + automatic discovery, SCIM 2.0 for provisioning (RFC 7644 — Users + Groups + ServiceProviderConfig endpoints).

Does SCIM 2.0 work with Azure AD?

Yes. Studeia exposes /api/scim/v2/Users and /api/scim/v2/Groups with Bearer token auth. Configure in Azure AD Enterprise Application > Provisioning > Provisioning Mode: Automatic. Supports CRUD, soft-delete (User.status=suspended) and bulk operations.

Does automatic group-to-course mapping work?

Yes. An SsoGroup can be mapped to a Course via SsoGroupCourseMapping. When the IdP adds a user to the group, Studeia auto-enrolls them in the course; when the IdP removes them, Studeia cancels the enrollment. Large groups (>50 members) are processed via BullMQ.
