Enterprise SSO
Enterprise SSO lets users authenticate through the customer's identity provider before entering FactVerse. It reduces duplicate account handling and keeps user lifecycle, password policy, conditional access, and identity assurance aligned with the customer's IT governance.
Use this page during SSO planning, configuration review, acceptance testing, and support handoff. For API-level single sign-on callback details, keep the legacy SDK / SSO reference available to the integration team.
Planning flow
Prerequisites
Before configuration starts, confirm that the customer IT owner, FactVerse project owner, and tenant administrator are assigned. The team also needs access to the target FactVerse environment, the identity provider administration console, and at least two test users with different expected access results.
Inputs
| Input | Owner | Notes |
|---|---|---|
| FactVerse environment URL | Project administrator | Use the production, staging, private cloud, or on-premises URL that users will actually open. |
| Identity provider | Customer IT | Microsoft Entra ID, Okta, Ping Identity, Keycloak, or another enterprise IdP may be used depending on the deployment. |
| Protocol and metadata | Customer IT and DataMesh project team | Confirm supported SSO mode, metadata exchange, certificates, callback URL, and logout behavior for the environment. |
| User identifier | Customer IT | Email, username, employee ID, or another stable claim must map to the FactVerse user model. |
| Tenant and role assignment | Tenant administrator | SSO proves identity. FactVerse roles still decide what the user can do. |
| Test users | Customer IT and business owner | Include normal users, administrators, disabled users, and users missing required role assignments. |
Configuration checklist
| Area | Confirm |
|---|---|
| Domain and redirect | FactVerse URL, callback URL, allowed domains, and redirect behavior match the deployment. |
| Certificate or secret | Signing certificate, client secret, or equivalent credential is stored and rotated according to customer policy. |
| Claims | Required identity claims are present and stable. |
| Tenant mapping | The authenticated user maps to the correct tenant and project boundary. |
| Role mapping | User roles are assigned in FactVerse or through the approved provisioning process. |
| Error handling | The customer support team knows how to capture IdP error, FactVerse error, timestamp, and test user. |
Validation procedure
- Open the target FactVerse environment.
- Start SSO sign-in from the FactVerse login page or the customer portal.
- Complete authentication in the enterprise identity provider.
- Confirm the user returns to FactVerse without a redirect loop.
- Confirm the displayed identity matches the expected user.
- Confirm the user can enter the intended tenant.
- Confirm product navigation and the first task match the assigned role.
- Repeat with a user who should not have access and confirm access is denied cleanly.
Expected result
SSO is ready when pilot users can authenticate through the customer's identity provider, return to the correct FactVerse environment, enter the expected tenant, and see product access that matches their assigned roles. Support owners should also have enough IdP and FactVerse evidence to diagnose failed sign-ins without guessing.
Support handoff
For production support, record:
- identity provider name and support owner;
- FactVerse environment URL and callback URL;
- user identifier claim used for mapping;
- expected role provisioning path;
- certificate or secret rotation owner;
- test account names or a test procedure approved by the customer;
- escalation path for IdP outage, account disablement, and tenant access errors.
Common issues
| Symptom | Likely check |
|---|---|
| User loops between IdP and FactVerse | Callback URL, cookie policy, browser restrictions, or mismatched environment. |
| User authenticates but cannot enter tenant | Tenant membership or user mapping. |
| User enters tenant but product is hidden | Role assignment, product package, or project scope. |
| SSO works for one user but not another | User claim, group assignment, conditional access, or disabled account status. |
| API SSO integration fails | Source identifier, token validity, callback parameters, or the integration reference. |
Related pages
- Use Sign in to FactVerse for end-user login validation.
- Use Users, Roles, and Permissions after SSO succeeds.
- Use Authentication Troubleshooting for evidence collection and triage.