Organizations

SSO for organizations

Tragentics supports organization-level SAML SSO configuration so members on a company domain can sign in through their identity provider instead of using only local email-and-password auth.

Packaging: SSO is intended to be an add-on, not a default Business inclusion. Business includes one organization. SSO can be layered on top when the organization needs centralized identity.

What SSO does

Organization SSO gives the admin a way to tie sign-in behavior to a verified business domain and a SAML provider configuration.

Once configured, users on the organization's domain can be recognized on the login page and prompted toward SSO.

Where SSO is configured

The SSO card currently lives in the Members tab on the organization page. It shows:

  • whether SSO is currently active
  • the configured domain
  • the ability to configure SSO
  • the ability to remove the current SSO configuration

Required inputs

The current SSO configuration flow asks for:

  • Company domain — for example acme.com
  • IdP metadata URL — your identity provider's SAML metadata endpoint

Tragentics stores the provider reference and the SSO domain at the organization layer so sign-in behavior can be routed correctly.

Login behavior

On the login page, Tragentics can check whether the user's email domain matches an organization with SSO enabled. If it does, the login experience can show SSO-specific affordances instead of treating the account as local-auth only.

This domain check is public and rate-limited. It does not expose the full organization surface — it only answers whether SSO is enabled for that domain.
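The sketch below is an added example, not Tragentics code: it shows one way a public domain check can answer with a single boolean while rate-limiting callers and never returning the stored provider reference. The function names, the exact-match domain rule, the in-memory store, and the limit of 5 checks per 60 seconds are all assumptions made for illustration.

```javascript
// Added illustration; not Tragentics code. All names and limits are assumptions.
const ssoDomains = new Map([
  // Constructed sample data: domain -> internal record that must stay server-side.
  ['acme.com', { orgId: 'org_example_1', providerRef: 'provider_example_1' }],
]);

const WINDOW_MS = 60000; // assumed rate-limit window
const MAX_CHECKS = 5;    // assumed max checks per client per window
const hits = new Map();  // clientKey -> { windowStart, count }

// Fixed-window limiter keyed by whatever identifies the caller (e.g. source IP).
function allow(clientKey, now) {
  const h = hits.get(clientKey);
  if (!h || now - h.windowStart >= WINDOW_MS) {
    hits.set(clientKey, { windowStart: now, count: 1 });
    return true;
  }
  h.count += 1;
  return h.count <= MAX_CHECKS;
}

// Returns the normalized domain of an email address, or null if malformed.
function emailDomain(email) {
  if (typeof email !== 'string') return null;
  const at = email.lastIndexOf('@');
  if (at < 1) return null; // no '@' or empty local part
  const domain = email.slice(at + 1).trim().toLowerCase().replace(/\.$/, '');
  return /^[a-z0-9-]+(\.[a-z0-9-]+)+$/.test(domain) ? domain : null;
}

// Public check: the response carries one boolean and nothing from the org record.
function checkSsoDomain(email, clientKey, now = Date.now()) {
  if (!allow(clientKey, now)) {
    return { status: 429, body: { error: 'rate_limited' } };
  }
  const domain = emailDomain(email);
  // Malformed input and unknown domains get the same answer as "no SSO",
  // and matching is exact, so subdomains and look-alike suffixes do not match.
  const sso = domain !== null && ssoDomains.has(domain);
  return { status: 200, body: { sso } };
}
```

Because malformed addresses, unknown domains, and subdomains all produce the same `{ sso: false }` body, the response shape gives a caller nothing beyond the yes/no answer the page describes.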

Removing SSO

The admin can remove SSO from the organization. Doing so clears the organization's SSO provider reference and domain association.

Removing SSO is not the same as deleting the organization. It only changes the organization's identity entry point.

The UI currently notes that SSO requires the Supabase Team plan on the infrastructure side. Even if the commercial packaging is an add-on inside Tragentics, the underlying IdP support still depends on the deployed auth stack supporting SAML.