SAML SSO is part of the Enterprise plan and is configured per organization by an organization owner. If you don’t see the Authentication settings, contact CloudCruise to enable it.
How it works
SSO is set up in two steps, both from Organization Settings → Authentication:- Verify your domain — prove you own the email domain your team uses (e.g.
acme.com) by adding a DNS TXT record. - Attach a SAML configuration — paste your IdP’s metadata (Entity ID, SSO URL, signing certificate) onto the verified domain.
- Okta
- Microsoft Entra ID (Azure AD)
- Google Workspace
- OneLogin
- Ping Identity
- JumpCloud
- …and any other SAML 2.0 IdP
Before you start
You’ll be moving values back and forth between your IdP and CloudCruise. From CloudCruise, your IdP needs these Service Provider (SP) details:| Setting in your IdP | Value |
|---|---|
| ACS URL (a.k.a. Reply URL, Single sign-on URL, Assertion Consumer Service) | https://hrcczpkvvknatvtuwksw.supabase.co/auth/v1/sso/saml/acs |
| SP Entity ID (a.k.a. Audience URI, Identifier) | https://hrcczpkvvknatvtuwksw.supabase.co/auth/v1/sso/saml/metadata |
| SP Metadata URL (if your IdP supports importing it) | https://hrcczpkvvknatvtuwksw.supabase.co/auth/v1/sso/saml/metadata |
| Name ID format | Email address (urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress) |
These Service Provider URLs are the same for every CloudCruise customer — they’re CloudCruise’s hosted SAML endpoint. Point your IdP’s ACS and Audience at them, and send the user’s email address as the SAML Name ID.
- IdP Entity ID — your IdP’s SAML issuer / metadata identifier.
- IdP SSO URL — the IdP login endpoint (must be HTTPS).
- IdP signing certificate — the IdP’s x509 public certificate, in PEM format.
Step 1: Verify your domain
Open Authentication settings
Go to your organization’s Settings → Authentication page. (This link resolves to your active organization automatically.)
Add your email domain
Under Verified domains, enter the domain your team signs in with (for example
acme.com) and click Add domain. A verification dialog opens automatically.Publish the DNS TXT record
Add the following record at your DNS provider (the dialog shows the exact values with copy buttons):
The token is generated per domain — copy it from the dialog rather than from this page.
| Field | Value |
|---|---|
| Type | TXT |
| Name / Host | _cloudcruise-sso-verification.acme.com |
| Value | cc-sso-verify=<your-unique-token> |
DNS changes can take anywhere from a minute to a few hours to propagate. If verification keeps failing, the dialog tells you exactly what it found at the hostname — e.g. a stale
cc-sso-verify= record or no record at all.Step 2: Add your SAML configuration
First create a SAML application in your IdP using the Service Provider details above, then bring the IdP’s values back into CloudCruise.Create the SAML app in your IdP
In your identity provider, create a new SAML 2.0 application and set:
- ACS URL →
https://hrcczpkvvknatvtuwksw.supabase.co/auth/v1/sso/saml/acs - Audience / SP Entity ID →
https://hrcczpkvvknatvtuwksw.supabase.co/auth/v1/sso/saml/metadata - Name ID → the user’s email address, format
emailAddress
Copy your IdP's metadata values
From the IdP’s SAML metadata (or app settings), collect:
- IdP Entity ID (e.g.
https://idp.acme.com/metadata) - IdP SSO URL — the HTTPS sign-on endpoint (e.g.
https://idp.acme.com/sso) - Signing certificate in PEM form, including the
-----BEGIN CERTIFICATE-----/-----END CERTIFICATE-----lines
Create the configuration in CloudCruise
Back on the Authentication page, under SAML configuration:
- Choose the verified domain from Step 1.
- Paste the IdP Entity ID, IdP SSO URL, and IdP Certificate (PEM).
- Click Create configuration.
Test the login
Open the login page, choose Sign in with SSO, and enter a work email on the configured domain. You should be redirected to your IdP and, after authenticating, returned to CloudCruise signed in.
Requiring SSO (enforcement)
Each SAML configuration has a Require SSO toggle:| State | Behavior |
|---|---|
| Off (default) | Users on the domain can sign in either with SSO or with an email/password. |
| On | Password sign-in and new password sign-ups are blocked for the domain. Anyone attempting password login is redirected to SSO. |
Turn enforcement on only after you’ve confirmed SSO login works end-to-end. If your IdP configuration has a mistake and password sign-in is already disabled, you can lock yourself out. Leave it off while testing, then flip it on.
User provisioning
CloudCruise uses just-in-time provisioning. When a user signs in through SSO for the first time, an account is created automatically from the email address in the SAML assertion — there’s no separate import step. The email comes from the SAML Name ID (emailAddress format), which is why your IdP must send it there.
Just-in-time provisioning creates the CloudCruise user account and profile only. It does not automatically add the user to your organization or to every workspace.
To give a user access, invite them to your organization from CloudCruise. When they accept the invite, they’re added as an organization Member and as a Member of the organization’s existing workspaces. New workspaces can also be created with existing organization members added automatically, or workspace access can be managed separately.
For most providers the default mapping (Name ID → email) is all you need. If your IdP can only send email as a custom attribute claim, contact support — a custom attribute mapping can be applied to your configuration.
Identity provider quick reference
The exact labels differ per provider, but the mapping is always the same.- Okta
- Microsoft Entra ID
- Google Workspace
- Applications → Create App Integration → SAML 2.0.
- Single sign-on URL →
https://hrcczpkvvknatvtuwksw.supabase.co/auth/v1/sso/saml/acs - Audience URI (SP Entity ID) →
https://hrcczpkvvknatvtuwksw.supabase.co/auth/v1/sso/saml/metadata - Name ID format →
EmailAddress; Application username → Email. - Finish, then open Sign On → View SAML setup instructions to grab:
- Identity Provider Issuer → IdP Entity ID
- Identity Provider Single Sign-On URL → IdP SSO URL
- X.509 Certificate → paste as the PEM certificate
Managing and removing configurations
From the Authentication page you can:- Toggle Require SSO on or off at any time.
- Delete a SAML configuration — users on that domain can no longer sign in via SSO (delete this before removing the domain).
- Delete a verified domain — only allowed once its SAML configuration has been removed.
Troubleshooting
Domain verification never succeeds
Domain verification never succeeds
Confirm the TXT record is on the exact host
_cloudcruise-sso-verification.<your-domain> and the value matches cc-sso-verify=<token> from the dialog. The verification dialog reports what it actually found — a stale token, a non-CloudCruise record, or nothing yet. Allow time for DNS propagation and use Check now to retry.“SSO is not configured for this domain”
“SSO is not configured for this domain”
The email’s domain has no SAML configuration, or you entered a domain that isn’t verified. Make sure the domain is Verified and has a SAML configuration attached, and that the user’s email domain exactly matches.
Login redirects to the IdP but fails to come back
Login redirects to the IdP but fails to come back
Double-check the ACS URL and SP Entity ID in your IdP exactly match the values above, and that the IdP sends the user’s email as the Name ID in
emailAddress format. A mismatched audience or missing email is the most common cause.Certificate or SSO URL rejected on save
Certificate or SSO URL rejected on save
The IdP SSO URL must be HTTPS, and the certificate must be a PEM block beginning with
-----BEGIN CERTIFICATE-----. Copy the full certificate including the header and footer lines.Locked out after enabling Require SSO
Locked out after enabling Require SSO
If SSO is misconfigured and enforcement is on, password sign-in is blocked. Contact support to temporarily disable enforcement so you can fix the IdP settings.
Security notes
- CloudCruise validates each SAML assertion against the signing certificate you provide — rotate it in your IdP and update the configuration if it changes.
- Enforcement blocks the password path server-side, not just in the UI, so it cannot be bypassed.
- SSO is scoped to your organization for configuration and enforcement. Workspace access is still determined by CloudCruise workspace membership.
- All configuration changes (created, updated, enforcement toggled, deleted) are recorded in an audit log.

