Security

Setting Up SSO

Configure single sign-on and directory sync for Azure AD, Okta, Google Workspace, and SAML providers.

Last updated: February 22, 2026

Ambient supports SSO via OIDC and SAML 2.0. Once configured, users log in with their corporate credentials and are provisioned automatically.

Supported Providers

Provider | Protocol | Directory Sync
Azure Active Directory | OIDC | ✅ SCIM
Okta | OIDC | ✅ SCIM
Google Workspace | OIDC | ✅ SCIM
JumpCloud | Custom OIDC | ✅ SCIM
AD FS | SAML 2.0 | Manual
Any SAML 2.0 provider | SAML 2.0 | Manual

Prerequisites

  • Ambient Business or Enterprise plan (SSO is not available on Starter)
  • Admin access to your identity provider
  • Admin access to Ambient Command Center

Configuration Steps

Azure AD / Entra ID

  1. In the Azure portal, go to Enterprise Applications → New Application → Create your own.
  2. Name it Ambient and select “Non-gallery application”.
  3. Go to Single sign-on → OIDC.
  4. Copy the Client ID and Client Secret.
  5. In Command Center, go to Administration → Settings → SSO.
  6. Select Azure AD, paste the Client ID, Client Secret, and your Tenant ID.
  7. Click Test Connection — a browser window opens to validate the flow.
  8. Click Save.

Okta

  1. In Okta Admin, go to Applications → Create App Integration → OIDC.
  2. Set the Sign-in redirect URI to: https://your-tenant.ambient.co.za/api/auth/callback/okta
  3. Copy the Client ID and Client Secret.
  4. In Command Center → Administration → Settings → SSO, select Okta and enter your Okta domain, Client ID, and Client Secret.
  5. Save and test.

Google Workspace

  1. In Google Console, go to APIs & Services → Credentials → Create OAuth client.
  2. Set the redirect URI to: https://your-tenant.ambient.co.za/api/auth/callback/google
  3. Copy credentials and enter them in Command Center → SSO → Google Workspace.

SAML 2.0 (AD FS / Generic)

  1. In Command Center → Administration → Settings → SSO, select SAML.
  2. Download the Ambient SP metadata XML.
  3. Import the metadata into your IdP (AD FS, PingFederate, etc.).
  4. Upload your IdP metadata XML back into Command Center.
  5. Map attributes: email → http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
  6. Save and test.
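
A check for the attribute mapping in step 5, added here as an example and not part of Ambient's documentation or tooling: it inspects a decoded SAML assertion captured from a test login and confirms the IdP emits exactly one email value under the claim URI above. The sample assertions and the function name check_email_claim are constructed for illustration; the check covers the mapping only and does not validate the assertion's signature.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

# Constructed sample assertions (unsigned, for illustration only).
SAMPLE_OK = f"""<saml:Assertion xmlns:saml="{SAML_NS['saml']}">
  <saml:AttributeStatement>
    <saml:Attribute Name="{EMAIL_CLAIM}">
      <saml:AttributeValue>thandi@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
SAMPLE_WRONG_NAME = SAMPLE_OK.replace(EMAIL_CLAIM, "mail")  # IdP used a short name
SAMPLE_EMPTY = SAMPLE_OK.replace("thandi@example.com", "")   # claim present, no value


def check_email_claim(assertion_xml):
    """Return (ok, detail): detail is the email on success, else the reason."""
    # A SAML assertion never needs a DTD; refuse it before the parser sees it.
    if "<!DOCTYPE" in assertion_xml or "<!ENTITY" in assertion_xml:
        return False, "DTD or entity declaration found; refusing to parse"
    root = ET.fromstring(assertion_xml)
    attrs = root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS)
    matches = [a for a in attrs if a.get("Name") == EMAIL_CLAIM]
    if not matches:
        names = [a.get("Name") for a in attrs]
        return False, f"email claim missing; IdP sent: {names}"
    values = [(v.text or "").strip()
              for a in matches
              for v in a.findall("saml:AttributeValue", SAML_NS)]
    values = [v for v in values if v]
    if len(values) != 1:
        return False, f"expected exactly one email value, got {len(values)}"
    if "@" not in values[0]:
        return False, f"value does not look like an email address: {values[0]!r}"
    return True, values[0]


if __name__ == "__main__":
    for label, xml in [("ok", SAMPLE_OK), ("wrong name", SAMPLE_WRONG_NAME),
                       ("empty value", SAMPLE_EMPTY)]:
        print(label, "->", check_email_claim(xml))
```
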

Directory Sync (SCIM)

SCIM provisioning automatically creates, updates, and deactivates Ambient users when changes are made in your IdP.

  1. In Command Center → Administration → Settings → Directory Sync, click Enable SCIM.
  2. Copy the SCIM endpoint URL and Bearer token.
  3. In your IdP (Azure AD, Okta, etc.), configure a new SCIM app using these credentials.
  4. Run an initial sync — users appear in Administration → Users within minutes.

Enforcing SSO

To require all users to log in via SSO (disabling email/password):

Administration → Settings → SSO → Enforce SSO → Enable

⚠️ Ensure at least one Owner account has a backup login method (or is excluded from enforcement) before enabling this setting.