Single Sign-On (SSO)
superglue supports Single Sign-On through Okta OpenID Connect (OIDC).
When SSO is enabled:
- An Okta provider button appears on the login page.
- Users are provisioned just-in-time — their superglue account is created on first login, with no manual invitation step.
- Organization membership and roles are managed in superglue after the account exists.
Configuration
Section titled “Configuration”1. Create the Okta application
Section titled “1. Create the Okta application”In the Okta admin console, create an OIDC - Web Application:
- Sign-in redirect URI:
https://<your-superglue-domain>/api/auth/oauth2/callback/okta - Grant type: Authorization Code (PKCE is used automatically)
Note the Client ID and Client Secret.
2. Set environment variables
Section titled “2. Set environment variables”| Variable | Required | Description |
|---|---|---|
AUTH_PROVIDERS |
Yes | Include okta in the comma-separated provider list. |
OKTA_CLIENT_ID |
Yes | OIDC application client ID. |
OKTA_CLIENT_SECRET |
Yes | OIDC application client secret. |
OKTA_ISSUER |
Yes | Your Okta org URL, e.g. https://your-domain.okta.com (the Org Authorization Server). |
AUTH_DISABLE_SIGNUP |
Yes | true/false. When true, self-service account registration is blocked. |
AUTH_DISABLE_INVITES |
Yes | true/false. When true, organization invitations cannot be created or accepted. |
Shared behavior
Section titled “Shared behavior”The following applies to Okta SSO deployments.
Make SSO the only login method
Section titled “Make SSO the only login method”To require everyone to sign in through SSO, enable only the SSO provider and disable email/password:
AUTH_PROVIDERS=oktaOKTA_CLIENT_ID=...OKTA_CLIENT_SECRET=...OKTA_ISSUER=https://your-domain.okta.comOnly providers listed in AUTH_PROVIDERS appear on the login page.
Lock down account creation
Section titled “Lock down account creation”AUTH_DISABLE_SIGNUP and AUTH_DISABLE_INVITES are required booleans and must be set
explicitly on every deployment — the server refuses to start if either is missing.
AUTH_DISABLE_SIGNUP=trueblocks self-service registration. Users who already have an account, and users provisioned just-in-time through Okta, can still sign in.AUTH_DISABLE_INVITES=trueblocks organization invitations from being created, resent, or accepted.
For a pure SSO-only posture where accounts exist only because Okta provisioned them, set
both to true:
AUTH_DISABLE_SIGNUP=trueAUTH_DISABLE_INVITES=trueSetting both to true without an Okta provider is rejected at startup, because it would
leave no way for any account to be created.
Provisioning details
Section titled “Provisioning details”- Provider-driven login. The login page shows exactly the providers enabled in deployment config.
- Existing users are unaffected. Email, Google, and GitHub accounts continue to work when their providers remain enabled. Enabling Okta only adds a login option.
Deprovisioning
Section titled “Deprovisioning”When a user is deactivated in your identity provider, it stops issuing tokens for them, so they can no longer sign in to superglue. Their existing superglue account and any active sessions are not automatically revoked — remove the user from Control Panel → Organization if you need to terminate access immediately.