Single sign-on

Set up SSO into ComplianceScout

ComplianceScout signs users in with enterprise SSO over OpenID Connect (OIDC) or SAML 2.0. Pick your identity provider below, or use the reference values at the bottom for any other compliant IdP.

How it works. A tenant admin creates the connection in ComplianceScout at Settings → SSO. That screen shows the exact Redirect URI, ACS URL, and SP metadata URL for your connection — always copy those in-app values into your IdP rather than typing them. SSO is an Enterprise-tier feature.

Any other OIDC or SAML provider

ComplianceScout works with any standards-compliant IdP. These are the values to exchange. The placeholders in <angle brackets> are filled in automatically and shown on the connection screen in Settings → SSO.

OpenID Connect

Give your IdP

Redirect URI (Sign-in redirect URI / Allowed Callback URL): https://<your-app-host>/sso/oidc/callback/<connectionId>

Copy the exact value shown in ComplianceScout → Settings → SSO when you create the connection. Do not hand-type it — most IdPs require an exact match (case and trailing slash included).

Bring back to ComplianceScout

Issuer URL: https://<your-idp-issuer>

The OIDC issuer for your IdP. ComplianceScout discovers the rest from <issuer>/.well-known/openid-configuration.

Client ID: <client-id>
Client Secret: <client-secret>

ComplianceScout is a confidential client — always create a Web app type with a secret, never a SPA/public client.

Requested scopes: openid email profile. The email claim is used as the username, so your IdP must release it.

SAML 2.0

Give your IdP

SP Entity ID (Identifier / Audience): urn:guardstream:sp:<tenant_id>

Included in the SP metadata below. Most IdPs can import the metadata URL instead of typing this.

ACS URL (Reply URL / Assertion Consumer Service): https://<your-app-host>/sso/saml/callback/<connectionId>
SP metadata URL: https://<your-app-host>/sso/saml/metadata/<connectionId>

Contains the SP entity ID, ACS URL, and SP certificate. Import this into your IdP when it supports metadata import — it is the least error-prone path.

Required NameID format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

Configure your IdP to send the user's email address as the NameID. ComplianceScout rejects any other NameID format.

Bring back to ComplianceScout

IdP Entity ID (Issuer): <idp-entity-id>
IdP SSO URL (SAML 2.0 endpoint): <idp-sso-url>
IdP signing certificate: -----BEGIN CERTIFICATE----- … -----END CERTIFICATE-----

PEM format. Many IdPs also expose an IdP metadata URL that bundles all three values.

The assertion must always be signed. Response signing and assertion encryption are optional per-connection toggles.
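A pre-flight check for the SAML requirements above, run against the base64 SAMLResponse form field from a test sign-in at your IdP. This is an added example, not ComplianceScout code: preflight and constructed_response are hypothetical names, and the tenant ID, host and connection ID are constructed stand-ins for the values shown in Settings → SSO. It checks structure only and does not verify the signature.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# Constructed stand-ins for the values shown in Settings -> SSO (assumptions).
SP_ENTITY_ID = "urn:guardstream:sp:tenant-123"
ACS_URL = "https://app.example.test/sso/saml/callback/conn-1"

def preflight(response_b64, sp_entity_id=SP_ENTITY_ID, acs_url=ACS_URL):
    """List structural problems in a base64 SAMLResponse from an IdP test login.
    Signature presence is checked, the signature itself is NOT verified."""
    # Parse only responses from your own test login; use a hardened XML
    # parser for anything untrusted.
    root = ET.fromstring(base64.b64decode(response_b64))
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        encrypted = root.find("saml:EncryptedAssertion", NS) is not None
        return ["assertion is encrypted" if encrypted else "no Assertion element"]
    problems = []
    # A signature on the Response alone does not count: look on the Assertion.
    if assertion.find("ds:Signature", NS) is None:
        problems.append("assertion is not signed")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID missing or not in emailAddress format")
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        problems.append("Audience does not contain the SP Entity ID")
    recipients = [d.get("Recipient") for d in assertion.findall(
        "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)]
    if acs_url not in recipients:
        problems.append("Recipient does not match the ACS URL")
    return problems

def constructed_response(name_id_format=EMAIL_FORMAT, signed=True, audience=SP_ENTITY_ID):
    """Build a constructed (not captured) response; the Signature is an empty stub."""
    sig = f'<ds:Signature xmlns:ds="{NS["ds"]}"/>' if signed else ""
    xml = (f'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           f'xmlns:saml="{NS["saml"]}"><saml:Assertion>{sig}<saml:Subject>'
           f'<saml:NameID Format="{name_id_format}">alice@example.test</saml:NameID>'
           f'<saml:SubjectConfirmation><saml:SubjectConfirmationData Recipient="{ACS_URL}"/>'
           f'</saml:SubjectConfirmation></saml:Subject><saml:Conditions>'
           f'<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>'
           f'</saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()
```

An empty list means the response has the shape ComplianceScout expects; each string names one setting to correct at the IdP before rolling the connection out.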

Need a provider we haven't listed?

If your IdP speaks OIDC or SAML 2.0, it will work. Our team can help you wire it up.