Live for Enterprise SSO-entitled workspaces
OIDC SSO
Use this guide to configure OpenID Connect sign-in for an Enterprise SSO-entitled workspace.
Cadence uses the OIDC authorization code flow with a confidential client. Your identity provider authenticates the user, then Cadence maps the verified identity claims to the user record in the entitled workspace.
Before you start
- Confirm the workspace is entitled for Enterprise SSO.
- Confirm you have Cadence owner or org admin access.
- Confirm you have identity provider admin access.
- Keep one customer-owned break-glass owner/admin account outside routine IdP policy changes.
- Make sure users who need access already exist as active Cadence users unless your workspace has an approved JIT provisioning rollout.
Create the OIDC app
Create a web application or confidential client in your identity provider.
| IdP setting | Value |
|---|---|
| Application type | Web application / confidential client |
| Grant type | Authorization code |
| Response type | Code |
| Client authentication | Client secret |
| Redirect URI | https://app.cadencehr.ai/api/auth/sso/callback |
| Scopes | openid profile email |
Do not use wildcard redirect URIs. Cadence validates the callback path exactly.
Configure Cadence
- Open Admin.
- Select SSO.
- Choose OIDC if your workspace shows multiple SSO protocols.
- Enter the issuer URL.
- Enter the discovery URL, usually https://<idp-domain>/.well-known/openid-configuration.
- Enter the client ID.
- Enter the client secret.
- Confirm the scopes are openid profile email unless Cadence Support gives you a narrower tenant-specific value.
- Save the draft.
Cadence stores the client secret encrypted and shows only a redacted secret state after save. To rotate the secret, paste the new secret, save the draft, and re-run validation and test sign-in.
Attribute mapping
Use the default OIDC claim names unless your identity provider uses custom claims.
| Cadence field | Default claim | Notes |
|---|---|---|
| Email claim | email | Must match the Cadence user email address. |
| First name claim | given_name | Used for profile display where available. |
| Last name claim | family_name | Used for profile display where available. |
| Groups claim | groups | Reserved for group-aware rollout work; do not treat SCIM provisioning as live. |
If a test sign-in fails because the user cannot be matched, confirm the IdP sends the expected email claim and that the corresponding Cadence user is active in the same workspace.
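The matching rule described above, as an added example that is not Cadence's own code: verified ID-token claims are resolved to an active user in the entitled workspace using the default claim names from the table, and each denial reason lines up with a row of the troubleshooting table further down. CadenceUser, match_user, display_name and the sample users are constructed for illustration.

```python
# Added example, not Cadence's own code: resolve verified ID-token claims to an
# active user in the entitled workspace using the default claim names from the
# mapping table. The user records, workspace id and claims are constructed sample
# data; CadenceUser, match_user and display_name are hypothetical names.
from dataclasses import dataclass
from typing import Optional

DEFAULT_CLAIM_MAP = {"email": "email",
                     "first_name": "given_name",
                     "last_name": "family_name"}

@dataclass(frozen=True)
class CadenceUser:
    email: str
    workspace_id: str
    active: bool

def match_user(claims: dict, users: list, workspace_id: str,
               claim_map: dict = DEFAULT_CLAIM_MAP) -> tuple:
    """Return (user, reason); user is None when sign-in must be denied.
    The reason strings correspond to rows of the troubleshooting table."""
    email = claims.get(claim_map["email"])
    if not email:
        return None, "IdP did not send the expected email claim"
    # Exact match on the Cadence user email, then same workspace, then active.
    same_email = [u for u in users if u.email == email]
    if not same_email:
        return None, "no Cadence user with this email"
    in_workspace = [u for u in same_email if u.workspace_id == workspace_id]
    if not in_workspace:
        return None, "user exists in another workspace only"
    if not in_workspace[0].active:
        return None, "Cadence user is not active"
    return in_workspace[0], "ok"

def display_name(claims: dict, claim_map: dict = DEFAULT_CLAIM_MAP) -> str:
    """Profile display uses given_name/family_name where available, else the email."""
    parts = [claims.get(claim_map["first_name"]), claims.get(claim_map["last_name"])]
    name = " ".join(p for p in parts if p)
    return name or claims.get(claim_map["email"], "")

# Constructed sample users: one active, one inactive, one in a different workspace
USERS = [CadenceUser("ana@example.com", "ws-1", True),
         CadenceUser("ben@example.com", "ws-1", False),
         CadenceUser("cy@example.com", "ws-2", True)]
```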
Validate metadata
After saving the draft, select Validate metadata.
Cadence checks that:
- the discovery URL is reachable,
- the discovery document includes authorization, token, and JWKS endpoints,
- the JWKS endpoint can be read.
Do not enable SSO until validation passes.
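The three checks listed above, as an added example that is not Cadence's own code: it runs offline against a constructed discovery document and JWKS and reports every problem found, so a mismatched issuer string or a missing endpoint is visible before SSO is enabled. check_discovery, check_jwks and the example.com URLs are assumptions for illustration.

```python
# Added example, not Cadence's own code: the three metadata checks listed above,
# run offline against a constructed discovery document and JWKS (no network calls).
# check_discovery, check_jwks and the example.com URLs are assumptions for illustration.
import json
from urllib.parse import urlparse

REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")

def check_discovery(configured_issuer: str, discovery_json: str) -> list:
    """Return the problems found; an empty list means the document passes."""
    try:
        doc = json.loads(discovery_json)
    except json.JSONDecodeError as e:
        return [f"discovery document is not valid JSON: {e}"]
    if not isinstance(doc, dict):
        return ["discovery document is not a JSON object"]
    # OIDC Discovery requires the issuer in the document to equal the configured
    # issuer exactly, so a stray trailing slash surfaces here rather than at sign-in.
    problems = [] if doc.get("issuer") == configured_issuer else [
        f"issuer mismatch: document says {doc.get('issuer')!r}"]
    for key in REQUIRED_ENDPOINTS:
        url = doc.get(key)
        if not url:
            problems.append(f"missing {key}")
        elif urlparse(url).scheme != "https":
            problems.append(f"{key} is not https: {url}")
    # The authorization code flow needs the IdP to advertise response_type=code.
    if "code" not in doc.get("response_types_supported", []):
        problems.append("response_types_supported does not include 'code'")
    return problems

def check_jwks(jwks_json: str) -> list:
    """Confirm the JWKS parses and every key carries a key type (kty)."""
    try:
        keys = json.loads(jwks_json)["keys"]
    except (json.JSONDecodeError, KeyError, TypeError):
        return ["JWKS is not a JSON object with a 'keys' array"]
    if not keys:
        return ["JWKS has no keys"]
    return [f"key {k.get('kid', i)} is missing kty"
            for i, k in enumerate(keys) if "kty" not in k]

# Constructed sample documents for a fictional IdP
ISSUER = "https://idp.example.com"
SAMPLE_DISCOVERY = json.dumps({
    "issuer": ISSUER, "response_types_supported": ["code"],
    "authorization_endpoint": ISSUER + "/authorize",
    "token_endpoint": ISSUER + "/token",
    "jwks_uri": ISSUER + "/.well-known/jwks.json"})
SAMPLE_JWKS = json.dumps({"keys": [{"kty": "RSA", "kid": "k1", "use": "sig"}]})
```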
Test sign-in
- Select Test sign-in.
- Open the generated test window.
- Complete the identity provider sign-in flow with a test user.
- Confirm the browser returns to Cadence through /api/auth/sso/callback.
- Return to Admin > SSO and confirm the test status is passed.
The test user should be an active Cadence user. If JIT provisioning is available in your workspace, confirm the new user lands with the expected member-level access before adding broader groups.
Enable SSO
Enable SSO only after metadata validation and test sign-in both pass.
- Turn on Enable SSO.
- Save activation controls.
- Ask a non-admin pilot user to sign in from a fresh browser session.
- Confirm the user lands in the expected workspace after reload.
- Keep the break-glass owner/admin account available until the rollout is complete.
Enforce SSO
Enforcement requires enabled SSO plus a successful validation and test sign-in. Turn on Enforce SSO only after a small pilot group signs in successfully and your break-glass plan is documented.
Use enforcement to require IdP login for normal workspace access. Preserve a customer-owned break-glass account for recovery if the IdP app, policy, or certificate changes unexpectedly.
Troubleshooting
| Symptom | Likely cause | Action |
|---|---|---|
| Metadata validation fails | Discovery URL is wrong, unreachable, or missing required endpoints | Re-copy the .well-known/openid-configuration URL and confirm the IdP app is published. |
| Test sign-in does not return to Cadence | Redirect URI mismatch | Confirm the IdP redirect URI is exactly https://app.cadencehr.ai/api/auth/sso/callback. |
| Sign-in returns but access is denied | Email claim does not match an active Cadence user | Confirm the email claim and active user record in Cadence. |
| Users land in the wrong access level | JIT or group mapping assumptions are ahead of rollout | Create or update users through the supported admin workflow; do not treat SCIM as live. |
| Admin is locked out | Break-glass path was not preserved or IdP policy changed | Use the documented customer-owned break-glass owner/admin account, then correct the IdP app before enforcing again. |
Current boundary
- OIDC SSO is live for Enterprise SSO-entitled workspaces.
- SSO enforcement is live only after validation and a successful test sign-in.
- SCIM provisioning remains roadmap-labeled; do not configure a SCIM app until Cadence publishes live SCIM setup guidance.