Enterprise SSO: Live for Enterprise SSO-entitled workspaces

OIDC SSO

Use this guide to configure OpenID Connect sign-in for an Enterprise SSO-entitled workspace.

Cadence uses the OIDC authorization code flow with a confidential client. Your identity provider authenticates the user, then Cadence maps the verified identity claims to the user record in the entitled workspace.

Before you start

  • Confirm the workspace is entitled for Enterprise SSO.
  • Confirm you have Cadence owner or org admin access.
  • Confirm you have identity provider admin access.
  • Keep one customer-owned break-glass owner/admin account that does not depend on the IdP, so routine IdP policy changes cannot lock you out.
  • Make sure users who need access already exist as active Cadence users unless your workspace has an approved JIT provisioning rollout.

Create the OIDC app

Create a web application or confidential client in your identity provider.

| IdP setting           | Value                                          |
|-----------------------|------------------------------------------------|
| Application type      | Web application / confidential client          |
| Grant type            | Authorization code                             |
| Response type         | Code                                           |
| Client authentication | Client secret                                  |
| Redirect URI          | https://app.cadencehr.ai/api/auth/sso/callback |
| Scopes                | openid profile email                           |

Do not use wildcard redirect URIs. Cadence validates the callback path exactly, so register the full URI, scheme and path included. The identity provider compares the registered value against the redirect_uri in the authorization request, and most providers compare the string exactly, so a trailing slash, an http scheme, or a different host causes a mismatch.

Configure Cadence

  1. Open Admin.
  2. Select SSO.
  3. Choose OIDC if your workspace shows multiple SSO protocols.
  4. Enter the issuer URL, exactly as the identity provider publishes it in the issuer field of its discovery document.
  5. Enter the discovery URL, normally the issuer URL followed by /.well-known/openid-configuration.
  6. Enter the client ID.
  7. Enter the client secret.
  8. Confirm the scopes are openid profile email unless Cadence Support gives you a narrower tenant-specific value.
  9. Save the draft.

Cadence stores the client secret encrypted and shows only a redacted secret state after save. To rotate the secret, generate the new secret in the identity provider, paste it into Cadence, save the draft, and re-run validation and test sign-in before revoking the old secret at the IdP. Sign-ins fail while the two sides disagree on the secret, so rotate with the break-glass account at hand.

Attribute mapping

Use the default OIDC claim names unless your identity provider uses custom claims.

| Cadence field    | Default claim | Notes                                                                          |
|------------------|---------------|--------------------------------------------------------------------------------|
| Email claim      | email         | Must match the Cadence user email address.                                     |
| First name claim | given_name    | Used for profile display where available.                                      |
| Last name claim  | family_name   | Used for profile display where available.                                      |
| Groups claim     | groups        | Reserved for group-aware rollout work; do not treat SCIM provisioning as live. |

If a test sign-in fails because the user cannot be matched, confirm the IdP sends the expected email claim and that the corresponding Cadence user is active in the same workspace.
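The matching rule above (email claim against an active user in the same workspace, name claims only for display) is easy to get wrong when an IdP sends a custom claim name or a differently cased address. The following is an added example, not Cadence's own code: it maps verified ID-token claims through the guide's default claim names, falls through to a custom map for IdPs that send the address under another name, and refuses to match deactivated users or users from a different workspace. The user directory, the record shape, and the function names are constructed for illustration.

```python
"""Match verified ID-token claims to a Cadence user the way the guide describes.

Added example, not Cadence's own code. It uses the guide's default claim names
(email, given_name, family_name, groups), a constructed user directory, and
assumed function and record names; adjust the claim map when your IdP uses
custom claims.
"""
from dataclasses import dataclass

DEFAULT_CLAIM_MAP = {
    "email": "email",
    "first_name": "given_name",
    "last_name": "family_name",
    "groups": "groups",  # reserved for group-aware rollout; not used for matching
}


@dataclass(frozen=True)
class CadenceUser:
    email: str
    workspace: str
    active: bool


# Constructed directory: one workspace ("acme") plus a user from another workspace.
USERS = [
    CadenceUser("ana@example.com", "acme", True),
    CadenceUser("ben@example.com", "acme", False),    # deactivated
    CadenceUser("cy@example.com", "other-ws", True),  # wrong workspace
]


class SsoMatchError(Exception):
    """Raised when the IdP identity cannot be mapped to an active user."""


def extract_identity(claims: dict, claim_map: dict = DEFAULT_CLAIM_MAP) -> dict:
    """Pull the mapped claims out of already-verified ID-token claims.

    Only the email claim is mandatory: it is the match key. Name claims are
    optional and only feed profile display.
    """
    email_claim = claim_map["email"]
    email = claims.get(email_claim)
    if not isinstance(email, str) or not email.strip():
        raise SsoMatchError(f"IdP did not send the expected email claim {email_claim!r}")
    # Added precaution: if the IdP explicitly marks the address unverified, do not match on it.
    if claims.get("email_verified") is False:
        raise SsoMatchError(f"IdP marked {email} as unverified")
    return {
        "email": email.strip().lower(),
        "first_name": claims.get(claim_map["first_name"]),
        "last_name": claims.get(claim_map["last_name"]),
    }


def match_user(claims: dict, workspace: str, users=USERS,
               claim_map: dict = DEFAULT_CLAIM_MAP) -> CadenceUser:
    """Return the active user in `workspace` whose email equals the mapped email claim."""
    identity = extract_identity(claims, claim_map)
    for user in users:
        if user.workspace != workspace or user.email.lower() != identity["email"]:
            continue
        if not user.active:
            raise SsoMatchError(f"{user.email} exists in {workspace} but is not active")
        return user
    raise SsoMatchError(
        f"no Cadence user with email {identity['email']} in workspace {workspace}"
    )
```

The three failure branches correspond to the troubleshooting cases later on this page: no email claim at all, an address that matches no active user, and a user who exists but in another workspace or in a deactivated state. When a test sign-in fails, inspect the raw claims the IdP sent before touching the claim mapping.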

Validate metadata

After saving the draft, select Validate metadata.

Cadence checks that:

  • the discovery URL is reachable,
  • the discovery document includes authorization, token, and JWKS endpoints,
  • the JWKS endpoint can be read.

Do not enable SSO until validation passes.
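The checks Cadence runs here, plus the exact redirect URI rule from the Create the OIDC app section, can be reproduced as a pre-flight script before you touch the Enable switch. The following is an added example and not Cadence's validator: it takes a discovery document that has already been fetched (a constructed sample for a fictional tenant is embedded so the script runs offline), confirms the three required endpoints are present and served over https, checks that the document's issuer equals the issuer URL you entered, that the authorization code flow and client-secret authentication are advertised, and compares a registered redirect URI against the Cadence callback with a plain string equality. The tenant URL and function names are assumptions for illustration; reachability of the URL is left to whichever HTTP client you use to fetch it.

```python
"""Pre-flight checks for an OIDC draft configuration.

Added example, not Cadence's own validator. It checks a discovery document that
has already been fetched (a constructed sample is embedded below) so it runs
offline; reachability is left to whatever HTTP client you use. The function
names and the sample tenant URL are assumptions for illustration.
"""
import json
from urllib.parse import urlparse

REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")
REQUIRED_SCOPES = ("openid", "profile", "email")
SECRET_AUTH_METHODS = ("client_secret_basic", "client_secret_post")
CADENCE_CALLBACK = "https://app.cadencehr.ai/api/auth/sso/callback"

# Constructed discovery document for a fictional IdP tenant.
SAMPLE_ISSUER = "https://login.example-idp.com/tenant-123"
SAMPLE_DISCOVERY = json.dumps({
    "issuer": SAMPLE_ISSUER,
    "authorization_endpoint": SAMPLE_ISSUER + "/oauth2/authorize",
    "token_endpoint": SAMPLE_ISSUER + "/oauth2/token",
    "jwks_uri": SAMPLE_ISSUER + "/discovery/keys",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "scopes_supported": ["openid", "profile", "email", "offline_access"],
    "token_endpoint_auth_methods_supported": ["client_secret_post", "client_secret_basic"],
})


def discovery_url_for(issuer: str) -> str:
    """OIDC Discovery: the document lives at <issuer>/.well-known/openid-configuration."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def validate_discovery(doc_text: str, expected_issuer: str) -> list:
    """Return a list of problems with a fetched discovery document; empty means it passes."""
    problems = []
    try:
        doc = json.loads(doc_text)
    except json.JSONDecodeError as exc:
        return [f"discovery document is not valid JSON: {exc}"]

    # The three endpoints the Validate metadata step looks for, each over https.
    for key in REQUIRED_ENDPOINTS:
        url = doc.get(key)
        if not url:
            problems.append(f"missing {key}")
        elif urlparse(url).scheme != "https":
            problems.append(f"{key} is not https: {url}")

    # The issuer in the document must equal the issuer URL entered in Cadence,
    # character for character; the same string arrives as the iss claim in every ID token.
    if doc.get("issuer") != expected_issuer:
        problems.append(
            f"issuer mismatch: document says {doc.get('issuer')!r}, config says {expected_issuer!r}"
        )

    # Authorization code flow needs the "code" response type and a client-secret auth method.
    if "code" not in doc.get("response_types_supported", []):
        problems.append("response_types_supported does not include code")
    # Spec default when the field is absent is client_secret_basic.
    methods = doc.get("token_endpoint_auth_methods_supported", ["client_secret_basic"])
    if not any(m in SECRET_AUTH_METHODS for m in methods):
        problems.append("token endpoint does not accept client secret authentication")

    # scopes_supported is optional in the spec; check it only when advertised.
    advertised = doc.get("scopes_supported")
    if advertised is not None:
        for scope in REQUIRED_SCOPES:
            if scope not in advertised:
                problems.append(f"scope {scope} not advertised")
    return problems


def redirect_uri_matches(registered: str, expected: str = CADENCE_CALLBACK) -> bool:
    """Exact match only: no wildcard, no prefix match, no trailing-slash tolerance,
    and no case folding. A mismatch here is the usual reason a test sign-in never
    returns to Cadence."""
    return registered == expected
```

Run `validate_discovery` against the document you fetched from `discovery_url_for(issuer)` and refuse to enable SSO while it returns anything; an issuer that differs only by a trailing slash is reported as a mismatch on purpose, because that is how the iss claim will be compared later.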

Test sign-in

  1. Select Test sign-in.
  2. Open the generated test window.
  3. Complete the identity provider sign-in flow with a test user.
  4. Confirm the browser returns to Cadence through /api/auth/sso/callback.
  5. Return to Admin > SSO and confirm the test status is passed.

The test user should be an active Cadence user. If JIT provisioning is available in your workspace, confirm the new user lands with the expected member-level access before adding broader groups.

Enable SSO

Enable SSO only after metadata validation and test sign-in both pass.

  1. Turn on Enable SSO.
  2. Save activation controls.
  3. Ask a non-admin pilot user to sign in from a fresh browser session.
  4. Confirm the user lands in the expected workspace after reload.
  5. Keep the break-glass owner/admin account available until the rollout is complete.

Enforce SSO

Enforcement requires enabled SSO plus a successful validation and test sign-in. Turn on Enforce SSO only after a small pilot group signs in successfully and your break-glass plan is documented.

Use enforcement to require IdP login for normal workspace access. Preserve a customer-owned break-glass account for recovery if the IdP app, policy, signing key, or certificate changes unexpectedly.

Troubleshooting

| Symptom                              | Likely cause                                                          | Action                                                                                                         |
|--------------------------------------|-----------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------|
| Metadata validation fails            | Discovery URL is wrong, unreachable, or missing required endpoints    | Re-copy the .well-known/openid-configuration URL and confirm the IdP app is published.                         |
| Test sign-in does not return to Cadence | Redirect URI mismatch                                              | Confirm the IdP redirect URI is exactly https://app.cadencehr.ai/api/auth/sso/callback.                        |
| Sign-in returns but access is denied | Email claim does not match an active Cadence user                     | Confirm the email claim and active user record in Cadence.                                                     |
| Users land in the wrong access level | JIT or group mapping assumptions are ahead of rollout                 | Create or update users through the supported admin workflow; do not treat SCIM as live.                        |
| Admin is locked out                  | Break-glass path was not preserved or IdP policy changed              | Use the documented customer-owned break-glass owner/admin account, then correct the IdP app before enforcing again. |

Current boundary

  • OIDC SSO is live for Enterprise SSO-entitled workspaces.
  • SSO enforcement is live only after validation and a successful test sign-in.
  • SCIM provisioning remains roadmap-labeled; do not configure a SCIM app until Cadence publishes live SCIM setup guidance.