MarBoba

Set up SSO (SAML 2.0 or OIDC)

Configure your identity provider, verify your domain, and enforce SSO for an org. Required for Business + Enterprise tiers.

MarBoba supports SAML 2.0 and OpenID Connect (OIDC) for single sign-on. This guide walks through the four moving pieces:

  1. Add an identity provider at Settings → Identity & Access.
  2. Verify your domain so MarBoba routes login attempts to it.
  3. Test the connection end-to-end before turning enforcement on.
  4. Enforce SSO so password-based login is no longer accepted.

Available on Business and Enterprise plans.

Add an identity provider

  1. Settings → Identity & Access → + Identity Provider.
  2. Pick SAML 2.0 or OIDC.

SAML 2.0

You’ll need three things from your IdP (Okta, Azure AD, Google Workspace, OneLogin, JumpCloud, etc.):

  • Single Sign-On URL (the IdP-side endpoint MarBoba redirects to)
  • Issuer / Entity ID
  • X.509 signing certificate (PEM or base64-encoded)

Or paste the IdP’s metadata XML and MarBoba parses all three fields automatically.

The screen also shows MarBoba’s own ACS (Assertion Consumer Service) URL and Entity ID; enter these on the IdP side when you register MarBoba as the service provider.

OIDC

You’ll need:

  • Issuer URL (https://..., the base URL to which /.well-known/openid-configuration is appended for discovery)
  • Client ID
  • Client secret

MarBoba auto-discovers authorization_endpoint, token_endpoint, userinfo_endpoint, and jwks_uri from {issuer}/.well-known/openid-configuration.

A scheduled function refreshes JWKS every 6 hours so cert rotations don’t break login.
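The discovery, JWKS-refresh and token checks described above, as an added example (this is illustrative Python written for this page, not MarBoba’s implementation). The issuer, client ID, discovery document and both JWKS snapshots are constructed sample data; the 60-second cap on forced refreshes is an assumption. Real signature verification is left to a JOSE library; what is shown is the issuer pinning, audience and expiry checks, and the key lookup that has to survive a rotation, which are also the checks behind the “issuer mismatch” and “token expired” items in Troubleshooting.

```python
import base64
import json
import time

# Constructed sample data standing in for a real IdP; none of these URLs are live.
ISSUER = "https://idp.example.com"
CLIENT_ID = "marboba-web"  # assumed client_id registered for MarBoba at the IdP

DISCOVERY_DOC = json.dumps({
    "issuer": ISSUER,
    "authorization_endpoint": ISSUER + "/authorize",
    "token_endpoint": ISSUER + "/token",
    "userinfo_endpoint": ISSUER + "/userinfo",
    "jwks_uri": ISSUER + "/.well-known/jwks.json",
})
# JWKS snapshots before and after the IdP rotates its signing key (moduli omitted).
JWKS_V1 = json.dumps({"keys": [{"kty": "RSA", "use": "sig", "kid": "key-2024", "e": "AQAB", "n": "<omitted>"}]})
JWKS_V2 = json.dumps({"keys": [{"kty": "RSA", "use": "sig", "kid": "key-2025", "e": "AQAB", "n": "<omitted>"}]})

REQUIRED = ("authorization_endpoint", "token_endpoint", "userinfo_endpoint", "jwks_uri")


def parse_discovery(configured_issuer, doc_json):
    """Parse {issuer}/.well-known/openid-configuration and pin the issuer.
    The document's own `issuer` must be identical to the configured URL; a
    mismatch means the wrong tenant or a misconfigured IdP, so nothing else in
    the document is trusted."""
    doc = json.loads(doc_json)
    if doc.get("issuer") != configured_issuer:
        raise ValueError(f"discovery issuer {doc.get('issuer')!r} != configured {configured_issuer!r}")
    missing = [k for k in REQUIRED if k not in doc]
    if missing:
        raise ValueError(f"discovery document missing {missing}")
    return {k: doc[k] for k in REQUIRED}


class JwksCache:
    """The IdP's signing keys by `kid`, refreshed every 6 hours and once more when
    a token carries a `kid` we have not seen (what a rotation looks like from the
    relying party). The forced refresh is rate-limited so a flood of bogus kids
    cannot turn the service into a fetch loop against the IdP."""

    TTL = 6 * 3600        # scheduled refresh interval, as the page states
    MIN_FORCED_GAP = 60   # assumed: at most one unknown-kid refresh per minute

    def __init__(self, fetch_jwks, now=time.time):
        self._fetch = fetch_jwks  # callable returning the JWKS document text
        self._now = now
        self._keys = {}
        self._fetched_at = float("-inf")
        self.fetch_count = 0

    def refresh(self):
        jwks = json.loads(self._fetch())
        self._keys = {k["kid"]: k for k in jwks.get("keys", []) if "kid" in k}
        self._fetched_at = self._now()
        self.fetch_count += 1

    def key_for(self, kid):
        now = self._now()
        if now - self._fetched_at > self.TTL:
            self.refresh()
        if kid not in self._keys and now - self._fetched_at >= self.MIN_FORCED_GAP:
            self.refresh()
        if kid not in self._keys:
            raise KeyError(f"no signing key with kid={kid!r}")
        return self._keys[kid]


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def precheck_id_token(token, configured_issuer, client_id, cache, now=time.time):
    """Claim checks that precede signature verification, then key selection.
    RS256/ES256 verification itself belongs to a JOSE library and is not done
    here; these are the checks behind "issuer mismatch" and "token expired"."""
    header_b64, payload_b64, _signature = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    claims = json.loads(_b64url_decode(payload_b64))
    if header.get("alg") in (None, "none"):
        raise ValueError("unsigned token rejected")
    if claims.get("iss") != configured_issuer:
        raise ValueError(f"OIDC token issuer mismatch: token says {claims.get('iss')!r}")
    audience = claims.get("aud", [])
    if isinstance(audience, str):
        audience = [audience]
    if client_id not in audience:
        raise ValueError("token audience does not include this client")
    if claims.get("exp", 0) <= now():
        raise ValueError("OIDC token expired")
    return claims, cache.key_for(header.get("kid"))


def make_sample_token(kid, claims):
    """Constructed token for the demo: header and claims are real, the signature
    segment is a placeholder, so only precheck_id_token can consume it."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'kid': kid})}.{enc(claims)}.placeholder-signature"
```

The issuer check is deliberately an exact string comparison: normalising trailing slashes or case is exactly how two different issuers end up looking “close enough”. The unknown-`kid` refresh is what makes a cert rotation transparent to users, and the rate limit on it is what stops an attacker from using that path to hammer the IdP.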

Verify your domain

You can’t enforce SSO until at least one domain is verified.

  1. Settings → Identity & Access → Domains → + Domain.
  2. Choose a verification method:
    • DNS TXT record: add a marboba-domain-verify=... TXT record to the apex. Best for most orgs.
    • HTTPS file: host https://yourdomain.com/.well-known/marboba-domain-verify.txt. Best when DNS access is restricted.
    • Meta tag: add <meta name="marboba-domain-verify" content="..."> to your homepage. Best for marketing-team-controlled domains.
    • Email: receive a code at admin@yourdomain.com. Best for subdomains owned by the same admin.
  3. Click Verify. For DNS / HTTPS / meta, MarBoba pulls and checks the value; for email, paste the code from the inbox.
  4. Verified domains show a green Verified badge.
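What the verification step checks on the MarBoba side, as an added example (illustrative Python written for this page, not MarBoba’s code). It covers the three methods that can be checked automatically (DNS TXT, HTTPS file, meta tag); the email code flow is an out-of-band exchange and is not modelled. The one-week challenge lifetime is an assumption, and the TXT records and HTML used in the checks are constructed sample input.

```python
import hmac
import secrets
import time
from html.parser import HTMLParser

PREFIX = "marboba-domain-verify"
CHALLENGE_TTL = 7 * 24 * 3600   # assumed: a pending challenge expires after a week


def issue_challenge(domain, now=time.time):
    """Create a one-off challenge for `domain`. The token is 128 random bits, so it
    cannot be guessed or reused across orgs; it is bound to the domain it was
    issued for and lapses if never completed."""
    return {"domain": domain.strip().lower().rstrip("."),
            "token": secrets.token_urlsafe(16),
            "expires_at": now() + CHALLENGE_TTL}


def _matches(challenge, presented, now):
    if now() > challenge["expires_at"]:
        return False
    # Exact, constant-time comparison. Encoding both sides keeps compare_digest
    # happy if the fetched value contains non-ASCII junk.
    return hmac.compare_digest(challenge["token"].encode(), presented.strip().encode())


def check_dns_txt(challenge, txt_records, now=time.time):
    """TXT records at the apex. A record must be exactly `PREFIX=<token>`; an
    unrelated record that merely contains the token does not verify."""
    for record in txt_records:
        name, sep, value = record.partition("=")
        if sep and name.strip() == PREFIX and _matches(challenge, value, now):
            return True
    return False


def check_https_file(challenge, body, now=time.time):
    """Body of https://<domain>/.well-known/marboba-domain-verify.txt. The fetcher
    that supplies `body` must not follow redirects to another host, or a redirect
    to a site the requester controls would verify the wrong domain."""
    return _matches(challenge, body, now)


class _MetaCollector(HTMLParser):
    """Collects content="" of every <meta name="marboba-domain-verify"> tag."""

    def __init__(self):
        super().__init__()
        self.contents = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        a = dict(attrs)
        if (a.get("name") or "").lower() == PREFIX and a.get("content") is not None:
            self.contents.append(a["content"])


def check_meta_tag(challenge, html, now=time.time):
    """<meta name="marboba-domain-verify" content="..."> anywhere in the homepage."""
    parser = _MetaCollector()
    parser.feed(html)
    return any(_matches(challenge, c, now) for c in parser.contents)
```

Two design points matter more than the parsing. The token is compared whole, never searched for as a substring, so a record or page that happens to contain it somewhere else proves nothing. And the fetch for the HTTPS and meta methods has to stay on the domain being verified: following a redirect to another host turns “I control yourdomain.com” into “I control some host yourdomain.com points at”.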

Test the connection

Don’t enforce SSO yet — test it first.

  1. Settings → Identity & Access → click your IdP → Test SSO.
  2. A new tab opens to your IdP’s login page. Log in with a non-admin test account in the verified domain.
  3. The tab redirects back to MarBoba. The test screen shows:
    • SAML/OIDC assertion validation: ✓
    • User attributes parsed: email, name, group memberships
    • JIT provisioning preview: this is the org / role the user would land in.

If anything’s red, the page shows the upstream error verbatim (SAML signature mismatch, OIDC token expired, etc.) and links to the troubleshooting guide.

Enforce SSO

Once a test user lands successfully:

  1. Settings → Identity & Access → Enforcement tab.
  2. Set Enforcement mode to Required.
  3. Optionally, set Require for these domains to a subset (e.g., enforce for @yourcompany.com but allow contractors at other domains to keep using passwords).
  4. Click Save. The change takes effect immediately for new logins; existing sessions are honored until expiration.

After enforcement:

  • New users who try to log in with email + password get redirected to your IdP.
  • Users in non-enforced domains keep their existing login.
  • Org Owners always retain a password-login fallback in case the IdP is down. (Configurable; off by default for the highest enforcement tier.)
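The enforcement rules from this section and the “at least one verified domain” precondition from Verify your domain, written out as a routing decision. This is an added example in Python, not MarBoba’s code; the setting names mirror the Enforcement tab, the return shape and the treatment of an unverified domain as never enforceable are assumptions, and all domains and addresses are constructed.

```python
from dataclasses import dataclass
from typing import FrozenSet, NamedTuple


@dataclass(frozen=True)
class Enforcement:
    """Enforcement tab settings. An empty required_domains means every verified domain."""
    mode: str = "off"                               # "off" or "required"
    required_domains: FrozenSet[str] = frozenset()  # lower-case domains, a subset of the verified ones
    owner_password_fallback: bool = True            # on by default; off at the highest enforcement tier


class Decision(NamedTuple):
    route: str              # "session", "idp" or "password"
    password_allowed: bool  # whether a password login would still be accepted for this attempt


def _domain_of(email):
    return email.rpartition("@")[2].strip().lower().rstrip(".")


def validate_enforcement(enforcement, verified_domains):
    """Reject settings that must not be saved: enforcing with no verified domain,
    or naming a domain in the subset that has not been verified."""
    if enforcement.mode != "required":
        return
    if not verified_domains:
        raise ValueError("SSO cannot be enforced until at least one domain is verified")
    unverified = sorted(d for d in enforcement.required_domains if d not in verified_domains)
    if unverified:
        raise ValueError(f"cannot enforce SSO for unverified domains: {unverified}")


def login_route(email, enforcement, verified_domains, is_owner=False, has_valid_session=False):
    """Decide how a login attempt is handled under the current enforcement settings."""
    if has_valid_session:
        return Decision("session", False)   # existing sessions are honored until they expire
    if enforcement.mode != "required":
        return Decision("password", True)
    domain = _domain_of(email)
    if domain not in verified_domains:
        return Decision("password", True)   # only verified domains can be enforced
    if enforcement.required_domains and domain not in enforcement.required_domains:
        return Decision("password", True)   # e.g. contractors outside the enforced subset
    # Enforced domain: redirect to the IdP. Owners keep the password fallback only
    # when the setting allows it, so an IdP outage does not lock the org out.
    return Decision("idp", is_owner and enforcement.owner_password_fallback)
```

The address is lower-cased before the domain lookup so that case differences in what the user types cannot route around enforcement, and the subset is validated against verified domains at save time rather than at login time, so a typo in the Enforcement tab fails loudly instead of silently leaving a domain on passwords.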

If your IdP supports SCIM 2.0, set that up as well: users are provisioned and deprovisioned automatically, and group memberships sync.

Troubleshooting

  • “SAML response signature invalid” — the IdP’s signing cert rotated. Re-paste the metadata XML; MarBoba updates the cert.
  • “OIDC token issuer mismatch” — the issuer URL in the config doesn’t match what the token says. Common when the IdP uses a different issuer for tokens vs. the discovery endpoint.
  • “User has no MarBoba account” with JIT off — turn on JIT provisioning, or pre-create the user in MarBoba.
  • Locked out after enforcement — Owners can use the emergency password-login bypass at apps.marboba.com/owner-bypass (the link is emailed to all Owners when enforcement is enabled).