Single Sign-On (SSO)
SSO lets your users sign in to TraffiTech-powered apps with the credentials they already have in your corporate identity provider (IdP) - no separate username or password to manage.
How sign-in works
TraffiTech's login form uses an identifier-first flow with Home Realm Discovery (HRD):
- The user enters their email (e.g. alice@yourcompany.com).
- TraffiTech looks up the email's domain against the list of registered enterprise IdPs.
- If the domain matches an IdP, the user is redirected straight to that IdP's sign-in page - they never see a TraffiTech password prompt.
- After authenticating with the IdP, the user is redirected back and signed in.
- If the domain is not registered, the user is offered the standard password form instead.
Domain matching is exact and case-insensitive. Customers whose users span multiple email domains (e.g. yourcompany.com + yourcompany.onmicrosoft.com) should hand all of them to their TraffiTech administrator during setup.
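The lookup described above, sketched as an added example (not TraffiTech's own code), shows why exact, case-insensitive matching sends subdomains and lookalike domains to the password form rather than to an IdP. The registry contents, the function names and the "invalid" route for malformed input are assumptions made for illustration.

```python
# Added illustration; not TraffiTech's implementation. All names are hypothetical.

# Constructed sample registry: email domain -> IdP identifier.
# Keys are stored lowercase so that lookups can be case-insensitive.
REGISTERED_DOMAINS = {
    "yourcompany.com": "idp-yourcompany",
    "yourcompany.onmicrosoft.com": "idp-yourcompany",
}


def email_domain(email):
    """Return the lowercased domain of an email, or None if it is malformed."""
    local, sep, domain = email.strip().rpartition("@")
    # Require exactly one "@" with text on both sides (assumed policy:
    # ambiguous identifiers are rejected rather than guessed at).
    if not sep or not local or not domain or "@" in local:
        return None
    return domain.lower()


def discover_realm(email):
    """Decide where the identifier-first form sends the user next."""
    domain = email_domain(email)
    if domain is None:
        return {"route": "invalid", "idp": None}
    # Exact match only: no suffix, prefix or substring comparison.
    idp = REGISTERED_DOMAINS.get(domain)
    if idp is None:
        return {"route": "password", "idp": None}
    return {"route": "federated", "idp": idp}


if __name__ == "__main__":
    # Constructed sample identifiers.
    for sample in (
        "alice@yourcompany.com",             # registered domain
        "Alice@YourCompany.COM",             # same domain, different case
        "bob@yourcompany.onmicrosoft.com",   # second registered domain
        "carol@mail.yourcompany.com",        # subdomain, not registered
        "dave@yourcompany.com.example.net",  # registered name as a prefix only
        "erin@notyourcompany.com",           # registered name as a suffix only
        "no-at-sign",                        # malformed
    ):
        print(sample, "->", discover_realm(sample))
```

Because only listed domains route to the IdP, a subdomain such as mail.yourcompany.com has to be registered separately if its users should be federated.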
Supported identity providers
TraffiTech federates with any IdP that speaks OpenID Connect (OIDC). Microsoft Entra ID (Azure AD) is the first-class path with a dedicated guide; other OIDC-compliant providers (Okta, Google Workspace, Keycloak, and so on) are supported under the same flow - contact your TraffiTech administrator to onboard them.
SAML is not currently supported. If your only option is SAML, reach out - we'll scope it with you.
What setup looks like
The customer does the IdP-side work; the TraffiTech administrator completes the registration on our side.
- Customer: register a new application in the IdP, using the TraffiTech callback URL as the redirect URI: https://oidc.traffitech.com/interaction/federated/callback
- Customer: collect the IdP credentials (for Azure: tenant ID, client ID, client secret) and the list of email domains that should auto-route to this IdP.
- Customer: hand the credentials and domain list to the TraffiTech administrator.
- TraffiTech administrator: registers the IdP and enables it.
- Customer: tests sign-in with a work email from one of the registered domains.
Full step-by-step instructions live in the IdP-specific guides — see Microsoft Entra ID (Azure AD) SSO.
SSO vs SCIM
SSO and SCIM are complementary but independent:
- SSO lets a user sign in with their existing IdP credentials - the account in TraffiTech is created (or linked) on first login.
- SCIM is a scheduled push from your IdP that keeps user accounts, attributes, and deactivations in sync proactively - it runs whether users log in or not.
Most organizations want both. See the User Provisioning (SCIM) overview for provisioning.