SysTeam/Docs/SSO

Single Sign-On (SSO)

Sign in to SysTeam HealthChecks using your existing identity provider. Supports GitHub, Google, SAML 2.0, and OpenID Connect (OIDC).

Overview

SSO allows users to authenticate using external identity providers instead of (or in addition to) a local password. Benefits include:

  • Centralized access control — manage who can access HealthChecks from your IdP
  • Reduced credential fatigue — one fewer password to remember
  • Compliance — enforce organization-wide authentication policies
  • Just-In-Time provisioning — auto-create accounts and org memberships on first SSO login

Supported Providers

ProviderProtocolUse Case
GitHubOAuth 2.0Developer teams using GitHub
GoogleOAuth 2.0 / OIDCGoogle Workspace organizations
SAML 2.0SAMLEnterprise IdPs (Okta, Azure AD, OneLogin, etc.)
OIDCOpenID ConnectAny OIDC-compatible provider (Keycloak, Auth0, etc.)

Logging In with SSO

If your administrator has configured SSO providers, you will see SSO buttons on the login page below the standard email/password form.

  1. Go to the Login page
  2. Click the SSO button for your provider (e.g., "Continue with GitHub")
  3. You will be redirected to your identity provider to authenticate
  4. After successful authentication, you will be redirected back to HealthChecks and logged in

Tip

If you have two-factor authentication (2FA) enabled on your HealthChecks account, you will be prompted for your 2FA code after the SSO redirect, adding an extra layer of security.

First-Time SSO Login

What happens on your first SSO login depends on the provider configuration:

  • Existing account with same email: Your SSO identity is automatically linked to your existing HealthChecks account.
  • No existing account + auto-registration enabled: A new account is created automatically. You will be an SSO-only user (no password set).
  • No existing account + auto-registration disabled: Login is rejected. An administrator must create your account first.

SSO-Only Accounts

Users created via SSO auto-registration do not have a password. They can only log in via SSO. To also enable password login, go to Profile and set a password.

Linking & Unlinking SSO Accounts

You can link multiple SSO providers to your account, allowing you to sign in with any of them.

Linking an SSO Account

  1. Go to Profile in the sidebar
  2. Scroll to the Linked Accounts section
  3. Click Link next to the provider you want to connect
  4. Authenticate with the provider
  5. You will be redirected back and the account will be linked

Unlinking an SSO Account

  1. Go to ProfileLinked Accounts
  2. Click Unlink next to the provider you want to disconnect

Cannot Unlink Last SSO Without Password

If you are an SSO-only user (no password set), you cannot unlink your last SSO provider. This prevents you from being locked out of your account. Set a password first before unlinking.

Administrator Setup

SSO providers are managed by superadmins via the admin panel. Each provider needs to be configured with credentials from the identity provider.

Accessing the Admin Panel

  1. Log in as a superadmin user
  2. Go to AdminSSO Providers in the sidebar
  3. Click Add Provider to create a new SSO provider

Common Fields

FieldDescription
NameDisplay name shown to users (e.g., "Corporate GitHub")
SlugURL-safe identifier (e.g., "github-corp"). Must be unique.
TypeGITHUB, GOOGLE, SAML, or OIDC
EnabledWhether users can see and use this provider
Auto-Create UsersCreate accounts for new SSO users automatically
Allowed DomainsRestrict SSO to specific email domains (e.g., "company.com")
OrganizationOptional — scope this provider to a specific organization

Configuring GitHub SSO

  1. Go to GitHub Developer Settings → OAuth Apps → New OAuth App
  2. Fill in the application details:
    • Application name: SysTeam HealthChecks
    • Homepage URL: Your HealthChecks domain (e.g., https://checks.example.com)
    • Authorization callback URL: https://checks.example.com/auth/sso/callback/github
  3. After creating the app, note the Client ID and generate a Client Secret

GitHub SSO Provider Configuration

Type:GITHUB
Name:GitHub
Slug:github
Client ID:Ov23li...your_client_id
Client Secret:your_client_secret_from_github
Scopes:read:user user:email

Tip

The callback URL must exactly match what you configured in GitHub. The format is:{your-domain}/auth/sso/callback/{slug}

Configuring Google SSO

  1. Go to the Google Cloud Console → APIs & Services → Credentials
  2. Click Create CredentialsOAuth 2.0 Client ID
  3. Choose Web application as the application type
  4. Under Authorized redirect URIs, add: https://checks.example.com/auth/sso/callback/google
  5. Note the Client ID and Client Secret

Google SSO Provider Configuration

Type:GOOGLE
Name:Google
Slug:google
Client ID:your_client_id.apps.googleusercontent.com
Client Secret:your_client_secret
Scopes:openid email profile

Tip

To restrict access to your Google Workspace domain, set Allowed Domains to your domain (e.g., company.com). Only users with that email domain will be allowed to log in.

Configuring SAML 2.0

SAML 2.0 is commonly used with enterprise identity providers like Okta, Azure AD, OneLogin, and ADFS.

Step 1: Get SP Metadata

After creating the SAML provider in the admin panel, download the SP (Service Provider) metadata from:

SP Metadata URL
GET /api/auth/sso/saml/{slug}/metadata

Import this XML into your IdP, or manually configure:

  • ACS URL: https://checks.example.com/api/auth/sso/saml/callback/{slug}
  • Entity ID: https://checks.example.com

Step 2: Configure IdP Details

From your IdP, obtain:

SAML SSO Provider Configuration

Type:SAML
Name:Okta SAML
Slug:okta-saml
IdP Entity ID:https://your-okta-domain.okta.com/...
IdP SSO URL:https://your-okta-domain.okta.com/app/.../sso/saml
IdP SLO URL:(optional) Single Logout URL
IdP X.509 Certificate:MIIDpDCCAoygAwIBAgI...

Attribute Mapping

SAML providers can customize which IdP attributes map to HealthChecks fields using the Attribute Mapping JSON field. Defaults:

Default attribute mapping
{
  "email": "email",
  "name": "name",
  "first_name": "firstName",
  "last_name": "lastName"
}

Configuring OpenID Connect (OIDC)

OIDC is supported for any provider that implements the OpenID Connect standard. If your provider has a .well-known/openid-configuration endpoint, configuration is simplified — just provide the discovery URL.

OIDC Provider Configuration (with Discovery)

Type:OIDC
Name:Keycloak
Slug:keycloak
Client ID:your_client_id
Client Secret:your_client_secret
Discovery URL:https://keycloak.example.com/realms/myrealm/.well-known/openid-configuration
Scopes:openid email profile

If your provider does not support auto-discovery, you can manually specify the URLs:

OIDC Provider Configuration (Manual)

Type:OIDC
Authorize URL:https://idp.example.com/authorize
Token URL:https://idp.example.com/token
UserInfo URL:https://idp.example.com/userinfo

Just-In-Time (JIT) Provisioning

When an SSO provider is scoped to an organization, JIT provisioning can automatically add new users to that organization on their first SSO login.

To enable JIT provisioning:

  1. Go to Organization Settings
  2. Enable SSO JIT Provisioning
  3. Set the Default SSO Role (e.g., MEMBER, VIEWER)

Users who log in via the org-scoped SSO provider will automatically be added to the organization with the default role, without needing a manual invite.

Organization SSO Policies

Organization admins can configure SSO policies in Organization Settings:

SettingDescription
Require SSOForce all org members to authenticate via SSO (disables password login for the org)
Allowed SSO ProvidersRestrict which SSO providers org members can use
SSO Auto-ProvisionAutomatically provision org access for SSO users
JIT ProvisioningAuto-add users to the organization on first SSO login
Default SSO RoleRole assigned to JIT-provisioned users (VIEWER, MEMBER, ADMIN)

Warning

Enabling Require SSO will prevent org members from logging in with a password. Make sure at least one SSO provider is configured and working before enabling this.

Security Considerations

  • State tokens — All SSO flows use cryptographic state tokens (CSRF protection) that expire after 10 minutes
  • Encrypted secrets — Client secrets are encrypted at rest using Fernet symmetric encryption
  • Domain restrictions — Use Allowed Domains to prevent unauthorized email domains from logging in
  • MFA + SSO — Users with 2FA enabled will be prompted after SSO redirect for additional security
  • Unlink safety — SSO-only users cannot unlink their last provider (prevents lockout)
  • PKCE support — State tokens can store code verifiers for PKCE-enabled flows

SSO API Endpoints

The SSO system exposes the following REST API endpoints:

MethodEndpointAuthDescription
GET/api/auth/sso/providersPublicList enabled SSO providers
GET/api/auth/sso/init/{slug}PublicGet authorization URL
POST/api/auth/sso/callback/{slug}PublicExchange code for session
POST/api/auth/sso/link/{slug}UserLink SSO account
DELETE/api/auth/sso/unlink/{slug}UserUnlink SSO account
GET/api/auth/sso/me/identitiesUserList linked SSO identities
GET/api/auth/sso/saml/{slug}/metadataPublicSP metadata XML
Example: Initialize SSO Login
# Get the authorization URL
curl https://checks.example.com/api/auth/sso/init/github

# Response:
{
  "authorize_url": "https://github.com/login/oauth/authorize?client_id=...&state=...",
  "state": "abc123..."
}
Example: Complete SSO Callback
# Frontend POSTs code + state after redirect
curl -X POST https://checks.example.com/api/auth/sso/callback/github \
  -H "Content-Type: application/json" \
  -d '{"code": "code_from_provider", "state": "abc123..."}'

# Response (success):
{
  "message": "SSO login successful",
  "token_type": "cookie",
  "expires_in": 900
}

# Response (MFA required):
{
  "mfa_required": true,
  "mfa_token": "eyJ..."
}

Next Steps