SSO & Authentication
Configure single sign-on (SSO) providers and multi-factor authentication (MFA) for your Inspire installation. The page has two tabs: SSO Providers and Multi-Factor Auth.
Navigate to Settings > SSO & Authentication.
This page requires the Admin role. SSO requires the SSO_SAML entitlement (Enterprise plan). MFA requires the MFA entitlement (Professional plan and above).
SSO Providers
SAML 2.0
Connect Inspire to a SAML 2.0 identity provider (IdP) such as Azure AD, Okta, or OneLogin.
- Toggle Enable SAML to on
- Configure the following fields:
| Field | Description | Example |
|---|---|---|
| Entity ID (Issuer) | Your IdP’s entity ID / issuer URL | https://your-idp.example.com |
| Metadata URL | The IdP’s SAML metadata endpoint | https://your-idp.example.com/metadata |
| X.509 Certificate | The IdP’s signing certificate in PEM format | -----BEGIN CERTIFICATE-----... |
- Click Save Changes
The certificate field shows whether a certificate is already stored. You can replace it by pasting a new PEM value, or click “Clear stored certificate” to remove it.
OpenID Connect (OIDC)
Connect Inspire to an OIDC provider such as Azure AD, Auth0, or Google Workspace.
- Toggle Enable OIDC to on
- Configure the following fields:
| Field | Description | Example |
|---|---|---|
| Authority URL | The OIDC authority / issuer URL | https://login.microsoftonline.com/{tenant}/v2.0 |
| Client ID | The application / client ID from your provider | 12345678-abcd-efgh-ijkl-123456789012 |
| Client Secret | The client secret from your provider | (stored securely) |
- Click Save Changes
The client secret is stored encrypted. If a secret is already configured, you can replace it by entering a new value or click “Clear stored secret” to remove it.
You can enable both SAML and OIDC simultaneously. Users will see login options for each configured provider on the sign-in page.
Multi-Factor Authentication (MFA)
Inspire supports TOTP-based (Time-based One-Time Password) two-factor authentication, compatible with authenticator apps like Google Authenticator, Authy, and 1Password.
Enabling MFA
- Switch to the Multi-Factor Auth tab
- Toggle Enable MFA for this tenant to on
- Optionally toggle Require MFA for all users to on
- Click Save Changes
MFA Modes
| Mode | Behaviour |
|---|---|
| Enabled (optional) | Users can set up MFA from their account page. Not enforced. |
| Required | All users must enable MFA before they can access the application. Users without MFA configured are redirected to the setup flow on login. |
User Setup
When MFA is enabled, users set up their authenticator from their account page:
- Navigate to Account (click your avatar in the top-right)
- Find the Two-Factor Authentication section
- Scan the QR code with an authenticator app
- Enter the 6-digit code to verify
- Save the recovery codes
Recovery codes are shown once during setup. Users should save them in a secure location. If a user loses access to their authenticator and recovery codes, an Admin must reset their MFA from the user management page.
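The 6-digit code check from the setup flow above, sketched as an added example following RFC 6238; it is not Inspire's own code. HMAC-SHA-1, the 30-second step, the one-step drift window, the `totp`/`verify` names and the sample secret (the RFC 6238 test key) are assumptions; this page states only the code length.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP = 30    # seconds per time step (assumed; common authenticator-app default)
DIGITS = 6   # code length, as stated on this page

# Constructed sample secret: the RFC 6238 test key, base32-encoded as it
# would appear inside the enrolment QR code.
SAMPLE_SECRET = base64.b32encode(b"12345678901234567890").decode()


def totp(secret_b32: str, at: float, step: int = STEP, digits: int = DIGITS) -> str:
    """Compute the TOTP code for Unix time `at` (HMAC-SHA-1, assumed)."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", int(at) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret_b32, code, at=None, window=1, last_used_step=None):
    """Return the matched time step, or None if the code is rejected.

    window          steps of clock drift tolerated on each side of "now"
    last_used_step  highest step already accepted for this user; a code
                    from that step or earlier is refused (replay)
    """
    # Reject anything that is not exactly DIGITS ASCII digits up front.
    if not (isinstance(code, str) and code.isascii()
            and code.isdigit() and len(code) == DIGITS):
        return None
    now = time.time() if at is None else at
    current = int(now) // STEP
    matched = None
    for step_no in range(max(0, current - window), current + window + 1):
        expected = totp(secret_b32, step_no * STEP)
        # Constant-time comparison; always walk the whole window.
        if hmac.compare_digest(expected, code):
            if last_used_step is None or step_no > last_used_step:
                matched = step_no
    return matched
```

A caller would persist the returned step per user and pass it back as `last_used_step`, so a code observed once cannot be replayed inside the drift window.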