SSO overview
How Qeet ID does enterprise SSO — SAML 2.0 (SP and IdP), SCIM provisioning, and LDAP — with pointers to the Enterprise section.
Qeet ID is both an OIDC provider and a SAML provider, and it consumes external IdPs too. That gives you the full enterprise federation story — open-source and not behind an SSO tax. This page is the map; the deep dives live in Enterprise and OIDC/OAuth provider.
The two directions of SSO
Consume external IdPs (SAML SP)
Let your customers' employees sign in with their own Okta / Entra ID / Google Workspace via SAML, with JIT provisioning.
Be an SSO source (SAML IdP)
Qeet ID acts as the IdP: register downstream SPs, publish metadata, and serve SP-initiated and IdP-initiated SSO from the hosted-login session.
OIDC provider
Discovery, dynamic client registration, Authorization Code + PKCE, hosted login & consent, and ES256 ID tokens.
Provisioning & directories
SCIM 2.0 (Users + Groups)
Okta/Entra-style provisioning, deprovisioning, and PatchOp group-membership sync, with per-tenant bearer tokens.
LDAP / AD
Bind-based login plus connection CRUD and test-bind.
No SSO tax
SAML (both directions), SCIM Users + Groups, and LDAP are part of the platform — not paywalled behind an "enterprise" tier. Earlier docs implied SAML/SCIM weren't available; both are fully implemented today.
Where the pieces live
| Capability | Section |
|---|---|
| SAML SP (consume IdPs) | Enterprise → SAML SP |
| SAML IdP (be a source) | Enterprise → SAML IdP |
| SCIM Users + Groups | Enterprise → SCIM |
| LDAP / AD | Enterprise → LDAP |
| OIDC/OAuth provider | OIDC/OAuth provider |
| Org-level roles & groups | Authorization → Group roles |