Ctrl AI

Single Sign-On (SSO)

Configure enterprise SSO with OIDC providers like Okta, Azure AD, and Google Workspace.

Ctrl AI supports enterprise SSO via OpenID Connect (OIDC). This allows your team to sign in with their existing corporate credentials.

Supported Providers

  • Okta
  • Azure Active Directory (Entra ID)
  • Google Workspace
  • Any OIDC-compliant provider
  • SAML (via BoxyHQ SAML Jackson)

Configuration

Set the following environment variables:

SSO_ISSUER_URL=https://your-idp.okta.com
SSO_CLIENT_ID=your-client-id
SSO_CLIENT_SECRET=your-client-secret

Okta Setup

  1. Create a new OIDC application in the Okta admin console
  2. Set the sign-in redirect URI to https://your-domain.com/api/auth/callback/oidc
  3. Copy the client ID, client secret, and issuer URL
  4. Set the environment variables above

Azure AD Setup

  1. Register a new application in Azure Portal > App registrations
  2. Add a redirect URI: https://your-domain.com/api/auth/callback/oidc
  3. Create a client secret
  4. Set SSO_ISSUER_URL to https://login.microsoftonline.com/{tenant-id}/v2.0

Google Workspace Setup

  1. Create OAuth credentials in the Google Cloud Console
  2. Set authorized redirect URI: https://your-domain.com/api/auth/callback/oidc
  3. Set SSO_ISSUER_URL to https://accounts.google.com

Account Linking

When SSO is enabled, users who previously signed in with email or social auth are automatically linked to their SSO account based on email address. No data is lost.

Restricting Access

To restrict sign-in to SSO only (disabling email and social auth), remove the corresponding environment variables (AUTH_GITHUB_ID, AUTH_GOOGLE_ID, etc.) and configure only the SSO provider.
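
A preflight check for the variables above, as an added example that is not part of Ctrl AI's own code: it flags placeholder values left over from this page, an issuer that is not HTTPS or does not match the provider's metadata, and leftover social-auth variables when SSO-only sign-in is intended. The function name, the `sso_only` flag and the AUTH_<PROVIDER>_ID naming pattern are assumptions; the discovery document is passed in as a dict so the check runs offline.

```python
"""Preflight check for the SSO environment variables on this page (added example)."""
from urllib.parse import urlsplit

# Placeholder values copied from the page's sample configuration.
PLACEHOLDERS = {"https://your-idp.okta.com", "your-client-id", "your-client-secret"}
REQUIRED = ("SSO_ISSUER_URL", "SSO_CLIENT_ID", "SSO_CLIENT_SECRET")


def check_sso_env(env, discovery=None, sso_only=False):
    """Return a list of findings; an empty list means no problem was detected."""
    findings = []
    for name in REQUIRED:
        value = env.get(name, "")
        if not value:
            findings.append(f"{name} is not set")
        elif value in PLACEHOLDERS or "{tenant-id}" in value:
            findings.append(f"{name} still holds a placeholder value")

    issuer = env.get("SSO_ISSUER_URL", "")
    if issuer:
        parts = urlsplit(issuer)
        # OIDC Discovery: the issuer is an https URL without query or fragment.
        if parts.scheme != "https" or not parts.netloc:
            findings.append("SSO_ISSUER_URL must be an absolute https:// URL")
        if parts.query or parts.fragment:
            findings.append("SSO_ISSUER_URL must not carry a query or fragment")
        # The issuer in the provider's discovery document must match exactly.
        if discovery is not None and discovery.get("issuer") != issuer:
            findings.append(f"issuer mismatch: provider metadata says {discovery.get('issuer')!r}")

    if sso_only:
        # Assumption: other sign-in methods follow the AUTH_<PROVIDER>_ID naming
        # of the two variables the page names (AUTH_GITHUB_ID, AUTH_GOOGLE_ID).
        for name in sorted(env):
            if name.startswith("AUTH_") and name.endswith("_ID") and env[name]:
                findings.append(f"{name} is set, so a non-SSO sign-in method stays enabled")
    return findings


if __name__ == "__main__":
    # Constructed sample: unreplaced Azure tenant placeholder, leftover GitHub auth.
    sample_env = {
        "SSO_ISSUER_URL": "https://login.microsoftonline.com/{tenant-id}/v2.0",
        "SSO_CLIENT_ID": "0f1e2d3c-constructed",
        "SSO_CLIENT_SECRET": "constructed-secret",
        "AUTH_GITHUB_ID": "constructed-github-id",
    }
    for finding in check_sso_env(sample_env, sso_only=True):
        print("FAIL:", finding)
```

To compare against live metadata, fetch `/.well-known/openid-configuration` under the issuer URL and pass the parsed JSON as `discovery`.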
