SensorZone supports enterprise Single Sign-On through Stytch B2B, allowing your team to authenticate using your organization’s existing identity provider (IdP). Once configured, users sign in with their corporate credentials — no separate SensorZone password required.

Supported authentication methods

SensorZone supports multiple authentication paths. SSO is the enterprise option, but all methods are available depending on your organization’s needs.
Method | How it works | Best for
SAML 2.0 SSO | Federated login via your IdP (Okta, Azure AD, etc.) | Enterprise organizations with centralized identity management
OIDC SSO | OpenID Connect flow via your IdP | Organizations preferring OIDC over SAML
OAuth | Sign in with Google or Microsoft accounts | Teams using Google Workspace or Microsoft 365 without full SSO
Magic Link | Passwordless email link | Quick access without managing passwords
Email + Password | Traditional credentials | Individual users or organizations without an IdP

Supported identity providers

SensorZone SSO works with any SAML 2.0 or OIDC-compliant identity provider. Tested providers include:
  • Okta: SAML, OIDC, and SCIM provisioning
  • Microsoft Azure AD: SAML and OIDC via Entra ID
  • Google Workspace: SAML via Google Admin Console
  • OneLogin: SAML and OIDC
  • Ping Identity: SAML and OIDC
  • Other SAML/OIDC: any standards-compliant provider

How SSO works

Before diving into setup, here is an overview of what happens when a user signs in via SSO. Key points:
  • SensorZone never sees the user’s IdP password
  • Authentication is handled entirely by your identity provider
  • Stytch acts as a bridge between SensorZone and your IdP
  • Users are matched by email address and email domain

Prerequisites

Before starting the SSO setup, ensure you have:
  1. SensorZone admin access: You need an admin account in SensorZone to configure SSO settings for your brand.
  2. IdP admin access: You need admin access to your identity provider (Okta, Azure AD, etc.) to create a SAML or OIDC application.
  3. Email domain ownership: Your organization’s email domain (e.g., yourcompany.com) must be confirmed. SSO will only work for users whose email addresses match this domain.
If you don’t have admin access to your IdP, work with your IT team to complete the IdP-side configuration. This guide provides all the values they’ll need.

Setup guide: SAML 2.0

SAML is the most common enterprise SSO protocol. Follow these steps for any SAML-compatible IdP.

Step 1: Get SensorZone’s SAML details

Contact your SensorZone account manager or support team to obtain:
Value | Description
ACS URL (Assertion Consumer Service) | The URL where your IdP sends the SAML response. Format: https://login.sensorzone.io/v1/b2b/sso/callback/{connection-id}
SP Entity ID | SensorZone’s identifier as a Service Provider. Same as the ACS URL
Connection ID | Your unique SAML connection identifier (provided by SensorZone)

Step 2: Create a SAML application in your IdP

Okta

  1. In Okta Admin Console, go to Applications > Applications
  2. Click Create App Integration
  3. Select SAML 2.0, click Next
  4. General Settings:
    • App name: SensorZone
    • App logo: (optional — download from your SensorZone settings)
  5. SAML Settings:
    • Single sign-on URL: Paste the ACS URL from Step 1
    • Audience URI (SP Entity ID): Paste the SP Entity ID from Step 1
    • Name ID format: EmailAddress
    • Application username: Email
  6. Attribute Statements (required):
    • email: user.email
    • firstName: user.firstName
    • lastName: user.lastName
  7. Click Next, then Finish
  8. Go to the Sign On tab and copy the IdP metadata URL (or download the metadata XML)
  9. Go to the Assignments tab and assign users or groups who should have access

Azure AD

  1. In Azure Portal, go to Azure Active Directory > Enterprise applications
  2. Click New application > Create your own application
  3. Name: SensorZone, select Integrate any other application you don’t find in the gallery
  4. Go to Single sign-on > SAML
  5. Basic SAML Configuration:
    • Identifier (Entity ID): Paste the SP Entity ID from Step 1
    • Reply URL (ACS URL): Paste the ACS URL from Step 1
  6. Attributes & Claims:
    • email: user.mail
    • firstName: user.givenname
    • lastName: user.surname
  7. Download the Federation Metadata XML from Section 3
  8. Assign users and groups under the Users and groups tab

Google Workspace

  1. In Google Admin Console, go to Apps > Web and mobile apps
  2. Click Add app > Add custom SAML app
  3. Name: SensorZone
  4. Copy the SSO URL, Entity ID, and download the Certificate (you’ll need these for Step 3)
  5. Service Provider Details:
    • ACS URL: Paste the ACS URL from Step 1
    • Entity ID: Paste the SP Entity ID from Step 1
    • Name ID format: EMAIL
    • Name ID: Basic Information > Primary email
  6. Attribute mapping:
    • email: Basic Information > Primary email
    • firstName: Basic Information > First name
    • lastName: Basic Information > Last name
  7. Click Finish
  8. Turn on the app for the relevant organizational units

OneLogin

  1. In OneLogin Admin, go to Applications > Add App
  2. Search for SAML Custom Connector (Advanced) and select it
  3. Name: SensorZone
  4. Under Configuration:
    • ACS (Consumer) URL: Paste the ACS URL from Step 1
    • SAML Audience: Paste the SP Entity ID from Step 1
    • SAML nameID format: Email
  5. Under Parameters, add:
    • email: Email
    • firstName: First Name
    • lastName: Last Name
  6. Under SSO, copy the Issuer URL and SAML 2.0 Endpoint (HTTP)
  7. Download the X.509 Certificate
  8. Save, then assign users under Access

Other SAML 2.0 IdPs

For any SAML 2.0-compliant IdP, you need to configure:
  1. ACS URL / Reply URL: The ACS URL provided by SensorZone
  2. Entity ID / Audience: The SP Entity ID provided by SensorZone
  3. Name ID format: EmailAddress or email
  4. Attribute statements: Map email, firstName, and lastName to your directory’s fields
  5. Signing: Ensure both Response and Assertion are signed with RSA_SHA256
Collect the following from your IdP to send back to SensorZone:
  • IdP Entity ID
  • IdP SSO URL
  • X.509 Certificate (PEM format)

Step 3: Send your IdP metadata to SensorZone

After creating the SAML app in your IdP, send the following to your SensorZone contact:
  • IdP Metadata URL (preferred) — or the metadata XML file
  • IdP Entity ID
  • IdP SSO URL
  • X.509 Certificate (PEM format)
SensorZone will configure the connection and provide you with confirmation when SSO is ready to test.

Step 4: Configure SSO in SensorZone

Once SensorZone has configured the Stytch connection, an admin can complete the setup:
  1. Navigate to Settings > SSO in the SensorZone sidebar
  2. Toggle Enable SSO on
  3. Select your SSO Provider (Okta, Azure AD, Google Workspace, etc.)
  4. Enter your Email Domain (e.g., yourcompany.com)
  5. Enter the SAML Connection ID provided by SensorZone support
  6. Optionally enable Auto-provision users (see User Provisioning below)
  7. Click Save
  8. Click Test Connection to verify the setup
The Email Domain must exactly match the domain portion of your users’ email addresses. For example, if users log in as jane@acme.com, set the domain to acme.com. Users with email addresses on different domains will not be able to authenticate via SSO.

Step 5: Test the connection

Either click Test Connection on the SSO settings page, or test the login flow manually:
  1. Open an incognito/private browser window
  2. Navigate to your SensorZone login page
  3. Click Sign in with SSO (or the SSO tab on the login page)
  4. You should be redirected to your IdP login page
  5. Authenticate with your corporate credentials
  6. You should be redirected back to SensorZone and logged in
Use an incognito window for testing so existing sessions don’t interfere. If the test fails, check the Troubleshooting section below.

Setup guide: OIDC

If your organization prefers OpenID Connect over SAML, SensorZone supports OIDC-based SSO as well.

OIDC configuration

  1. Create an OIDC application in your IdP: Create a Web Application with Authorization Code grant type. Set the redirect URI to the value provided by SensorZone (format: https://login.sensorzone.io/v1/b2b/sso/callback/{oidc-connection-id}).
  2. Collect OIDC credentials: From your IdP, collect:
    • Client ID
    • Client Secret
    • Issuer URL (e.g., https://your-domain.okta.com/oauth2/default)
    Ensure the following scopes are available: openid, profile, email.
  3. Send credentials to SensorZone: Provide the Client ID, Client Secret, and Issuer URL to your SensorZone contact. They will configure the OIDC connection.
  4. Complete setup in SensorZone: Follow the same steps as SAML Step 4 above, entering the OIDC Connection ID instead of the SAML Connection ID.

User provisioning

Manual provisioning

By default, users must be created in SensorZone before they can sign in via SSO. An admin invites users via the Users page, and the user completes setup. When they subsequently sign in via SSO, their existing account is matched by email address.

Auto-provisioning

When Auto-provision users is enabled in SSO settings, SensorZone automatically creates a user account the first time someone authenticates via SSO. The user’s name and email are pulled from the IdP’s SAML assertion or OIDC profile. Auto-provisioned users are:
  • Assigned brand-level access by default
  • Associated with your organization automatically
  • Able to sign in immediately without an invitation
Auto-provisioning only creates users whose email domain matches your configured SSO domain. This prevents unauthorized account creation.

SCIM provisioning (advanced)

For organizations that need automated user lifecycle management, SensorZone supports SCIM 2.0 (System for Cross-domain Identity Management). SCIM enables:
  • Automatic user creation when assigned in your IdP
  • Attribute synchronization when user details change
  • Automatic deactivation when users are removed from the IdP
To set up SCIM:
  1. Request SCIM credentials: Contact SensorZone support to obtain:
    • SCIM Base URL: https://api.stytch.com/v1/b2b/scim/{scim-connection-id}
    • SCIM Bearer Token: A secure token for authenticating SCIM requests
  2. Configure SCIM in your IdP: In your IdP’s provisioning settings:
    • SCIM connector base URL: Enter the SCIM Base URL
    • Authentication mode: OAuth Bearer Token
    • Bearer token: Enter the SCIM Bearer Token
    • Unique identifier: userName
    • Enable: Create Users, Update User Attributes, Deactivate Users
  3. Map attributes: Map your IdP’s user attributes to SCIM attributes:
    • Email → userName and emails[0].value
    • First Name → name.givenName
    • Last Name → name.familyName
    • Phone → phoneNumbers[0].value
    • Active → active
  4. Test provisioning: Assign a test user in your IdP and verify they appear in SensorZone within a few minutes.
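To make the create, update and deactivate lifecycle concrete, here is an added toy SCIM 2.0 receiver (an illustration, not Stytch’s or SensorZone’s implementation) that uses userName as the unique identifier and the SCIM attribute names from step 3; the class name, the `user-N` id scheme and the bearer token value are constructed for the example.

```python
import hmac

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

class ScimReceiver:
    """Toy receiver for the three operations the page enables: create, update, deactivate."""
    def __init__(self, bearer_token):
        self._token = bearer_token  # a secret: store and rotate it as the page advises
        self.users = {}             # id -> stored resource
        self._by_name = {}          # userName -> id (userName is the unique identifier)

    def _authorized(self, headers):
        auth = headers.get("Authorization", "")
        return auth.startswith("Bearer ") and hmac.compare_digest(auth[7:], self._token)  # constant-time

    def create_user(self, headers, body):
        """POST /Users: 201 on success, 409 when userName already exists (RFC 7644)."""
        if not self._authorized(headers):
            return 401, {"detail": "invalid bearer token"}
        user_name = body.get("userName", "").strip().lower()
        if user_name in self._by_name:
            return 409, {"scimType": "uniqueness", "detail": "userName already exists"}
        user_id = f"user-{len(self.users) + 1}"  # constructed id scheme for the example
        resource = {
            "schemas": [SCIM_USER_SCHEMA],
            "id": user_id,
            "userName": user_name,
            "name": dict(body.get("name", {})),  # name.givenName / name.familyName
            "emails": body.get("emails", [{"value": user_name, "primary": True}]),
            "active": bool(body.get("active", True)),
        }
        self.users[user_id] = resource
        self._by_name[user_name] = user_id
        return 201, resource

    def patch_user(self, headers, user_id, body):
        """PATCH /Users/{id}: apply replace operations; the IdP deactivates with active=false."""
        if not self._authorized(headers):
            return 401, {"detail": "invalid bearer token"}
        resource = self.users.get(user_id)
        if resource is None:
            return 404, {"detail": "user not found"}
        if SCIM_PATCH_SCHEMA not in body.get("schemas", []):
            return 400, {"detail": "expected a PatchOp body"}
        replaces = [op for op in body.get("Operations", []) if op.get("op", "").lower() == "replace"]
        for op in replaces:  # add/remove operations are left out of this toy
            path, value = op.get("path"), op.get("value")
            if path == "active":
                resource["active"] = bool(value)
            elif path in ("name.givenName", "name.familyName"):
                resource["name"][path.split(".", 1)[1]] = value
        return 200, resource
```

A deactivated user keeps its record with active set to false, which is the state your IdP’s "Deactivate Users" setting produces when someone is unassigned.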

User login experience

Once SSO is configured, here’s what your users will see:

Login page

The SensorZone login page offers three tabs:
  1. Password — Email and password (default)
  2. Magic Link — Passwordless email link
  3. SSO / OAuth — Corporate SSO and social login (Google, Microsoft)
Users with SSO-enabled organizations can click the SSO tab and authenticate through their IdP.

Step-up authentication

For added security, SensorZone may require step-up authentication (an email verification code) when:
  • The user hasn’t logged in for more than 14 days
  • The login is from a new IP address
  • The login is from a new device or browser
This applies to all authentication methods including SSO. Users receive a one-time code via email that they enter to complete sign-in.
Enable Remember me during login to reduce the frequency of step-up authentication prompts on trusted devices.

Linking additional accounts

Users can link multiple authentication methods to their account. From Settings > OAuth Accounts, users can:
  • Link their Google account
  • Link their Microsoft account
  • View and unlink existing connections
This allows users to sign in via SSO at work and via Google/Microsoft when working remotely.

Admin SSO settings reference

The SSO settings page is available at Settings > SSO for administrators.
Field | Description | Required
Enable SSO | Master toggle to enable/disable SSO for your organization | Yes
SSO Provider | Your identity provider: Okta, Azure AD, Google Workspace, OneLogin, Ping Identity, or Other | Yes
Email Domain | The email domain for SSO users (e.g., yourcompany.com). Only users with this email domain can authenticate via SSO | Yes
SAML Connection ID | The Stytch SAML connection identifier (provided by SensorZone) | Yes (for SAML)
OIDC Connection ID | The Stytch OIDC connection identifier (provided by SensorZone) | Yes (for OIDC)
SCIM Connection ID | The Stytch SCIM connection identifier for automated provisioning | No
Auto-provision users | Automatically create SensorZone accounts for new SSO users | No

Troubleshooting

Likely cause: The email domain doesn’t match. SensorZone validates that the email address returned by your IdP matches your configured SSO domain. Check:
  1. The Email Domain in SensorZone SSO settings matches your users’ email domain exactly
  2. Your IdP is sending the correct email attribute in the SAML assertion
  3. The user is assigned to the SensorZone application in your IdP

Likely cause: The SAML/OIDC Connection ID is incorrect or the connection hasn’t been configured yet. Check:
  1. The Connection ID in SensorZone settings matches the value provided by SensorZone support
  2. SSO is enabled (toggle is on)
  3. Contact SensorZone support to verify the connection is active

Likely cause: The user was auto-provisioned but hasn’t been assigned the correct role. Auto-provisioned users receive brand-level access by default. An admin should:
  1. Go to the Users page
  2. Find the new user
  3. Click Edit and assign the appropriate access level

Likely cause: Attribute mapping is not configured in your IdP. SensorZone requires at minimum the email attribute. Verify your IdP sends:
  • email → user’s email address
  • firstName → user’s first name (optional but recommended)
  • lastName → user’s last name (optional but recommended)
Use a SAML debugging tool like the SAML-tracer browser extension to inspect the SAML response.

Likely cause: Not all users are assigned to the application in your IdP. In your IdP:
  1. Go to the SensorZone application’s Assignments tab
  2. Verify the affected users (or their groups) are assigned
  3. Check that user accounts are active in the IdP

SAML certificates have an expiration date (typically 1-3 years). If your SSO stops working unexpectedly:
  1. Check if your IdP’s signing certificate has expired
  2. Generate a new certificate in your IdP
  3. Send the new certificate to SensorZone support for update
  4. Test the connection after the certificate is updated

If SCIM provisioning is not creating or updating users, check:
  1. The SCIM Bearer Token hasn’t expired or been rotated
  2. The SCIM Base URL is correct
  3. Provisioning is enabled in your IdP (Create, Update, Deactivate are all toggled on)
  4. Test the connector configuration in your IdP’s provisioning settings
  5. Check your IdP’s provisioning logs for error details

Security considerations

Email domain validation

SensorZone validates that the email returned by your IdP matches your configured SSO domain. This prevents users from other organizations from gaining access to your data.
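As an added illustration, not SensorZone’s or Stytch’s own code, the following applies the two checks this page describes, the attribute statements from Step 2 and the exact email-domain match from Step 4, to a constructed sample SAML assertion; the function names are mine.

```python
import xml.etree.ElementTree as ET  # parse untrusted XML with defusedxml in production

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion carrying the three attribute statements this page
# asks the IdP to send (email, firstName, lastName); not a real IdP response.
SAMPLE_ASSERTION = """
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_sample" Version="2.0">
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>Jane@ACME.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def extract_attributes(assertion_xml):
    """Return {attribute name: first value} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml.strip())
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        value = attr.find("saml:AttributeValue", SAML_NS)
        if value is not None and value.text:
            attrs[attr.get("Name")] = value.text.strip()
    return attrs


def email_domain(email):
    """Domain part of an address, lower-cased; None if the address is malformed."""
    if email.count("@") != 1:  # rejects "a@b@c" as well as addresses with no "@"
        return None
    local, domain = email.split("@")
    if not local or not domain:
        return None
    return domain.lower()


def validate_sso_login(attrs, configured_domain):
    """Apply the page's rules: email is required and its domain must match exactly."""
    email = attrs.get("email")
    if not email:
        return False, "IdP did not send the email attribute"
    domain = email_domain(email)
    if domain is None:
        return False, "malformed email address in assertion"
    # Exact match only: sub-domains and look-alike suffixes are rejected.
    if domain != configured_domain.strip().lower():
        return False, f"email domain {domain} does not match configured domain {configured_domain}"
    return True, "ok"
```

Run the sample through both functions with the configured domain acme.com to see an accepted login, then with mail.acme.com to see the mismatch the troubleshooting section describes.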

No password storage

When SSO is active, SensorZone never stores or handles your users’ IdP passwords. Authentication is fully delegated to your identity provider.

Organization isolation

Each brand in SensorZone has its own SSO configuration. Users authenticated via SSO are automatically scoped to their organization’s data.

Certificate and token management

  • SAML certificates should be rotated before expiration. Plan certificate renewals with your IdP administrator
  • SCIM tokens should be treated as secrets and rotated periodically
  • API tokens for tester devices are separate from SSO and managed independently

Audit trail

All SSO authentication events are logged, including:
  • Successful sign-ins
  • Failed authentication attempts
  • User provisioning events
  • Domain validation failures

Frequently asked questions

Can users still sign in with a password after SSO is enabled?

Yes. Enabling SSO does not disable password-based login. Users can sign in using whichever method they prefer. If your security policy requires SSO-only access, contact SensorZone support to disable password login for your brand.

What happens to existing users when SSO is enabled?

Existing users continue to work normally. When an existing user signs in via SSO for the first time, their account is matched by email address. No data is lost or duplicated.

Can different brands use different identity providers?

Yes. Each brand has its own SSO configuration. Brand A can use Okta while Brand B uses Azure AD.

How long does SSO setup take?

Typically 30-60 minutes for the end-to-end setup:
  • ~15 minutes to create the application in your IdP
  • ~15 minutes for SensorZone support to configure the connection
  • ~15 minutes for testing and verification

Is IdP-initiated SSO supported?

SensorZone primarily supports SP-initiated SSO (the user starts at SensorZone and is redirected to the IdP). IdP-initiated flows (starting from the IdP’s app launcher) are supported when the IdP is configured to redirect through the standard callback URL.

Can a user belong to more than one brand?

Users can be members of multiple brands. The SSO connection determines which brand they’re associated with during authentication. For users who need access to multiple brands, contact SensorZone support.

Does SSO work with multi-factor authentication?

Yes. MFA is handled by your identity provider. If your IdP requires MFA (e.g., Okta Verify, Microsoft Authenticator), users will be prompted during the IdP authentication step. SensorZone also adds its own step-up authentication for additional security.

Next steps