Enterprise Fleet SSO Setup
SigmaShake Fleet supports OIDC and SAML 2.0 single sign-on for enterprise organizations. SSO allows your team to authenticate into the Fleet dashboard and the ssg CLI using your existing identity provider.
Supported Providers
| Provider | Protocol | Status |
|---|---|---|
| Okta | OIDC | ✅ Fully supported |
| Azure AD (Entra ID) | OIDC | ✅ Fully supported |
| Google Workspace | OIDC | ✅ Fully supported |
| OneLogin | SAML 2.0 | ✅ Fully supported |
| Any OIDC-compliant IdP | OIDC | ✅ Generic setup |
| Any SAML 2.0 IdP | SAML 2.0 | ✅ Generic setup |
Prerequisites
Before configuring SSO, ensure you have:
- Enterprise license — SSO is available on the Enterprise plan only
- Fleet enabled — Your organization must have fleet access enabled
- Org admin role — Only org_admin users can configure SSO
- An active fleet session (via API or an existing SSO flow)
Quick Reference
Replace {SUBDOMAIN} with your organization's slug (e.g., sigmashake) and {ORG_ID} with your org ID (e.g., org_sigmashake). Find these by running ssg fleet status.
Fleet Dashboard URLs
| Setting | Value |
|---|---|
| OIDC Redirect URI | https://{SUBDOMAIN}.fleet.sigmashake.com/api/v1/orgs/{ORG_ID}/sso/oidc/callback |
| OIDC Login URL | https://{SUBDOMAIN}.fleet.sigmashake.com/api/v1/orgs/{ORG_ID}/sso/oidc/login |
| SAML ACS URL | https://{SUBDOMAIN}.fleet.sigmashake.com/api/v1/orgs/{ORG_ID}/sso/saml/acs |
| SAML SP Entity ID | https://{SUBDOMAIN}.fleet.sigmashake.com/api/v1/orgs/{ORG_ID}/sso/saml/metadata |
CLI Local Callback
| Setting | Value |
|---|---|
| CLI Redirect URI | http://127.0.0.1:8399/callback |
Both the Fleet dashboard redirect URI and the CLI redirect URI must be added to your identity provider's app configuration. The CLI redirect uses plain http because it points at a listener the CLI starts on the loopback interface only for the duration of the login (the standard pattern for native apps described in RFC 8252), so port 8399 must be free on the machine running the CLI. Without the CLI URI registered, the IdP rejects the CLI's authorization request and ssg auth login --sso will fail.
SSO Configuration API
Configure SSO (OIDC)
```bash
curl -X PUT https://{SUBDOMAIN}.fleet.sigmashake.com/api/v1/orgs/{ORG_ID}/sso/config \
  -H "Authorization: Bearer {SESSION_TOKEN}" \
  -H "Content-Type: application/json" \
  -d '{
    "provider": "oidc",
    "issuer_url": "https://your-domain.okta.com/oauth2/default",
    "client_id": "0oa...",
    "client_secret": "your-client-secret"
  }'
```
{SESSION_TOKEN} is the token of the active fleet session listed under Prerequisites. The client_secret is the secret your IdP issued for the Fleet OIDC application; typing it on the command line leaves it in shell history, so prefer putting the JSON in a file readable only by you and passing it with -d @oidc-config.json.
Configure SSO (SAML)
```bash
curl -X PUT https://{SUBDOMAIN}.fleet.sigmashake.com/api/v1/orgs/{ORG_ID}/sso/config \
  -H "Authorization: Bearer {SESSION_TOKEN}" \
  -H "Content-Type: application/json" \
  -d '{
    "provider": "saml",
    "idp_sso_url": "https://your-domain.okta.com/app/.../sso/saml",
    "idp_x509_cert": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----"
  }'
```
idp_x509_cert is the IdP's signing certificate, used to verify the signature on incoming assertions; when your IdP rotates that certificate, update this value or assertions signed with the new key will be rejected. On the IdP side, register the SAML ACS URL and SP Entity ID from the Quick Reference table exactly as shown.
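Before calling the configuration endpoint with an OIDC issuer, it is worth checking the issuer's discovery document: OpenID Connect Discovery 1.0 requires the `issuer` value in that document to be identical to the URL it was fetched from, and a mismatch means every token's iss claim would fail to match the configured issuer_url. The script below is an added example, not SigmaShake Fleet's own tooling; it assumes the /sso/config endpoint and payload shown above and uses a constructed discovery document so the checks run offline.

```python
"""Pre-flight an OIDC issuer and build the Fleet SSO config request.

Added example, not part of SigmaShake Fleet. Assumes the
/api/v1/orgs/{ORG_ID}/sso/config endpoint and payload documented above;
the discovery checks follow OpenID Connect Discovery 1.0.
"""
import json
import urllib.parse
import urllib.request


def discovery_url(issuer: str) -> str:
    """Well-known location of the provider metadata for an issuer."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def check_discovery(issuer: str, doc: dict) -> list[str]:
    """Return a list of problems; an empty list means the issuer is safe to configure.

    The key check is that the document's own `issuer` equals the URL it was
    fetched from (OIDC Discovery 1.0, section 4.3). The rest makes sure the
    endpoints exist, use https, and support the authorization code flow.
    """
    problems = []
    if doc.get("issuer") != issuer:
        problems.append(f"issuer mismatch: configured {issuer!r}, document says {doc.get('issuer')!r}")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        url = doc.get(key)
        if not url:
            problems.append(f"missing {key}")
        elif urllib.parse.urlparse(url).scheme != "https":
            problems.append(f"{key} is not https: {url}")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("provider does not advertise the authorization code flow")
    if "S256" not in doc.get("code_challenge_methods_supported", []):
        # RFC 8252 recommends PKCE for native clients such as a CLI.
        problems.append("provider does not advertise PKCE S256")
    return problems


def fetch_discovery(issuer: str, timeout: float = 10.0) -> dict:
    """Fetch the provider metadata over the network (not exercised offline)."""
    with urllib.request.urlopen(discovery_url(issuer), timeout=timeout) as resp:
        return json.load(resp)


def sso_config_request(subdomain: str, org_id: str, session_token: str,
                       config: dict) -> urllib.request.Request:
    """Build the PUT .../sso/config request without sending it (works for oidc or saml payloads)."""
    url = f"https://{subdomain}.fleet.sigmashake.com/api/v1/orgs/{org_id}/sso/config"
    return urllib.request.Request(
        url,
        data=json.dumps(config).encode(),
        method="PUT",
        headers={"Authorization": f"Bearer {session_token}",
                 "Content-Type": "application/json"},
    )


def configure_oidc(subdomain: str, org_id: str, session_token: str,
                   issuer: str, client_id: str, client_secret: str) -> int:
    """End to end: verify the issuer via discovery, then PUT the OIDC config."""
    problems = check_discovery(issuer, fetch_discovery(issuer))
    if problems:
        raise RuntimeError("refusing to configure SSO:\n  " + "\n  ".join(problems))
    req = sso_config_request(subdomain, org_id, session_token, {
        "provider": "oidc",
        "issuer_url": issuer,
        "client_id": client_id,
        "client_secret": client_secret,
    })
    with urllib.request.urlopen(req) as resp:
        return resp.status


# Constructed sample metadata, shaped like a real discovery document, for offline use.
SAMPLE_ISSUER = "https://your-domain.okta.com/oauth2/default"
SAMPLE_DISCOVERY = {
    "issuer": SAMPLE_ISSUER,
    "authorization_endpoint": SAMPLE_ISSUER + "/v1/authorize",
    "token_endpoint": SAMPLE_ISSUER + "/v1/token",
    "jwks_uri": SAMPLE_ISSUER + "/v1/keys",
    "response_types_supported": ["code", "id_token"],
    "code_challenge_methods_supported": ["S256"],
}

if __name__ == "__main__":
    print(check_discovery(SAMPLE_ISSUER, SAMPLE_DISCOVERY))   # []
    print(check_discovery("https://other.example.com", SAMPLE_DISCOVERY)[0])
    # Live run (needs network, a session token and the IdP client credentials):
    # configure_oidc("sigmashake", "org_sigmashake", SESSION_TOKEN,
    #                SAMPLE_ISSUER, CLIENT_ID, CLIENT_SECRET)
```

The request builder is separate from the network call so the URL, method and headers can be inspected before any secret leaves the machine; read the client secret from a file or environment variable rather than a literal in the script.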
Test SSO Login
After configuration, navigate to:
https://{SUBDOMAIN}.fleet.sigmashake.com/api/v1/orgs/{ORG_ID}/sso/oidc/login
This will redirect you to your IdP. After authentication, you'll be redirected back to the Fleet agents dashboard with an active session.
CLI Authentication via SSO
Team members can authenticate the ssg CLI using their enterprise IdP:
```bash
# Interactive — prompts for issuer URL and client ID
ssg auth login --sso

# Non-interactive — useful for scripting or CI
ssg auth login --sso \
  --issuer=https://your-domain.okta.com/oauth2/default \
  --client-id=YOUR_CLIENT_ID

# Refresh license after subscription upgrade (no re-login needed)
ssg auth refresh

# Check current auth status
ssg auth status
```
Set SSG_SSO_ISSUER and SSG_SSO_CLIENT_ID to skip the interactive prompt:
```bash
export SSG_SSO_ISSUER=https://your-domain.okta.com/oauth2/default
export SSG_SSO_CLIENT_ID=0oa...
ssg auth login --sso
```
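The CLI login above and the loopback redirect URI registered earlier (http://127.0.0.1:8399/callback) fit together as an OAuth 2.0 authorization code flow for a native app: the CLI opens the IdP's authorization URL in a browser, listens on the loopback port, and receives the code on the redirect. The script below is an added example of that flow, not the ssg CLI's own code; the authorization endpoint, client ID and scopes are assumptions, and the state check and PKCE (RFC 7636) are what a practitioner would expect such a client to do, not something the page states about ssg.

```python
"""What a loopback-redirect SSO login looks like under the hood.

Added example, not the ssg CLI's own code. The authorization endpoint,
client ID and scopes are assumed; the redirect URI is the one the page
tells you to register for the CLI.
"""
import base64
import hashlib
import secrets
import urllib.parse
from http.server import BaseHTTPRequestHandler, HTTPServer

CLI_REDIRECT_URI = "http://127.0.0.1:8399/callback"  # registered on the IdP app


def pkce_challenge(verifier: str) -> str:
    """S256 code challenge per RFC 7636: BASE64URL(SHA256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def make_pkce() -> tuple[str, str]:
    """Fresh (verifier, challenge) pair; the verifier never leaves this process."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    return verifier, pkce_challenge(verifier)


def build_auth_url(authorization_endpoint: str, client_id: str, state: str, challenge: str,
                   redirect_uri: str = CLI_REDIRECT_URI,
                   scope: str = "openid profile email") -> str:
    """Authorization request URL; the IdP rejects it unless redirect_uri is registered exactly."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return authorization_endpoint + "?" + urllib.parse.urlencode(params)


def parse_callback(query: str, expected_state: str) -> str:
    """Validate the redirect back to the loopback listener and return the code.

    A state mismatch means the response was not produced by the request this
    process started (a stray or injected redirect), so it is rejected.
    """
    params = urllib.parse.parse_qs(query)
    if "error" in params:
        raise ValueError(f"IdP returned error {params['error'][0]}: "
                         f"{params.get('error_description', [''])[0]}")
    if params.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: ignoring callback")
    if "code" not in params:
        raise ValueError("callback carried no authorization code")
    return params["code"][0]


def receive_code(expected_state: str, redirect_uri: str = CLI_REDIRECT_URI) -> str:
    """One-shot HTTP listener on the loopback redirect URI; returns the code.

    Binding fails immediately if the port is already taken, which is why the
    fixed port in the registered redirect URI must be free during login.
    """
    target = urllib.parse.urlparse(redirect_uri)
    outcome: dict = {}

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            req = urllib.parse.urlparse(self.path)
            if req.path != target.path:
                self.send_error(404)
                return
            try:
                outcome["code"] = parse_callback(req.query, expected_state)
                status, body = 200, b"Login complete. You can close this tab."
            except ValueError as exc:
                outcome["error"] = exc
                status, body = 400, f"Login failed: {exc}".encode()
            self.send_response(status)
            self.send_header("Content-Type", "text/plain")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):  # keep the terminal quiet
            pass

    with HTTPServer((target.hostname, target.port), Handler) as server:
        while not outcome:
            server.handle_request()  # serves exactly one request per call
    if "error" in outcome:
        raise outcome["error"]
    return outcome["code"]


if __name__ == "__main__":
    # Hypothetical values: take the authorization endpoint from your IdP's
    # discovery document and the client ID from the app registered for the CLI.
    auth_endpoint = "https://your-domain.okta.com/oauth2/default/v1/authorize"
    verifier, challenge = make_pkce()
    state = secrets.token_urlsafe(16)
    print("Open in a browser:", build_auth_url(auth_endpoint, "YOUR_CLIENT_ID", state, challenge))
    code = receive_code(state)
    print("Got authorization code; exchange it at the token endpoint with code_verifier =", verifier)
```

Running it prints the authorization URL, blocks until the browser is redirected to 127.0.0.1:8399, and exits with the code; the token exchange (POST to the token endpoint with the code and code_verifier) is left out because its response is what the CLI stores as a session, and the page does not describe that storage.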
Provider-Specific Guides
- Okta Setup Guide →
- Azure AD (Entra ID) — Coming soon
- Google Workspace — Coming soon