This page provides documentation on integrating an Identity Provider (IdP) with Unique's authentication system, enabling a seamless and secure SSO experience for the users. Unique uses Zitadel as an Identity and Access Management (IAM) solution and various IdPs can be connected to it to allow users to login via Single Sign-On.

Supported Identity Providers

Unique supports all the IDPs that Zitadel supports in the version that is deployed on the environment where SSO will be setup. The list of supported identity providers can be found in Zitadel’s documentation in the “Configuring IdP Providers” section.

This documentation includes a guide for setting up SSO with Microsoft Entra ID, Generic OIDC and SAML, and will be expanded in the future with guides for other providers as needed.

Microsoft Entra ID (OIDC)

Prerequisites

An App Registration needs to be created in Microsoft Azure. This can be done in Azure under App registrations > New registrations.

Configure the following:

• Choose a name (e.g.: “Unique FinanceGPT”)

• Select who should have access to this application

• Redirect URL → select “Web” and enter the callback URL for the environment you’re running on

After the application has been registered, create a Client Secret by navigating to “Certificates & Secrets” and copy the value of the secret. The secret is only visible once and is needed in order to setup SSO with Unique.

Now all the information required to setup SSO for the Unique solution using Microsoft Entra ID (OIDC) is available.

These are the required values that are needed to setup SSO.

• Client ID - (found under “Application (client) ID”)

• Client Secret - (copied after creation)

• Tenant ID - (found under “Directory (tenant) ID”)

If you are running on a Unique managed environment (Multi- or Single-tenant), then this is all you need. Provide these values to Unique in a secure way (sensitive client credentials) and Unique will take care of enabling SSO for your organization.

SAML

Zitadel is able to connect to any identity provider that supports SAML. SAML can even be used in a closed network not available from the internet.

Prerequisites

You need to register a new client with your SAML provider and provide us with either the Metadata URL or the Metadata XML. In case of an internal network not reachable from the internet only the Metadata XML is possible.

How to setup Okta SAML as an example you can check here:

On the multitenant system we additionally need the E-Mail domain that the users will be using to login.

Configuring Zitadel

On the settings tab you need to ✅ Allow External Login and you need to remove all 2FA methods and Disable Username and password. The only ✅ that should be checked is for external login!

Then create a SAML SP Identity Provider. Give it a name and either paste the Metadata XML in base64 encoded form into the Metadata XML field, or give the Metadata URL in the respective field.

Choose SAML_BINDING_POST and activate:

• ✅ Signed Request

• ✅ Automatic Creation

• ✅ Automatic Update

• ✅ Account creation allowed

Do not forget to activate the new Identity Provider with the ✅ icon. Account linking should never be activated for security reasons.

Configuring SAML provider with Zitadel metadata

After configuring the SAML SP Identity Provider click on it again and check the URL. It will end with a sequence of numbers ui/console/org/provider/saml/<SAML-PROVIDER-ID>. Copy the SAML-PROVIDER-ID for the next step (the numbers).

If Zitadel is reachable from your SAML instance you can configure the following URL as Metadata URL:

• Multitenant

  • https://id.unique.app/idps/<SAML-PROVIDER-ID>/saml/metadata

• Single tenant

  • https://id.<your-tenant-name>.unique.app/idps/<SAML-PROVIDER-ID>/saml/metadata

• Customer managed tenant

  • https://<custom-unique-zitadel-url>/idps/<SAML-PROVIDER-ID>/saml/metadata

If it is not reachable you either get the Metadata XML from us or you can download it from the respective URL above and configure it in your SAML IDP.