Enterprise SSO

Let members sign in through your identity provider via OIDC or SAML, with email-domain routing. Active Directory connects through AD FS or Entra ID.

Enterprise SSO lets your members authenticate through your own IdP instead of a backlex password. Configure it under Settings → Enterprise SSO (or the API). Both OIDC and SAML are supported.

Set an email domain (e.g. acme.com) and the sign-in page offers “Sign in with SSO” for anyone using that domain, routing them to your IdP. New members provisioned through SSO get a configurable default role.

For OIDC, provide the issuer, client ID, client secret, and optional scopes. Give your IdP the redirect URI shown in settings:

https://cloud.backlex.com/api/sso/callback
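A pre-flight check for the OIDC values above, as an added example (not backlex code): it compares the issuer you plan to enter with the IdP's discovery document (`<issuer>/.well-known/openid-configuration`) and confirms the redirect URI was registered exactly. The issuer `idp.acme.example`, the sample document and the function names are constructed, and the authorization code flow is an assumption.

```python
import json
from urllib.parse import urlsplit

# Redirect URI shown in the backlex settings page (from the text above).
BACKLEX_REDIRECT_URI = "https://cloud.backlex.com/api/sso/callback"

# Constructed sample of an IdP discovery document (hypothetical issuer).
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idp.acme.example",
    "authorization_endpoint": "https://idp.acme.example/authorize",
    "token_endpoint": "https://idp.acme.example/token",
    "jwks_uri": "https://idp.acme.example/jwks",
    "response_types_supported": ["code"],
    "scopes_supported": ["openid", "email", "profile"],
})

def _is_https(url):
    parts = urlsplit(url)
    return parts.scheme == "https" and bool(parts.hostname)

def preflight_oidc(issuer, discovery_json, registered_redirects, scopes=()):
    """Return a list of problems; an empty list means the values are consistent."""
    problems = []
    doc = json.loads(discovery_json)
    if not _is_https(issuer):
        problems.append("issuer must be an https URL")
    # OIDC Discovery requires the document's issuer to equal the configured
    # issuer exactly; a trailing slash or different host is a mismatch.
    if doc.get("issuer") != issuer:
        problems.append(f"issuer mismatch: document says {doc.get('issuer')!r}")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if not _is_https(str(doc.get(key) or "")):
            problems.append(f"{key} missing or not https")
    # Assumption: an integration with a client secret uses the code flow.
    if "code" not in doc.get("response_types_supported", []):
        problems.append("IdP does not advertise the authorization code flow")
    advertised = doc.get("scopes_supported")
    if advertised:
        for scope in scopes:
            if scope not in advertised:
                problems.append(f"scope {scope!r} not advertised by the IdP")
    # Redirect URIs are compared as exact strings, so scheme, host, path and
    # trailing slash must all match what the settings page shows.
    if BACKLEX_REDIRECT_URI not in registered_redirects:
        problems.append("redirect URI not registered exactly as shown in settings")
    return problems
```

Pass the list of redirect URIs you entered in the IdP's client configuration as `registered_redirects`; any returned problem should be fixed at the IdP or in the settings form before enabling SSO.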

For SAML, provide your IdP entity ID, SSO URL, and signing certificate (PEM). Give your IdP the ACS URL and SP entity ID shown in settings:

ACS URL: https://cloud.backlex.com/api/sso/saml/<org>/acs
SP entity ID: https://cloud.backlex.com/api/sso/saml/<org>/metadata

For Active Directory, there is no direct LDAP integration; the standard path (the same one Cloudflare Access uses) is to front AD with one of:

  • AD FS — connect via SAML; AD FS maps LDAP attributes to claims.
  • Entra ID / Azure AD — connect via OIDC.

Both work with the options above; no LDAP polling required.

Configuring and disabling SSO requires the admin role. Provision members automatically with SCIM.