SSO setup
Register your identity provider, validate access boundaries, and issue governed sessions.
How to use
1. Gather provider metadata
Collect issuer, client ID, and metadata URL from your IdP.
2. Register provider
Create the provider entry and enable it in Gvner.
3. Map roles
Map IdP roles to Gvner capabilities and approvals.
4. Issue test session
Create a governed session and verify that its ledger entry was written.
5. Export evidence
Export provider registry + session receipt for audit.
Prerequisites
Tenant token with identity scopes
Provider metadata (issuer, client ID)
Role mapping policy in place
Register provider
POST /sso/providers
{
"tenant_id": "acme",
"provider_id": "okta-main",
"provider_type": "oidc",
"issuer": "https://example.okta.com",
"client_id": "client_123",
"metadata_url": "https://example.okta.com/.well-known/openid-configuration",
"enabled": true
}
Issue a governed session
POST /sso/session
{
"tenant_id": "acme",
"provider_id": "okta-main",
"subject": "user@acme.com",
"roles": ["compliance", "auditor"],
"sso_token": "",
"mfa_ok": true
}
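The two request bodies above are what the endpoints accept, but nothing on the page checks them before they are sent. The following added example (not Gvner's own code or client) covers steps 1 to 4 of the procedure: it validates a provider entry against the IdP's discovery document before POST /sso/providers, maps IdP roles through a role policy, and refuses to build a POST /sso/session body without MFA, a token, or a complete role mapping. The discovery document, the role policy, and the validation rules are assumptions constructed for illustration; only the two request shapes come from the page. The issuer check follows OpenID Connect Discovery, which requires the issuer in the discovery document to equal the issuer URL exactly.

```python
"""Pre-flight checks for registering an OIDC provider and issuing a governed
session, using the request shapes of POST /sso/providers and POST /sso/session.

Added example: the discovery document, role policy and rules below are
constructed for illustration and are not part of Gvner.
"""
import json
from urllib.parse import urlparse

# Constructed sample of what metadata_url would return (OpenID Connect
# discovery document); only the fields used here are included.
SAMPLE_DISCOVERY = {
    "issuer": "https://example.okta.com",
    "authorization_endpoint": "https://example.okta.com/oauth2/v1/authorize",
    "token_endpoint": "https://example.okta.com/oauth2/v1/token",
    "jwks_uri": "https://example.okta.com/oauth2/v1/keys",
}

# Constructed role mapping policy: IdP role -> Gvner capabilities (assumed names).
ROLE_POLICY = {
    "compliance": ["ledger.read", "evidence.export"],
    "auditor": ["ledger.read"],
}


def validate_provider(entry, discovery):
    """Return a list of problems; an empty list means the entry is safe to POST."""
    problems = []
    issuer = urlparse(entry.get("issuer", ""))
    metadata = urlparse(entry.get("metadata_url", ""))
    if issuer.scheme != "https" or not issuer.netloc:
        problems.append("issuer must be an https URL")
    if metadata.scheme != "https" or not metadata.netloc:
        problems.append("metadata_url must be an https URL")
    # The discovery document must be served by the issuer itself; otherwise a
    # different host could supply the endpoints and signing keys for this provider.
    if issuer.netloc and metadata.netloc != issuer.netloc:
        problems.append("metadata_url host does not match issuer host")
    # OIDC Discovery requires the document's issuer to equal the issuer URL
    # exactly; a mismatch means tokens would be checked against the wrong issuer.
    if discovery.get("issuer") != entry.get("issuer"):
        problems.append("discovery document issuer != registered issuer")
    if entry.get("provider_type") != "oidc":  # the only type shown on the page
        problems.append("unsupported provider_type")
    if not entry.get("client_id"):
        problems.append("client_id is empty")
    return problems


def map_roles(idp_roles, policy=ROLE_POLICY):
    """Map IdP roles to capabilities; unmapped roles are reported, not silently dropped."""
    capabilities, unmapped = set(), []
    for role in idp_roles:
        if role in policy:
            capabilities.update(policy[role])
        else:
            unmapped.append(role)
    return sorted(capabilities), unmapped


def build_session_request(tenant_id, provider_id, subject, idp_roles, sso_token, mfa_ok):
    """Build the POST /sso/session body, refusing unsafe inputs up front."""
    if not mfa_ok:
        raise ValueError("refusing to issue a session without MFA")
    if not sso_token:
        raise ValueError("sso_token is required")
    _, unmapped = map_roles(idp_roles)
    if unmapped:
        raise ValueError(f"unmapped IdP roles: {unmapped}")
    return {
        "tenant_id": tenant_id,
        "provider_id": provider_id,
        "subject": subject,
        "roles": list(idp_roles),  # every role here has a mapping in ROLE_POLICY
        "sso_token": sso_token,
        "mfa_ok": True,
    }


if __name__ == "__main__":
    provider = {
        "tenant_id": "acme", "provider_id": "okta-main", "provider_type": "oidc",
        "issuer": "https://example.okta.com", "client_id": "client_123",
        "metadata_url": "https://example.okta.com/.well-known/openid-configuration",
        "enabled": True,
    }
    print("provider problems:", validate_provider(provider, SAMPLE_DISCOVERY))
    body = build_session_request("acme", "okta-main", "user@acme.com",
                                 ["compliance", "auditor"], "<sso token placeholder>", True)
    print(json.dumps(body, indent=2))
```

In a real deployment the discovery document would be fetched over TLS from metadata_url and passed to validate_provider; keeping the fetch out of the function makes the checks testable offline and keeps the issuer comparison explicit rather than buried in an HTTP client.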
Operational checks
Verify provider enabled
Export provider registry
Review identity ledger
Rotate provider secrets quarterly
Enforce session policy TTL
Export identity packet
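The checklist above is easier to apply consistently when it runs over the exported artifacts rather than being ticked off by hand. The following added example (not Gvner's own tooling) implements the checks against a constructed provider registry snapshot and a constructed set of session receipts: provider enabled, provider secret rotated within 90 days, session issued by an enabled provider with MFA, session TTL within policy, and a ledger entry present. The field names secret_rotated_at, issued_at, expires_at and ledger_entry, the 8-hour TTL policy and the sample records are assumptions; the page only names the exports and the checks.

```python
"""Operational checks over a provider registry snapshot and session receipts.

Added example: the record shapes, the TTL policy and the sample data are
constructed here and are not Gvner's export format.
"""
from datetime import datetime, timedelta, timezone

MAX_SECRET_AGE = timedelta(days=90)   # "rotate provider secrets quarterly"
MAX_SESSION_TTL = timedelta(hours=8)  # assumed session policy TTL


def _ts(s):
    """Parse a constructed ISO-8601 UTC timestamp."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


AS_OF = _ts("2024-03-01T12:00:00Z")  # constructed review time

# Constructed registry snapshot; secret_rotated_at is an assumed field.
REGISTRY_SNAPSHOT = [
    {"provider_id": "okta-main", "enabled": True, "secret_rotated_at": "2024-01-10T00:00:00Z"},
    {"provider_id": "okta-legacy", "enabled": False, "secret_rotated_at": "2023-06-01T00:00:00Z"},
]

# Constructed session receipts; ledger_entry is assumed to reference the identity ledger.
SESSION_RECEIPTS = [
    {"provider_id": "okta-main", "subject": "user@acme.com", "mfa_ok": True,
     "issued_at": "2024-03-01T09:00:00Z", "expires_at": "2024-03-01T17:00:00Z",
     "ledger_entry": "ledger-0001"},
    {"provider_id": "okta-main", "subject": "svc@acme.com", "mfa_ok": True,
     "issued_at": "2024-03-01T09:00:00Z", "expires_at": "2024-03-02T09:00:00Z",
     "ledger_entry": None},
    {"provider_id": "okta-legacy", "subject": "old@acme.com", "mfa_ok": False,
     "issued_at": "2024-03-01T09:00:00Z", "expires_at": "2024-03-01T10:00:00Z",
     "ledger_entry": "ledger-0002"},
]


def check_registry(snapshot, now=AS_OF):
    """Flag disabled providers and secrets older than the rotation policy."""
    findings = []
    for p in snapshot:
        if not p["enabled"]:
            findings.append(f"{p['provider_id']}: provider disabled")
        if now - _ts(p["secret_rotated_at"]) > MAX_SECRET_AGE:
            findings.append(f"{p['provider_id']}: secret older than {MAX_SECRET_AGE.days} days")
    return findings


def check_sessions(receipts, snapshot):
    """Flag sessions that violate provider state, MFA, TTL or ledger requirements."""
    enabled = {p["provider_id"] for p in snapshot if p["enabled"]}
    findings = []
    for r in receipts:
        who = f"{r['subject']} via {r['provider_id']}"
        if r["provider_id"] not in enabled:
            findings.append(f"{who}: session from a provider that is not enabled")
        if not r["mfa_ok"]:
            findings.append(f"{who}: session issued without MFA")
        ttl = _ts(r["expires_at"]) - _ts(r["issued_at"])
        if ttl > MAX_SESSION_TTL:
            findings.append(f"{who}: TTL {ttl} exceeds policy {MAX_SESSION_TTL}")
        if not r.get("ledger_entry"):
            findings.append(f"{who}: no identity ledger entry")
    return findings


if __name__ == "__main__":
    for line in check_registry(REGISTRY_SNAPSHOT) + check_sessions(SESSION_RECEIPTS, REGISTRY_SNAPSHOT):
        print(line)
```

Each finding names the provider or subject it concerns, so the output can be attached to the exported identity packet as the record of what was reviewed and when.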
Key API endpoints
POST /sso/providers — register provider
POST /sso/session — issue session
Evidence outputs
Provider registry snapshot
Session receipts