Single sign-on (SAML)

Let your team sign in to PrimDB through your identity provider with SAML 2.0. A flat $30 organization add-on that also unlocks audit-trail export.

Connect Okta, Microsoft Entra ID, Google Workspace, or any SAML 2.0 identity provider and your whole team signs in to PrimDB through it, keyed by your email domain. SSO is a flat $30 organization add-on, not an enterprise-only upsell, and it is priced the same whether you have three seats or three hundred.

Honest note. This is SSO for your PrimDB platform login (you and your collaborators), not the built-in auth you ship to your own app’s end-users. The add-on also unlocks account-level audit-trail export.

1. Enable the add-on

On the billing page, turn on the SSO / compliance add-on. Configuring a domain is gated on it being enabled, and the $30 shows in your live running total before anything is charged.

2. Connect your identity provider

In account Settings → Single sign-on, add your organization’s email domain and paste the details from your IdP:

  • Email domain — e.g. acme.com. Members signing in with an address at this domain are routed to your IdP.
  • IdP Entity ID (Issuer) — from your IdP’s SAML metadata.
  • IdP SSO URL — the sign-in endpoint your IdP publishes.
  • IdP signing certificate — the X.509 public certificate (PEM). PrimDB validates every assertion against it.

3. Register PrimDB with your IdP

Your IdP needs to know PrimDB as a service provider. The Settings page shows these with copy buttons; the metadata URL serves standard SP metadata XML.

FieldValue
SP Entity ID / Metadata URLhttps://dash.primdb.com/api/sso/metadata
ACS (Reply) URLhttps://dash.primdb.com/api/sso/acs
Sign-in URL (per domain)https://dash.primdb.com/api/sso/login?domain=acme.com

How sign-in works

  1. A member opens the sign-in URL for your domain.
  2. PrimDB builds a SAML request and redirects them to your IdP.
  3. Your IdP authenticates them and posts a signed assertion back to the ACS URL.
  4. PrimDB validates the signature against your pinned certificate, confirms the email is at your domain, and starts a session.

Honest note. Security: PrimDB only accepts assertions signed by the certificate you configured, and only for identities whose email is at your registered domain. An assertion for any other domain is rejected.

Audit-trail export

The same add-on unlocks account-level audit-log export: download every deploy, secret reveal, member change, and security event across all the projects you own, as CSV or JSON, from account Settings.

Supported providers

  • Okta
  • Microsoft Entra ID (Azure AD)
  • Google Workspace
  • OneLogin, JumpCloud, and any other SAML 2.0 identity provider

View as Markdown