Supported Identity Providers
Draftt supports any identity provider that implements SAML 2.0 or OIDC. The following providers are tested and documented.
Okta
Microsoft Entra ID
Google Workspace
Microsoft AD FS
PingFederate
PingOne
OneLogin
Keycloak
JumpCloud
Auth0
CyberArk
Descope
Duo
ClassLink
LastPass
miniOrange
Salesforce
How It Works
When SSO is enabled for your organization:
- Users who visit app.draftt.io and enter their work email are redirected to your IdP.
- Your IdP authenticates them and returns a signed assertion (SAML) or ID token (OIDC) to Draftt.
- Draftt validates the assertion, resolves the user, and creates an authenticated session.
- If Just-in-Time (JIT) provisioning is enabled, first-time users are automatically created in Draftt with a default role.
Once SSO is enforced for your organization, password-based login is disabled. All users must authenticate through your IdP.
Configuration
To enable SSO for your organization, go to Account Settings > Authentication in Draftt. Click Configure SSO and follow the on-screen instructions. Draftt’s setup flow guides you through the IdP-specific metadata exchange and lets you test authentication before enforcing it.
Just-in-Time (JIT) Provisioning
When JIT provisioning is enabled, users who successfully authenticate via SSO for the first time are automatically created in Draftt. You configure:
- Default role - The role assigned to JIT-provisioned users. Typically Developer or Viewer.
- Domain allowlist - Only email addresses matching your configured domains are provisioned. Prevents authentication from external addresses that might exist in your IdP.
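The first-login decision described above, as an added example (not Draftt's code): a hypothetical helper that applies an exact-match domain allowlist and a default role to an email taken from an already validated assertion or ID token. The names `JitPolicy`, `email_domain` and `jit_decision`, and the rule that existing users skip the allowlist check, are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class JitPolicy:
    allowed_domains: frozenset  # exact domains, stored lowercased
    default_role: str           # e.g. "Viewer"

def email_domain(email):
    """Return the lowercased domain of `email`, or None if it is not one local@domain pair."""
    if any(ch.isspace() for ch in email):
        return None
    local, sep, domain = email.rpartition("@")
    # Reject a second "@" outright: "a@example.com@evil.test" must not be read as example.com.
    if not sep or not local or not domain or "@" in local:
        return None
    return domain.lower()

def jit_decision(email, policy, existing_users):
    """Decide the outcome for an email taken from an already validated assertion or ID token.

    existing_users maps lowercased email -> role (assumption: emails compare case-insensitively).
    """
    domain = email_domain(email)
    if domain is None:
        return ("deny", None)
    key = email.lower()
    if key in existing_users:
        return ("login", existing_users[key])
    # Exact set membership: suffix or substring tests would admit lookalike domains.
    if domain not in policy.allowed_domains:
        return ("deny", None)
    return ("provision", policy.default_role)

if __name__ == "__main__":
    policy = JitPolicy(frozenset({"example.com"}), "Viewer")  # constructed sample policy
    users = {"dev@example.com": "Developer"}                  # constructed sample directory
    for addr in ["dev@example.com", "New.Hire@Example.COM", "x@evil-example.com",
                 "x@example.com.evil.test", "x@sub.example.com", "a@example.com@evil.test"]:
        print(addr, "->", jit_decision(addr, policy, users))
```

Subdomains are denied here because matching is exact; list each subdomain explicitly if users there should be provisioned.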
Next Steps
- Configure SCIM Provisioning to automate user lifecycle management
- Review Roles & Permissions to confirm the right default role for JIT-provisioned users