Configure Instance SSO

Single Sign-On (SSO) allows users to log in to Reemo using their existing company credentials, without the need to manage additional passwords.

This integration improves both security and ease of use, while enabling administrators to enforce authentication and compliance policies in a centralized manner.

Reemo supports several SSO integration methods:

  • SAML (Security Assertion Markup Language) is an open standard that allows a service provider (here Reemo) to trust an identity provider for user authentication. This is the most common method for SSO in web applications. Examples of providers: Microsoft Entra ID (Azure AD), Okta, Google Workspace, Auth0.

  • LDAP (Lightweight Directory Access Protocol) is a protocol used to query and modify directory services. It is often used for centralized authentication by connecting to an existing company directory. Examples of providers: Microsoft Active Directory, OpenLDAP.

Each method requires specific configuration both in Reemo and on the identity provider side. To set this up, go to the SSO Connectors menu of your instance.

Creation Guides

  • Configure via LDAP: Set up an SSO connector linked to an LDAP directory (../guides/ldap.html)

  • SAML with Azure AD: Set up an SSO connector with Azure AD (../guides/saml-azure.html)

  • SAML with Okta: Set up an SSO connector with Okta (../guides/saml-okta.html)

Advanced Options

When configuring an SSO connector, advanced options allow you to automate user management and resource assignment:

Just In Time Provisioning

By enabling Just In Time Provisioning, users from the SAML server are automatically created in Reemo upon their first successful login, even if they were not manually added by an administrator.
This greatly simplifies deployment since no prior action is required to provision accounts.

Note

When enabling JIT, you will be prompted to choose which organization users will be attached to. Make sure you have created the corresponding organization beforehand. You can always go back and edit your SSO connector later.

Automatic Collection Mapping

The Extra Mapping section allows you to define rules to automatically assign users to container collections, based on attributes returned by the SAML identity provider.

  • SAML field to map: name of the attribute (e.g. department, group, etc.).

  • Match type: evaluation mode (e.g. REGEX to apply a regular expression).

  • Expected value: the value or pattern that, when present in the attribute, triggers association with the chosen collection (e.g. internet).

This automates access: a user whose SAML attribute matches the defined rule will automatically be added to the relevant collection.

Example: if the SAML attribute department matches the value internet, the user will automatically be added to the Internet Navigation collection, provided that collection has internet as its identifier.
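The following sketch is an added example, not Reemo's code. It models how a REGEX mapping rule could be evaluated against SAML attributes, and compares an unanchored pattern with an anchored one so you can check who a rule would place in a collection before enabling it. Assumptions: the pattern is matched anywhere in the attribute value, attributes may be multi-valued, and the rule layout, function names and sample users are constructed for illustration.

```python
import re

# Constructed rules in the shape of the Extra Mapping form:
# (SAML field to map, match type, expected value, collection identifier).
# Only REGEX is named on the page; match-anywhere semantics are an assumption.
LOOSE_RULES = [("department", "REGEX", "internet", "internet")]
STRICT_RULES = [("department", "REGEX", r"^internet$", "internet")]

def collections_for(attributes, rules):
    """Return the sorted collection identifiers a user would be added to."""
    matched = set()
    for field, match_type, expected, collection in rules:
        if match_type != "REGEX":
            raise ValueError(f"unsupported match type: {match_type}")
        values = attributes.get(field, [])
        if isinstance(values, str):
            values = [values]  # an attribute may carry one value or several
        pattern = re.compile(expected)
        if any(pattern.search(value) for value in values):
            matched.add(collection)
    return sorted(matched)

def audit(users, rules):
    """Map each user name to the collections the rules would grant."""
    return {name: collections_for(attrs, rules) for name, attrs in users.items()}

# Constructed sample attributes, as they might arrive in SAML assertions.
SAMPLE_USERS = {
    "alice": {"department": ["internet"]},
    "bob": {"department": ["no-internet-access"]},  # contains the word only
    "carol": {"department": ["finance", "internet"]},  # multi-valued
    "dave": {"group": ["internet"]},  # right value, wrong field
}

if __name__ == "__main__":
    for label, rules in (("loose", LOOSE_RULES), ("strict", STRICT_RULES)):
        print(label, audit(SAMPLE_USERS, rules))
```

Under these assumptions the unanchored pattern also assigns bob to the collection, while the anchored pattern limits the match to the exact value.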