https://your-domain.com/sso/<slug> — and from there are redirected straight to the IdP.
What enterprise SSO does for you
- Single sign-on across your organization. If the user is already signed in at the IdP, they reach Pria without seeing a Pria login form.
- Centralised account lifecycle. Disable the user at the IdP and they can no longer reach Pria. No Pria-side password to rotate.
- IdP-enforced security. MFA, conditional access, IP allowlists, and device posture are all evaluated at the IdP. Pria inherits whatever the IdP says.
- Just-in-time user provisioning. The first time a user signs in with SSO, Pria automatically creates their account and enrols them in the linked institution. No bulk import step required.
Supported protocols
For OAuth2/OIDC, Pria runs the Authorization Code flow: the user is redirected to the IdP, signs in, and is redirected back with a one-time
code. Pria exchanges the code for an access token server-to-server and reads the user profile from the IdP’s userinfo endpoint.
Setting up an OAuth2 / OIDC provider
1
Register Pria as an application in your IdP
In your IdP’s admin console, create a new OIDC web application (sometimes called Web App, Regular Web Application, or Confidential Client). You’ll get back a Client ID and Client Secret.Register Pria’s callback URL with the IdP:Where
<slug> is the short identifier you’ll choose in step 2 (e.g. acme-okta, myuniversity). The callback URL must match exactly what you’ll register on the Pria side, including capitalisation and trailing characters.2
Create the provider in Pria
In Pria, go to Admin → SSO Providers and click Add SSO Provider. (You need the
sso.add admin entitlement — see SSO Providers.)Pick the institution this provider belongs to. Each institution can have one SSO provider.3
Set the slug and label
The slug is the public route: users will sign in at
https://your-domain.com/sso/acme-okta.4
Configure the OAuth2 endpoints
5
Configure field mapping
Pria reads three fields from the IdP’s
userinfo response: email, first name, last name. Defaults match standard OIDC claims:Override these only if your IdP uses non-standard claim names (e.g.
mail instead of email, firstName instead of given_name).6
Enable and test
Toggle Enabled on, save, and visit
https://your-domain.com/sso/<slug> in an incognito window. You should be redirected to the IdP, sign in, and land back in Pria.Use the Test button in the admin UI to verify connectivity to the Token Host before doing the round-trip test.Just-in-time user provisioning
When a user signs in via SSO and Pria doesn’t have a matching account, it creates one automatically using the email returned by the IdP and enrols the user in the institution attached to the SSO provider. No bulk import or pre-provisioning step is required. If an account with that email already exists (e.g. the user previously signed up with email + password), it’s reused — the SSO sign-in becomes another login method for the same account, and the user is enrolled in the institution.Just-in-time provisioning only creates the user record. It does not assign admin entitlements. New users are normal members of the institution; an existing admin must promote them if needed.
Disabling a provider without deleting it
You can flip the Enabled toggle off at any time. The provider configuration is preserved (client ID, secret, endpoint URLs, field mapping) but the SSO URL stops working: visitors see a red banner readingSSO provider '<slug>' is currently disabled.
This is the right move for an emergency shutoff, a maintenance window, or while you migrate the IdP-side configuration. To re-enable, just flip the toggle back on.
Deleting the provider entirely removes the configuration. Existing SSO-provisioned users keep their Pria accounts — they just can’t sign in via this provider anymore. They can still sign in by any other method tied to their email (e.g. a password they set, social login).
Multiple SSO providers per institution
Each institution can have one SSO provider configured at a time. If your institution needs to authenticate via two different IdPs (e.g. an Okta tenant for staff and a separate Auth0 tenant for contractors), the standard pattern is to:- Create two separate institutions in Pria, one per IdP.
- Attach a different SSO provider to each.
- Decide whether to grant some users membership in both institutions, depending on access requirements.
Sample IdP setups
Okta (OIDC)
Okta (OIDC)
- In the Okta admin console, Applications → Create App Integration → OIDC - OpenID Connect → Web Application.
- Sign-in redirect URIs:
https://your-domain.com/sso/<slug>. - Grant type: Authorization Code (enabled by default).
- Copy the Client ID and Client Secret from the app’s General tab.
Default field mapping (
email, given_name, family_name) works as-is with Okta.Microsoft Entra ID (formerly Azure AD)
Microsoft Entra ID (formerly Azure AD)
- In the Entra admin centre, App registrations → New registration. Set Redirect URI (Web) to
https://your-domain.com/sso/<slug>. - Under Certificates & secrets, create a new client secret. Copy the value immediately — it isn’t shown again.
- Under API permissions, add Microsoft Graph delegated permissions:
openid,profile,email. - Note the Application (client) ID and the Directory (tenant) ID.
Default field mapping works for Entra ID’s OIDC userinfo response.
Auth0
Auth0
- In the Auth0 dashboard, Applications → Create Application → Regular Web Applications.
- Allowed Callback URLs:
https://your-domain.com/sso/<slug>. - Copy the Client ID and Client Secret from the application’s Settings tab.
Default field mapping works with Auth0.
Google Workspace (OIDC)
Google Workspace (OIDC)
- In Google Cloud Console → APIs & Services → Credentials, create an OAuth 2.0 Client ID of type Web application.
- Authorized redirect URIs:
https://your-domain.com/sso/<slug>. - Copy the Client ID and Client Secret.
For a simpler integration that also lets users authorise Gmail/Drive/Calendar, prefer the Google Workspace integration — it covers more ground than a vanilla OIDC SSO setup.
Common errors
For other failures, look at the IdP-side log first — it will tell you whether the token request even reached the IdP and what was wrong with it.