Single sign-on (SAML + SCIM)
Enterprise
Sign in to Hjarni with your work account through Okta, Microsoft Entra, Auth0, OneLogin, or any SAML 2.0 IdP. Sync users automatically with SCIM (optional).
Overview
Hjarni implements SAML 2.0 for login. Your IdP authenticates the user. Hjarni trusts the signed assertion.
SCIM 2.0 is optional for provisioning. Your IdP pushes user create, update, and deactivate calls to Hjarni. Accounts stay in sync without anyone logging in first.
SSO is configured per team. Enable it for one team and leave others on password, Google, or GitHub login. Or require SSO for everyone on a team.
Requirements
Configure your IdP
In your IdP, create a new SAML 2.0 application using the service-provider details below. Replace <team_id> with the numeric ID of your Hjarni team (visible in the address bar when you open Team settings > SSO).
ACS (callback) URL, where the IdP posts the SAML response:
https://hjarni.com/auth/saml/<team_id>/callback
Okta calls this "Single sign on URL". Entra calls it "Reply URL". Auth0 calls it "Application Callback URL".
SP Entity ID (also the SP metadata URL):
https://hjarni.com/auth/saml/<team_id>/metadata
Okta calls this "Audience URI (SP Entity ID)". Entra calls it "Identifier (Entity ID)". Auth0 has an audience key in the SAML2 addon JSON.
If your IdP supports SP metadata import, point it at the SP metadata XML URL above instead of typing each field by hand.
Attribute statements
Hjarni reads the user's email from the SAML assertion. Any of these attribute names work out of the box:
- email: common in Okta, Auth0, OneLogin.
- http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress: Microsoft Entra, ADFS, Auth0 (default mapping).
- urn:oid:0.9.2342.19200300.100.1.3: LDAP / OID style.
No extra attribute mapping is required for the major providers. Optional givenName and surname are read under the same naming styles.
Configure Hjarni
From your IdP's setup page, copy three values:
- IdP SSO URL. Where Hjarni sends users to authenticate.
- IdP Entity ID / Issuer. Identifies the signing source.
- X.509 Certificate (PEM). Verifies the signed assertion.
Where to find each, by provider:
| Provider | Where to look |
|---|---|
| Okta | App > Sign On tab > SAML Setup > View SAML setup instructions. Copy "Identity Provider Single Sign-On URL", "Identity Provider Issuer", and the X.509 Certificate. |
| Microsoft Entra | Enterprise app > Single sign-on > section 3 (SAML Certificates) for the cert, section 4 (Set up <app name>) for "Login URL" (SSO URL) and "Microsoft Entra Identifier" (Issuer). |
| Auth0 | Application > Addons > SAML2 Web App > Usage tab. Copy "Identity Provider Login URL", "Issuer", and click Download on the certificate. |
| OneLogin | App > SSO tab. Copy "SAML 2.0 Endpoint (HTTP)", "Issuer URL", and download "X.509 Certificate". |
In Hjarni, go to your team > SSO (or visit /teams/<team_id>/sso) and paste the three values. Two optional fields:
- Email domain. Enables /sso discovery: members type their work email and Hjarni routes them to your IdP. It also double-checks that the asserted email matches this domain.
- Require SSO. See Enforce SSO below. Leave off for the first test.
Save. The SP details on the right of the page now show the URLs to hand to your IdP admin if you haven't already.
Test login
- Make sure your test user exists in your IdP and has been assigned to the Hjarni application.
- Open an incognito window (so you start with no Hjarni session).
- Visit https://hjarni.com/sso, enter the user's work email, click Continue.
- Your IdP's login screen appears. Authenticate.
- You should land on the Hjarni dashboard as that user, automatically added to the team.
If you assign a new user in the IdP after the team is set up, the next login will just-in-time provision them. No manual invite needed.
Enforce SSO
Once SSO is working for at least one team owner, you can require it for all team members. With Require SSO on:
- Password, Google, and GitHub logins are blocked for anyone on the team. They get redirected to /sso with a "your team requires SSO" message.
- Adding the user to your IdP becomes the only way to grant Hjarni access.
- Removing the user from your IdP (or sending active: false via SCIM) is the only way to revoke it.
Turn this on only after a successful SSO test as the team owner. If the IdP is misconfigured, enforcement can lock everyone out of the team. Including you.
SCIM provisioning (optional)
SCIM lets your IdP push user lifecycle changes to Hjarni without anyone needing to log in first. New hires get a seat the day they're added in Okta. Offboarded employees lose access the second they're removed.
Mint a bearer token
In Hjarni, go to your team > SCIM (or /teams/<team_id>/scim_tokens) and click Generate token. The token is shown once. Copy it immediately.
Hand it to your IdP
In your IdP's provisioning settings, enter the SCIM base URL and the token. The token travels in the HTTP Authorization header:
Base URL: https://hjarni.com/scim/v2
Authorization: Bearer <token>
What's supported
- Users: full lifecycle. POST creates, PATCH updates, active: false or DELETE removes the team membership. The underlying account survives in case the user is in other teams.
- Filters: userName eq, externalId eq, emails eq.
- Groups: returned as an empty list. We don't sync groups to team roles in v1. Promote owners manually in the Hjarni UI.
Test it without an IdP
```bash
curl -X POST https://hjarni.com/scim/v2/Users \
  -H "Authorization: Bearer YOUR_SCIM_TOKEN" \
  -H "Content-Type: application/scim+json" \
  -d '{
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "userName": "alice@bigco.com",
    "externalId": "okta-12345",
    "active": true
  }'
```
Troubleshooting
"Callback URL mismatch" on the IdP error page
Your IdP doesn't recognize the URL Hjarni is sending. The fix is in your IdP: open the SAML application's settings and confirm the Application Callback URL field contains exactly:
https://hjarni.com/auth/saml/<team_id>/callback
Watch for typos in the protocol (must be https://), the team_id, and trailing slashes.
"Audience mismatch" or "Invalid audience"
Your IdP's audience setting must match the SP entity ID exactly:
https://hjarni.com/auth/saml/<team_id>/metadata
Not the team's homepage, not the SSO URL, not with a trailing slash. The metadata URL.
"We couldn't find SSO for that email domain"
The email_domain field on the Hjarni SSO page doesn't match the domain of the email you entered. Either correct the field or visit /auth/saml/<team_id> directly via the team's login link.
"Sign in with SSO failed"
Hjarni rejected the IdP's response. The internal audit log records the exact reason. Possible values:
- missing_email. The IdP didn't send the email under any of the supported claim names. Add an attribute statement that maps the user's email to one of the names listed under "Attribute statements" above.
- email_domain_mismatch. The asserted email's domain doesn't match the team's configured email_domain. Either correct the field or remove it.
- name_id_conflict. The asserted NameID doesn't match the one originally bound to that team membership. Treated as a potential takeover and rejected. Email support if a legitimate IdP migration triggered this.
The audit log isn't exposed in the UI yet. Email support with your team name and a rough timestamp and we'll read the rejection reason out for you.
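The three rejection reasons above, together with the attribute names under "Attribute statements" and the exact-match rule under "Audience mismatch", as an added example that is not Hjarni's code: a check run over a constructed, unsigned SAML Response. It assumes the XML signature has already been verified before these checks run. The reason strings missing_email, email_domain_mismatch and name_id_conflict are the audit-log values listed above; audience_mismatch and missing_assertion are names this example makes up for the other two failures.

```python
# Added example, not Hjarni's code. Post-signature checks over a SAML Response;
# assumes the XML signature has already been verified. Reason strings
# "audience_mismatch" and "missing_assertion" are this example's own names.
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Attribute names the email is read from, per "Attribute statements".
EMAIL_ATTRS = (
    "email",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "urn:oid:0.9.2342.19200300.100.1.3",
)


def sp_entity_id(team_id):
    return f"https://hjarni.com/auth/saml/{team_id}/metadata"


def extract_email(assertion):
    """First non-empty value under any accepted attribute name, else None."""
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") in EMAIL_ATTRS:
            val = attr.find("saml:AttributeValue", NS)
            if val is not None and val.text and val.text.strip():
                return val.text.strip()
    return None


def validate(response_xml, team_id, email_domain=None, bound_name_id=None):
    """Return (True, email) on success or (False, reason) on rejection."""
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return False, "missing_assertion"

    # Audience must equal the SP entity ID byte for byte (no trailing slash).
    audiences = [
        a.text.strip()
        for a in assertion.findall(
            "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
        if a.text
    ]
    if sp_entity_id(team_id) not in audiences:
        return False, "audience_mismatch"

    email = extract_email(assertion)
    if email is None:
        return False, "missing_email"

    # Optional email_domain from the SSO page; domains compare case-insensitively.
    if email_domain and email.rsplit("@", 1)[-1].lower() != email_domain.lower():
        return False, "email_domain_mismatch"

    # A membership already bound to a NameID must present that same NameID.
    nid = assertion.find("saml:Subject/saml:NameID", NS)
    name_id = nid.text.strip() if nid is not None and nid.text else None
    if bound_name_id is not None and name_id != bound_name_id:
        return False, "name_id_conflict"

    return True, email


def sample_response(team_id, email_attr, email, name_id, audience=None):
    """Constructed, unsigned Response for testing; not a real IdP capture."""
    audience = audience or sp_entity_id(team_id)
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}">
  <saml:Assertion>
    <saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>{audience}</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="{email_attr}">
        <saml:AttributeValue>{email}</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    ok, detail = validate(sample_response(42, "email", "alice@bigco.com", "okta-1"),
                          42, email_domain="bigco.com")
    print(ok, detail)
```

Feed a response captured from your IdP (a browser SAML tracer will show it) into validate with your team ID and email_domain to see which of these checks a rejected login is tripping on, without waiting on support to read the audit log.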
SCIM "Test API Credentials" failing in Okta / Entra
The connection test probes /ServiceProviderConfig, /Schemas, /ResourceTypes, and a /Users list. If any of the four fail:
- Check the bearer token in your IdP is the exact plaintext you copied at generation time. If you lost it, revoke and regenerate at /teams/<team_id>/scim_tokens.
- Confirm the SCIM base URL is https://hjarni.com/scim/v2. No trailing slash, no /Users suffix.
- Confirm the IdP is set to send the token in the HTTP Authorization header as Bearer <token> (not basic auth, not in the URL).
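A preflight you can run yourself before the IdP's connection test, as an added example that is not Hjarni's code: it flags the base-URL mistakes listed above, sends the token only as a Bearer header, probes the same four endpoints the IdP does, builds the one filter shape listed under "What's supported", and shows the PatchOp body behind the active: false offboarding call. The ?count=1 on the Users list and the 10-second timeout are the example's own choices. The live probe needs network access and a real token; the helper functions do not.

```python
# Added example, not Hjarni's code: SCIM preflight for base URL and bearer token.
# Probe paths mirror the four the IdP connection test makes; "?count=1" and the
# timeout are this example's choices. PatchOp shape per RFC 7644.
import json
import urllib.error
import urllib.parse
import urllib.request

SCIM_BASE = "https://hjarni.com/scim/v2"
PROBES = ("/ServiceProviderConfig", "/Schemas", "/ResourceTypes", "/Users?count=1")
SUPPORTED_FILTER_ATTRS = ("userName", "externalId", "emails")


def check_base_url(url):
    """Problems with a SCIM base URL, as listed above; empty when the URL is usable."""
    problems = []
    if not url.startswith("https://"):
        problems.append("must start with https://")
    if url.endswith("/"):
        problems.append("trailing slash")
    if url.rstrip("/").endswith("/Users"):
        problems.append("/Users suffix; use the base URL only")
    return problems


def auth_headers(token):
    # The token goes in the Authorization header as a Bearer credential, nowhere else.
    return {
        "Authorization": f"Bearer {token.strip()}",
        "Accept": "application/scim+json",
        "Content-Type": "application/scim+json",
    }


def filter_query(attr, value):
    """Query string for the only supported filter shape: <attr> eq "<value>"."""
    if attr not in SUPPORTED_FILTER_ATTRS:
        raise ValueError(f"unsupported filter attribute: {attr}")
    return urllib.parse.urlencode({"filter": f'{attr} eq "{value}"'})


def deactivate_body():
    # What an IdP PATCHes to /Users/<id> on offboarding: active becomes false.
    return {
        "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
        "Operations": [{"op": "replace", "path": "active", "value": False}],
    }


def probe(base_url, token, opener=urllib.request.urlopen):
    """Map each probe path to its HTTP status, or an error string. Needs network."""
    results = {}
    for path in PROBES:
        req = urllib.request.Request(base_url + path, headers=auth_headers(token))
        try:
            with opener(req, timeout=10) as resp:
                results[path] = resp.status
        except urllib.error.HTTPError as e:
            results[path] = e.code
        except urllib.error.URLError as e:
            results[path] = f"error: {e.reason}"
    return results


def preflight(base_url, token):
    """(ok, report): URL problems first; live probe results only when the URL is clean."""
    problems = check_base_url(base_url)
    if problems:
        return False, {"url_problems": problems}
    results = probe(base_url, token)
    return all(status == 200 for status in results.values()), results


if __name__ == "__main__":
    import os
    ok, report = preflight(SCIM_BASE, os.environ.get("SCIM_TOKEN", ""))
    print("OK" if ok else "FAILED", json.dumps(report, indent=2))
```

Run it with SCIM_TOKEN set in the environment; a 401 on all four paths points at the token, a 404 on all four at the base URL, and a 401 on the Users list alone at the list permission rather than the token.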
Questions about SSO?
Email evert@hjarni.com