Configuring SSO with Uniform
Last updated: March 31, 2026
Uniform integrates with any identity provider that supports SAML 2.0 or OpenID Connect. This guide walks through the setup process for supported providers and the information your team and Uniform Support need to exchange.
Important: All existing user accounts created before SSO is enabled must be removed and re-added after SSO setup is complete. These accounts will not be able to authenticate once SSO is active. Plan your migration accordingly to avoid disruption.
Step 1: Choose a connection name
The connection name is a short, unique identifier for your organization's SSO connection.
Requirements:
- Alphanumeric characters and dashes only.
- Must clearly identify your company (e.g., acme-corp, globex-uniform).
- Must be agreed upon by both your team and Uniform Support before proceeding.
Good examples:
- acme-corp
- globex-uniform
Bad examples:
- 1112--2331313131 — not meaningful, impossible to identify the customer.
- test — too generic, not unique.
This connection name will be used to construct your SAML identifier and reply URL:
US (uniform.app)
SAML Identifier (Entity ID)
urn:auth0:uniformsystems:[connection-name]
Reply URL (ACS URL)
https://login.uniform.app/login/callback?connection=[connection-name]
Logout URL
https://login.uniform.app/logout
EU (eu.uniform.app / eu2.uniform.app)
SAML Identifier (Entity ID)
urn:auth0:uniformsystems:[connection-name]
Reply URL (ACS URL)
https://login.eu.uniform.app/login/callback?connection=[connection-name]
Logout URL
https://login.eu.uniform.app/logout
Step 2: Provider-specific setup
Choose the section that matches your identity provider.
Microsoft Entra ID (Azure AD)
Create a non-gallery Enterprise Application in Entra ID with SAML single sign-on. Use the SAML Identifier and Reply URL from the table above in the Basic SAML Configuration.
Additionally, add a custom claim named email_verified with the source attribute value "true", and enable "Expose claim in JWT tokens in addition to SAML tokens" under Advanced SAML claims options.
What you provide to Uniform Support
1. Connection name — the identifier you chose in Step 1.
2. App Federation Metadata URL — found under SAML Certificates in the SSO configuration page.
3. Certificate (Base64) — the X.509 signing certificate in PEM or CER format.
4. Email domains — all domains that should be routed through SSO.
Attribute mappings
Uniform expects the following SAML attribute mappings from Entra ID. These are typically configured by default:
{
  "user_id": [
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
  ],
  "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
  "name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
}
Okta (OpenID Connect)
Create an application integration in Okta for Uniform with the following callback URLs:
US (uniform.app)
Sign-in redirect URI
https://uniformsystems.us.auth0.com/login/callback
Allowed callback URL
https://login.uniform.app/login/callback
EU (eu.uniform.app / eu2.uniform.app)
Sign-in redirect URI
https://uniformsystems.eu.auth0.com/login/callback
Allowed callback URL
https://login.eu.uniform.app/login/callback
What you provide to Uniform Support
1. Connection name — the identifier you chose in Step 1.
2. Okta Domain — your Okta tenant domain.
3. Client ID — generated by Okta when you create the application.
4. Client Secret — generated by Okta when you create the application.
5. Email domains — all domains that should be routed through SSO.
Other SAML 2.0 / OpenID Connect providers
For any provider not listed above, the general process is the same.
What you provide to Uniform Support
1. Connection name — the identifier you chose in Step 1.
2. Sign-in URL — the SSO endpoint generated by your identity provider.
3. X.509 signing certificate — the SAMLP server public key in PEM or CER format.
4. Email domains — all domains that should be routed through SSO.
Step 3: Verification
Once both sides have completed their configuration:
1. Uniform Support will confirm that SSO is active.
2. Send a new invite to a test user from within Uniform.
3. The invited user should log in at your Uniform instance. If SSO is configured correctly, they will be redirected to your identity provider for authentication.
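Before sending the test invite, an Entra ID test assertion can be checked against the attribute mappings and the email_verified claim described in the Entra ID section. The following is an added example, not code from Uniform: it resolves user_id, email and name in the listed fallback order and reports what is missing. Assumptions: the function names are hypothetical, the Subject NameID is treated as the nameidentifier claim, the custom claim arrives with the bare Name email_verified, and the input is an already decoded assertion from your own IdP whose signature is not checked here.

```python
import xml.etree.ElementTree as ET
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
# Mapping from the Entra ID section of this guide; list order is the fallback order.
MAPPING = {
    "user_id": [CLAIMS + "nameidentifier", CLAIMS + "upn", CLAIMS + "name"],
    "email": [CLAIMS + "emailaddress"],
    "name": [CLAIMS + "name"],
}

def read_claims(assertion_xml):
    """Collect attribute values by Name; expose Subject/NameID as nameidentifier (assumption)."""
    root = ET.fromstring(assertion_xml)
    claims = {}
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is not None and (name_id.text or "").strip():
        claims[CLAIMS + "nameidentifier"] = name_id.text.strip()
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        if value is not None and (value.text or "").strip():
            claims[attr.get("Name")] = value.text.strip()
    return claims

def check_assertion(assertion_xml):
    """Return (resolved profile, list of problems) for one decoded assertion."""
    claims = read_claims(assertion_xml)
    profile, problems = {}, []
    for field, sources in MAPPING.items():
        profile[field] = next((claims[s] for s in sources if s in claims), None)
        if profile[field] is None:
            problems.append("no source attribute for " + field)
    # Assumption: the custom claim arrives with the bare Name "email_verified".
    if claims.get("email_verified", "").lower() != "true":
        problems.append("email_verified claim missing or not 'true'")
    return profile, problems

# Constructed sample: unsigned assertion fragment for a made-up user, without email_verified.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>jdoe@acme-corp.example</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>jdoe@acme-corp.example</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
      <saml:AttributeValue>Jane Doe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    print(check_assertion(SAMPLE))
```

Run against the constructed sample, the check resolves all three profile fields and reports only the missing email_verified claim.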
Limitations
- Pre-existing accounts: Users who had accounts before SSO was enabled cannot authenticate after setup. They must be removed and re-invited.
- Connection name is permanent: Once agreed upon and configured, the connection name cannot be changed without reconfiguring both sides.