Rivano supports OIDC-based single sign-on. This guide walks through configuring SSO using Zitadel, but the steps apply to any OIDC-compliant identity provider (Okta, Auth0, Azure AD, Google Workspace).

Prerequisites

An active Rivano tenant with owner-level access
An OIDC identity provider where you can create an application
DNS control for your organization’s domain (for IdP setup)

Step 1: Create an OIDC application in your IdP

In Zitadel (or your IdP), create a new Web Application with the following settings:

Setting	Value
Application type	Web
Authentication method	PKCE (recommended) or Client Secret
Redirect URI	`https://app.rivano.ai/auth/callback`
Post-logout redirect URI	`https://app.rivano.ai`
Token endpoint auth method	`none` (for PKCE) or `client_secret_post`

Note the Issuer URL, Client ID, and Client Secret (if using client secret flow).

Zitadel-specific steps

In your Zitadel project, go to Applications → + New.
Select Web Application.
Enter Rivano as the name.
Under Redirect URIs, add https://app.rivano.ai/auth/callback.
Set the authentication method to PKCE.
Save. Copy the Client ID shown on the application detail page.
Your issuer URL is https://[your-instance].zitadel.cloud or your self-hosted Zitadel URL.

Step 2: Configure SSO in Rivano

Go to Settings → SSO in the dashboard and enter:

Issuer URL — Your IdP’s OIDC issuer (e.g. https://myorg.zitadel.cloud)
Client ID — The application client ID from step 1
Client Secret — Only required if not using PKCE

Click Test connection. Rivano fetches the OIDC discovery document from {issuer}/.well-known/openid-configuration and verifies the endpoint is reachable.

If the test succeeds, click Enable SSO.

⚠

Enabling SSO disables OAuth (Google/GitHub) sign-in for all non-owner members. Owners retain OAuth access as a fallback. Make sure at least one owner has tested the SSO flow before enabling it for the whole team.

Open a private browser window and navigate to app.rivano.ai.
Click Sign in with SSO.
You are redirected to your IdP’s login page.
Sign in with an account from your IdP.
You are redirected back to Rivano and logged in.

If the flow fails, check:

The redirect URI in your IdP exactly matches https://app.rivano.ai/auth/callback
The issuer URL does not have a trailing slash
The OIDC discovery document is accessible from Rivano’s servers (no IP allowlisting blocking it)

Step 4: Map external users to Rivano roles

By default, new SSO users are assigned the member role. To assign a different role, set the rivano_role claim in your IdP.

Zitadel claim mapping

In Zitadel, go to Actions and create a new action:

// Zitadel action: set Rivano role from user metadata
function setRivanoRole(ctx, api) {
  const role = ctx.v1.user.grants.hasProjectRole('admin')
    ? 'admin'
    : 'member';
  api.v1.claims.setClaim('rivano_role', role);
}

Attach the action to the Complement token trigger.
Deploy the action.

Supported role values

Claim value	Rivano role
`owner`	Owner
`admin`	Admin
`member`	Member (default)

Any unrecognized or absent claim value defaults to member.

Step 5: Provision team members

Once SSO is enabled, invite team members by sending them to app.rivano.ai. They sign in via your IdP and their account is created automatically on first login.

You can pre-provision users via the Teams API if you need to assign them to sub-teams before they first sign in:

curl -X POST https://api.rivano.ai/api/teams/{teamId}/members \
  -H "Authorization: Bearer rv_api_..." \
  -H "Content-Type: application/json" \
  -d '{"email": "[email protected]"}'

Disabling SSO

Go to Settings → SSO and click Disable SSO. OAuth sign-in is re-enabled immediately for all members.

Authentication — Full auth model and session management
RBAC — Role and permission reference
Multi-Tenancy — How OIDC sessions are isolated per tenant
Teams API — Programmatic team and member management

SSO Setup