Authentication, SSO, & SCIM - Start Here

Use this hub to understand how authentication works in LinearB, choose your SSO provider, configure SCIM provisioning (Okta only), and manage or disable identity integrations. This page links to all configuration guides.

Note: SSO and SCIM are not enabled by default. Please contact LinearB Support to enable these features for your organization.

---

Overview

LinearB supports:

• SAML 2.0 SSO with:
  • Okta
  • Google Workspace (GSuite)
  • Azure AD / Microsoft Entra
  • OneLogin
  • Ping Identity
• SCIM Provisioning (Okta only)

SSO centralizes authentication and improves security. SCIM automates user lifecycle (create, update, deactivate).

Where to configure:

All authentication settings live under Settings → SSO

Who can configure:

LinearB Admins only.

---

General SAML 2.0 Integration

General, High-level SAML 2.0 SSO Integration (General SAML 2.0 SSO Integration (Applicable to OneLogin, Ping Identity, etc.)

LinearB can integrate with any SAML 2.0-compliant identity provider (IdP). Use this guide if your IdP is not listed above or you prefer a generic setup.

Key terms

• IdP: Identity Provider (your SSO system)
• SP: Service Provider (LinearB)

Step 1: Enable SAML SSO in LinearB

1. In LinearB, go to Settings → SSO.
2. Open the Single Sign-On section/tab.
3. Click Set Up SSO (or equivalent) to generate the SSO configuration.

Step 2: Create a SAML 2.0 application in your IdP

Your IdP admin will need these SAML values:

• ACS URL / Callback URL: generated in LinearB during setup (copy it from the SSO screen)
• Entity ID / Audience: https://app.linearb.io/login
• Name ID format: email
• Required attributes: none (Name ID is sufficient)

Important: Assign at least one user to the LinearB SSO app in your IdP before testing.

Step 3: Copy IdP values into LinearB

Back in LinearB, fill in the fields using values from your IdP:

• Provider Single Sign-On URL (sometimes labeled SSO URL)
• Provider Issuer (Issuer URL or IdP Entity ID)
• Organization Email Domain (for example, example.com)
• X.509 Certificate (paste the full certificate)

Step 4: Test the connection

• Click Save to trigger a test login flow.
• If successful, the SAML Authentication toggle should show as enabled/connected.

Optional: Username attribute mapping (IdP-specific)

Some IdPs let you send a custom attribute (often called userName) to control the username created in LinearB. If you do not map a username attribute, LinearB will typically use the user’s email.

-->

---

Provider Specific SSO Setup

Provider Specific SSO Setup Guides

• Configuring SAML SSO with Okta
• Configuring SAML SSO with Google Workspace
• Configuring SAML SSO with Microsoft Entra (formerly Azure AD)

Each provider guide includes steps for:

• Setting up a SAML application
• Configuring the Entity ID & ACS URL
• Adding the X.509 certificate
• Assigning users
• Testing & enforcing SSO

---

SCIM Provisioning

SCIM Provisioning (Okta Only)

What SCIM does

• Automatically provisions new LinearB users
• Updates user profile attributes
• Deactivates LinearB users when deactivated in Okta
• Keeps identity data centralized and consistent

Guide:

• How to Configure SCIM in Okta for LinearB

Note: SCIM is supported only with Okta. Microsoft Entra and Google do not support SCIM provisioning for LinearB.

---

Enforcing SSO

Enforcing SSO for your LinearB Organization

You can require all users to authenticate through your identity provider.

Steps:

1. Go to Settings → Authentication / SSO.
2. Enable the toggle “Require SSO for all users”.
3. Save your settings.

After enforcement:

• Users must sign in via your SSO provider only.
• Email/password login will be disabled.
• New users must be added via your IdP (or SCIM, if using Okta).

---

Disabling SSO

How to Disable SSO

When would you disable SSO?

• Changing identity providers
• Testing a new SSO configuration
• Restoring access for users locked out of the IdP

Steps to disable SSO:

1. Go to Settings → SSO.
2. Turn off the SAML Authentication toggle.
3. If enforced, uncheck the Require SSO option.
4. Save your settings.

Result: Users can again log in with email + password, and SSO logins will no longer be required.

---

Disabling SCIM

How to Disable SCIM Provisioning (Okta)

When would you disable SCIM?

• Switching identity providers
• Stopping automated user lifecycle management
• Debugging unexpected provisioning changes

Steps in Okta:

1. Open the LinearB Okta application.
2. Go to the Provisioning tab.
3. Under Integration, click Edit.
4. Disable API Integration.
5. Save your settings.

Steps in LinearB:

1. Go to Settings → SCIM .
2. Revoke the SCIM token (optional but recommended).

Result: Okta will no longer create, update, or deactivate LinearB users via SCIM. Existing LinearB users remain unchanged.

---

FAQs

Can I configure SSO with multiple providers?
No — LinearB supports one SAML SSO provider at a time.

Do new SSO users get a default role?
Yes, new users created through SSO or SCIM begin as Viewer.

Does disabling SSO remove user accounts?
No — it only changes how users authenticate.

Does SCIM assign users to Teams?
No — team membership is managed inside LinearB.

---

Next steps:

• Configuring SAML SSO with Okta
• Configuring SAML SSO with Google Workspace
• Configuring SAML SSO with Microsoft Entra (formerly Azure AD)