Authentication, SSO, & SCIM - Start Here
Use this hub to configure authentication in LinearB. Set up SAML Single Sign-On (SSO) with your identity provider, enable SCIM provisioning with Okta, and manage identity integrations for your organization.
Note: SSO and SCIM are not enabled by default. Please contact LinearB Support to enable these features for your organization.
Overview
LinearB supports:
- SAML 2.0 SSO with:
  - Okta
  - Google Workspace (GSuite)
  - Azure AD / Microsoft Entra
  - OneLogin
  - Ping Identity
- SCIM Provisioning (Okta only)
SSO centralizes authentication and improves security. SCIM automates the user lifecycle (create, update, deactivate).
Where to configure
All authentication settings are managed in LinearB under Settings → SSO.
Who can configure
LinearB Admins only.
General SAML 2.0 Integration
LinearB can integrate with any SAML 2.0-compliant identity provider (IdP). Use this high-level guide if your IdP is not listed above or if you prefer a generic SAML setup.
Key terms
- IdP: Identity Provider (your SSO system)
- SP: Service Provider (LinearB)
Step 1: Enable SAML SSO in LinearB
- In LinearB, go to Settings → SSO.
- Open the Single Sign-On section.
- Click Set Up SSO to generate the SSO configuration.
Step 2: Create a SAML 2.0 application in your IdP
Your IdP administrator will need the following SAML values:
- ACS URL / Callback URL – generated in LinearB during setup
- Entity ID / Audience – https://app.linearb.io/login
- Name ID format – email
- Required attributes – none (Name ID is sufficient)
Important: Assign at least one user to the LinearB SSO application in your IdP before testing.
Step 3: Copy IdP values into LinearB
Back in LinearB, enter the following values from your IdP:
- Provider Single Sign-On URL (SSO URL)
- Provider Issuer (Issuer URL / IdP Entity ID)
- Organization Email Domain (for example: example.com)
- X.509 Certificate (paste the full certificate)
Step 4: Test the connection
- Click Save to trigger a test login flow.
- If successful, the SAML Authentication toggle will show as enabled.
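If the test login fails, decoding the SAMLResponse your IdP posted during the test and comparing it with the values from Steps 2 and 3 usually shows which setting is off. The script below is an added example, not LinearB code; the ACS URL and issuer are placeholders, the sample response is constructed, and mapping "email" to the SAML emailAddress URN is an assumption.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion"}
ENTITY_ID = "https://app.linearb.io/login"  # Entity ID / Audience from Step 2
# Assumption: "email" Name ID format means the standard SAML emailAddress URN.
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# Placeholders: the real ACS URL is generated in LinearB, the issuer comes from your IdP.
ACS_URL = "https://acs-url-generated-by-linearb.invalid/callback"
IDP_ISSUER = "https://idp.example.com/issuer"

def check_saml_response(b64_response, acs_url, idp_issuer, email_domain):
    """List mismatches between a test SAMLResponse and the Step 2/3 values.
    Diagnostic for your own test login only: the XML signature is NOT verified."""
    root = ET.fromstring(base64.b64decode(b64_response))
    problems = []
    if root.get("Destination") != acs_url:
        problems.append("Destination does not match the ACS URL")
    issuer = root.findtext(".//a:Assertion/a:Issuer", default="", namespaces=NS)
    if issuer.strip() != idp_issuer:
        problems.append("Issuer does not match the Provider Issuer")
    audiences = [e.text.strip() for e in root.iterfind(".//a:Audience", NS) if e.text]
    if ENTITY_ID not in audiences:
        problems.append("Audience is not " + ENTITY_ID)
    name_id = root.find(".//a:Subject/a:NameID", NS)
    value = (name_id.text or "").strip() if name_id is not None else ""
    if not value:
        problems.append("NameID is missing")
    else:
        if name_id.get("Format") != EMAIL_FORMAT:
            problems.append("NameID format is not email")
        if not value.lower().endswith("@" + email_domain.lower()):
            problems.append("NameID is outside the Organization Email Domain")
    return problems

def sample_response(audience, name_id, fmt=EMAIL_FORMAT):
    """Constructed, unsigned SAMLResponse for demonstration (not real IdP output)."""
    xml = (f'<p:Response xmlns:p="{NS["p"]}" xmlns:a="{NS["a"]}" Destination="{ACS_URL}">'
           f'<a:Assertion><a:Issuer>{IDP_ISSUER}</a:Issuer>'
           f'<a:Subject><a:NameID Format="{fmt}">{name_id}</a:NameID></a:Subject>'
           f'<a:Conditions><a:AudienceRestriction><a:Audience>{audience}</a:Audience>'
           f'</a:AudienceRestriction></a:Conditions></a:Assertion></p:Response>')
    return base64.b64encode(xml.encode()).decode()

if __name__ == "__main__":
    good = sample_response(ENTITY_ID, "dev@example.com")
    print(check_saml_response(good, ACS_URL, IDP_ISSUER, "example.com"))
```

Pass the base64 SAMLResponse form field captured from your own browser during the Step 4 test, along with the ACS URL shown in LinearB and the issuer and domain you entered in Step 3.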
Optional: Username attribute mapping (IdP-specific)
Some identity providers allow sending a custom attribute (often called userName) to control the username created in LinearB.
If no username attribute is mapped, LinearB typically uses the user's email address.
Provider-Specific SSO Setup
Provider Setup Guides
- Configuring SAML SSO with Okta
- Configuring SAML SSO with Google Workspace
- Configuring SAML SSO with Microsoft Entra (formerly Azure AD)
Each provider guide includes steps for:
- Creating a SAML application
- Configuring the Entity ID and ACS URL
- Adding the X.509 certificate
- Assigning users
- Testing and enforcing SSO
SCIM Provisioning
SCIM Provisioning (Okta Only)
What SCIM does
- Automatically provisions new LinearB users
- Updates user profile attributes
- Deactivates LinearB users when they are disabled in Okta
- Keeps identity data centralized and consistent
Guide:
Note: SCIM provisioning is supported only with Okta. Microsoft Entra and Google Workspace do not support SCIM provisioning for LinearB.
Enforcing SSO
You can require all users to authenticate through your identity provider.
Steps
- Go to Settings → Authentication / SSO.
- Enable Require SSO for all users.
- Save your settings.
After enforcement:
- Users must sign in through your SSO provider.
- Email and password login is disabled.
- New users must be created through the IdP (or SCIM if enabled).
Disabling SSO
How to Disable SSO
When would you disable SSO?
- Changing identity providers
- Testing a new SSO configuration
- Restoring access for users locked out of the IdP
Steps
- Go to Settings → SSO.
- Turn off the SAML Authentication toggle.
- If enabled, uncheck Require SSO.
- Save your settings.
Result: Users can sign in again using email and password, and SSO will no longer be required.
Disabling SCIM
How to Disable SCIM Provisioning (Okta)
When would you disable SCIM?
- Switching identity providers
- Stopping automated user lifecycle management
- Debugging unexpected provisioning behavior
Steps in Okta
- Open the LinearB application in Okta.
- Go to the Provisioning tab.
- Under Integration, click Edit.
- Disable API Integration.
- Save your changes.
Steps in LinearB
- Go to Settings → SCIM.
- Revoke the SCIM token (optional but recommended).
Result: Okta will no longer create, update, or deactivate LinearB users via SCIM. Existing LinearB users remain unchanged.
FAQs
Can I configure SSO with multiple providers?
No — LinearB supports only one SAML SSO provider at a time.
Do new SSO users receive a default role?
Yes. New users created through SSO or SCIM begin with the Viewer role.
Does disabling SSO remove user accounts?
No. It only changes how users authenticate.
Does SCIM assign users to Teams?
No. Team membership is managed inside LinearB.