SSO Integration Guide
Triage Warden supports enterprise SSO through both OIDC and SAML endpoints.
Supported Flows
- OIDC login: `/auth/oidc/login`
- OIDC callback: `/auth/oidc/callback`
- OIDC logout: `/auth/oidc/logout`
- SAML metadata: `/auth/saml/metadata`
- SAML login: `/auth/saml/login`
- SAML ACS: `/auth/saml/acs`
- SAML SLO: `/auth/saml/slo`
Common Environment Variables
- `TW_OIDC_ISSUER`
- `TW_OIDC_CLIENT_ID`
- `TW_OIDC_CLIENT_SECRET`
- `TW_OIDC_REDIRECT_URI`
- `TW_OIDC_SCOPES`
- `TW_OIDC_JWKS_URI` (optional override; the discovery document's `jwks_uri` is used by default)
- `TW_OIDC_REQUIRE_MFA`
- `TW_SSO_ROLE_MAPPING`
- `TW_SSO_DEFAULT_ROLE`
- `TW_SSO_AUTO_CREATE_USERS`
- `TW_SAML_ENTITY_ID`
- `TW_SAML_ACS_URL`
- `TW_SAML_IDP_SSO_URL`
- `TW_SAML_CERTIFICATE`
- `TW_SAML_PRIVATE_KEY`
- `TW_SAML_EXPECTED_ISSUER`
- `TW_SAML_REQUIRE_MFA`
Use provider-specific documents in this folder for exact values.
Security Notes
- OIDC ID tokens are validated for issuer/audience/nonce/expiration and signature (JWKS).
- SAML assertions enforce request correlation (`InResponseTo`), destination checks, signature presence, SHA-2 algorithm allow-listing, and certificate pinning checks.