Enterprise SSO

Rekall supports enterprise single sign-on (SSO) via SAML 2.0 and OpenID Connect (OIDC). SSO allows your team to authenticate with Rekall using your existing identity provider, enabling centralized access control and audit logging.

Enterprise Plan Required

SSO is available on the Enterprise plan. Contact sales@rekall.ai to enable SSO for your organization.

Supported Protocols

Rekall supports two industry-standard SSO protocols. Choose the one your identity provider supports; some providers (Azure AD, for example) support both.

SAML 2.0

XML-based protocol widely supported by enterprise identity providers. Recommended for Okta, Azure AD, OneLogin, PingIdentity, and ADFS.

Providers: Okta, Azure AD, OneLogin, PingIdentity, ADFS

OpenID Connect (OIDC)

Modern, JSON-based protocol built on OAuth 2.0. Recommended for Google Workspace, Auth0, and custom identity providers.

Providers: Google Workspace, Auth0, Keycloak, Azure AD, Custom

SAML 2.0 Setup

Configuring SAML SSO requires setup on both the Rekall side and your identity provider.

Rekall Configuration

Start by configuring the SAML connection in the Rekall dashboard:

  1. Navigate to Settings → SSO
  2. Click Configure SAML 2.0
  3. Copy the Rekall SP metadata values shown on the configuration page
  4. Enter these values in your identity provider (see below)

Rekall provides the following Service Provider (SP) metadata for your identity provider:

Rekall SAML SP Metadata
{
  "entity_id": "https://api.rekall.ai/v1/sso/saml/metadata",
  "acs_url": "https://api.rekall.ai/v1/sso/saml/acs",
  "slo_url": "https://api.rekall.ai/v1/sso/saml/slo",
  "metadata_url": "https://api.rekall.ai/v1/sso/saml/metadata.xml",
  "name_id_format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
}

Identity Provider Configuration

After configuring Rekall, set up the SAML application in your identity provider. The exact steps depend on your provider, but you will generally need to:

  1. Create a new SAML application in your IdP
  2. Set the Entity ID / Audience URI to the entity_id from Rekall
  3. Set the ACS URL / Reply URL to the acs_url from Rekall
  4. Set Name ID Format to emailAddress
  5. Configure attribute mapping (see below)
  6. Copy the IdP metadata URL or download the metadata XML
  7. Paste the IdP metadata URL or XML content back in the Rekall SSO settings

After configuring your identity provider, enter its metadata back in Rekall:

const ssoConfig = await rekall.sso.configure({
  protocol: 'saml',
  idpMetadataUrl: 'https://login.okta.com/app/abc123/sso/saml/metadata',
  // Or provide the metadata XML directly:
  // idpMetadataXml: '<EntityDescriptor>...</EntityDescriptor>',
  domains: ['yourcompany.com'],
  autoProvision: true,
});
console.log(ssoConfig.status); // "active"

Attribute Mapping

Rekall reads the following SAML attributes from the assertion. The required ones must be present or sign-in fails; map them from your identity provider's user directory:

Rekall Attribute   Required   Description
email              Yes        User email (used as Name ID)
firstName          Yes        User first name
lastName           Yes        User last name
groups             No         Group memberships for role mapping
department         No         Department for team assignment
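As an added example (not Rekall SDK code), here is how an SP-side mapper can take the attributes as an IdP actually names them and produce the attribute set above, reporting missing required attributes and deriving a role from group membership. The URI-style attribute names are the defaults Azure AD and ADFS emit; the group-to-role table, the viewer fallback and the sample attributes are assumptions for the example.

```javascript
// Added example: map IdP attribute names onto Rekall's attribute set,
// enforce the required ones, and derive a role from group membership.
// The URI-style names are the defaults Azure AD / ADFS emit; Okta and
// OneLogin usually emit the short names. Not part of the Rekall SDK.

const ATTRIBUTE_ALIASES = {
  email: ['email', 'mail',
    'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'],
  firstName: ['firstName', 'givenName', 'given_name',
    'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname'],
  lastName: ['lastName', 'surname', 'sn', 'family_name',
    'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname'],
  groups: ['groups', 'memberOf',
    'http://schemas.microsoft.com/ws/2008/06/identity/claims/groups',
    'http://schemas.xmlsoap.org/claims/Group'],
  department: ['department'],
};
const REQUIRED = ['email', 'firstName', 'lastName'];

// IdP group -> Rekall role, most privileged first so that a user in several
// groups gets the highest matching role. The group names are assumed.
const GROUP_ROLES = [
  ['rekall-admins', 'admin'],
  ['rekall-editors', 'editor'],
  ['rekall-viewers', 'viewer'],
];
const FALLBACK_ROLE = 'viewer'; // assumed default when no group matches

// attributes: { attributeName: [value, ...] } taken from an assertion whose
// signature has already been verified; nameId: the Subject NameID.
function mapSamlAttributes(attributes, nameId) {
  // Case-insensitive lookup: some IdPs emit 'Email', others 'email'.
  const byName = new Map(
    Object.entries(attributes).map(([k, v]) => [k.toLowerCase(), v]),
  );
  const profile = {};
  for (const [target, aliases] of Object.entries(ATTRIBUTE_ALIASES)) {
    for (const alias of aliases) {
      const values = byName.get(alias.toLowerCase());
      if (values && values.length > 0) {
        // groups is multi-valued; everything else takes the first value.
        profile[target] = target === 'groups' ? values.slice() : values[0];
        break;
      }
    }
  }

  const missing = REQUIRED.filter((k) => !profile[k]);
  if (missing.length > 0) {
    return { ok: false, error: `missing required attribute(s): ${missing.join(', ')}`, missing };
  }
  // Rekall keys the account on the Name ID and expects it to be the email;
  // a mismatch means the IdP is sending some other identifier as Name ID.
  profile.email = profile.email.trim().toLowerCase();
  if (profile.email !== String(nameId).trim().toLowerCase()) {
    return { ok: false, error: 'Name ID does not match the email attribute', missing: [] };
  }
  const groups = profile.groups || [];
  const hit = GROUP_ROLES.find(([group]) => groups.includes(group));
  profile.role = hit ? hit[1] : FALLBACK_ROLE;
  return { ok: true, profile };
}

// Constructed sample: attributes as Azure AD emits them by default.
const SAMPLE_AZURE_ATTRIBUTES = {
  'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress': ['Ada@YourCompany.com'],
  'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname': ['Ada'],
  'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname': ['Lovelace'],
  'http://schemas.microsoft.com/ws/2008/06/identity/claims/groups': ['rekall-viewers', 'rekall-editors'],
};

console.log(mapSamlAttributes(SAMPLE_AZURE_ATTRIBUTES, 'ada@yourcompany.com'));
// Okta-style short names with the surname missing: reported, not silently skipped.
console.log(mapSamlAttributes({ email: ['bob@yourcompany.com'], firstName: ['Bob'] }, 'bob@yourcompany.com'));
```

The Name ID check matters because Rekall uses the email as Name ID: if an IdP is configured to send a persistent identifier or a GUID as Name ID while the email attribute is correct, the user looks fine in the IdP logs but the account key on the Rekall side is wrong.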

OIDC Setup

OpenID Connect setup is similar to SAML but uses JSON-based configuration and runs on top of the OAuth 2.0 authorization code flow.

Rekall Configuration

Rekall provides the following OIDC client configuration for your identity provider:

Rekall OIDC Client Configuration
{
  "redirect_uri": "https://api.rekall.ai/v1/sso/oidc/callback",
  "post_logout_redirect_uri": "https://app.rekall.ai/logout",
  "response_type": "code",
  "scope": "openid email profile groups",
  "grant_type": "authorization_code"
}

Identity Provider Configuration

Configure your identity provider with the Rekall redirect URI, then provide the discovery URL and client credentials back to Rekall:

const ssoConfig = await rekall.sso.configure({
  protocol: 'oidc',
  issuerUrl: 'https://accounts.google.com',
  // Or a custom discovery URL:
  // discoveryUrl: 'https://idp.yourcompany.com/.well-known/openid-configuration',
  clientId: 'your-oidc-client-id',
  // Load the secret from your secret store or environment; never commit it to source control.
  clientSecret: 'your-oidc-client-secret',
  domains: ['yourcompany.com'],
  autoProvision: true,
  scopes: ['openid', 'email', 'profile', 'groups'],
});
console.log(ssoConfig.status); // "active"

Discovery URL

Most OIDC providers support auto-discovery via the .well-known/openid-configuration endpoint. Rekall fetches the provider's signing keys (jwks_uri), token endpoint, and authorization endpoint from this document automatically. The issuerUrl you configure must match the issuer value in that document and the iss claim the provider puts in its ID tokens exactly, including any trailing slash, because ID tokens are validated against it.

Just-in-Time Provisioning

When JIT provisioning is enabled, Rekall automatically creates user accounts the first time someone from your organization signs in via SSO. This eliminates the need to manually invite every team member.

JIT Provisioning Settings

  - Auto-create accounts: automatically create Rekall accounts for new SSO users.
  - Default role: assign a default role (viewer, editor, admin) to new users.
  - Default team: assign new users to a specific team based on IdP groups.
  - Domain verification: only provision users from verified email domains.

Enabling JIT provisioning
await rekall.sso.update({
  autoProvision: true,
  defaultRole: 'editor',
  defaultTeam: 'engineering',
  verifiedDomains: ['yourcompany.com'],
});

Domain Verification

JIT provisioning requires domain verification: before automatic provisioning can be enabled for a domain, add a TXT record to that domain's DNS to prove you control it. Without this check, an account could be created for any address an identity provider chooses to assert, including addresses at domains your organization does not own.

SSO Enforcement

Once SSO is configured and tested, you can enforce it for all members of your organization. When SSO is enforced:

  - All team members must sign in via your identity provider.
  - Password-based sign-in is disabled for SSO-enforced accounts.
  - Existing API keys continue to work (they are separate from user authentication), so enforcing SSO does not by itself restrict access obtained through a key; manage keys separately.
  - Deprovisioned users in your IdP are automatically removed from Rekall within 1 hour.
  - Organization admins can bypass SSO enforcement for emergency access. Because these accounts stay reachable with a password, keep the bypass-enabled set small and review their sign-ins.

// Enforce SSO for the organization
await rekall.sso.enforce({
  enabled: true,
  bypassAdmins: true, // Admins can still use password auth
  gracePeriodDays: 7, // Give users 7 days to transition
});

// Check enforcement status
const status = await rekall.sso.getStatus();
console.log(status.enforced); // true
console.log(status.gracePeriodEnds); // "2025-02-07T00:00:00Z"

Troubleshooting

SAML assertion is rejected

Verify that the ACS URL and Entity ID match exactly (including scheme, case, and trailing slashes). Check that the Name ID format is set to emailAddress. Ensure the IdP clock is synchronized: Rekall only accepts assertions within a 5-minute window, so a drifting IdP clock makes every assertion look expired or not yet valid.
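A diagnostic for the causes listed above, as an added example that is not Rekall's own code: it runs over the fields of an assertion that has already been parsed and whose signature has already been verified (signature checking comes first and is out of scope here), compares them against Rekall's published SP metadata, and names the usual near-miss (trailing slash, case, http instead of https) when a URL fails the exact match. The sample assertions are constructed, and applying the 5-minute window as a tolerance around the assertion's own NotBefore/NotOnOrAfter is an assumption.

```javascript
// Added example: diagnose why a SAML assertion is rejected. `a` holds fields
// as a parser would expose them; signature verification is assumed done.
// The 5-minute tolerance around NotBefore/NotOnOrAfter is an assumption.
// Not Rekall's own code.

const SP = {
  entityId: 'https://api.rekall.ai/v1/sso/saml/metadata',
  acsUrl: 'https://api.rekall.ai/v1/sso/saml/acs',
  nameIdFormat: 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
};
const TOLERANCE_MS = 5 * 60 * 1000;

// Explain the usual reason two URLs that "look the same" fail an exact match.
function nearMiss(actual, expected) {
  if (typeof actual !== 'string') return 'value missing';
  const strip = (u) => u.replace(/\/+$/, '').toLowerCase();
  if (strip(actual) === strip(expected)) return 'differs only by trailing slash or letter case; the match is exact';
  if (actual.startsWith('http://')) return 'uses http:// instead of https://';
  return 'does not match';
}

// Assertion fields:
//   audience       Conditions/AudienceRestriction/Audience
//   destination    Response/@Destination
//   recipient      SubjectConfirmationData/@Recipient
//   nameIdFormat   Subject/NameID/@Format
//   notBefore, notOnOrAfter   Conditions attributes (ISO 8601 strings)
function diagnoseAssertion(a, sp = SP, now = Date.now()) {
  const problems = [];
  if (a.audience !== sp.entityId) problems.push(`Audience "${a.audience}" vs Entity ID: ${nearMiss(a.audience, sp.entityId)}`);
  if (a.destination !== sp.acsUrl) problems.push(`Destination "${a.destination}" vs ACS URL: ${nearMiss(a.destination, sp.acsUrl)}`);
  if (a.recipient !== sp.acsUrl) problems.push(`Recipient "${a.recipient}" vs ACS URL: ${nearMiss(a.recipient, sp.acsUrl)}`);
  if (a.nameIdFormat !== sp.nameIdFormat) problems.push(`NameID format is "${a.nameIdFormat}", expected emailAddress`);
  const nb = Date.parse(a.notBefore);
  const na = Date.parse(a.notOnOrAfter);
  if (Number.isNaN(nb) || Number.isNaN(na)) {
    problems.push('Conditions NotBefore/NotOnOrAfter missing or unparseable');
  } else {
    if (now < nb - TOLERANCE_MS) problems.push(`not yet valid: NotBefore is ${Math.round((nb - now) / 1000)} s ahead of our clock (IdP clock ahead?)`);
    if (now >= na + TOLERANCE_MS) problems.push(`expired: NotOnOrAfter is ${Math.round((now - na) / 1000)} s behind our clock (IdP clock behind, or a replayed assertion?)`);
  }
  return { ok: problems.length === 0, problems };
}

// Constructed samples. Times are relative to a fixed "now" so output is stable.
const NOW = Date.parse('2025-02-01T12:00:00Z');
const GOOD = {
  audience: SP.entityId, destination: SP.acsUrl, recipient: SP.acsUrl, nameIdFormat: SP.nameIdFormat,
  notBefore: '2025-02-01T11:59:30Z', notOnOrAfter: '2025-02-01T12:04:30Z',
};
// Misconfigured IdP: trailing slash on the ACS URL, persistent NameID, and a
// clock ten minutes slow.
const BAD = {
  ...GOOD,
  destination: SP.acsUrl + '/', recipient: SP.acsUrl + '/',
  nameIdFormat: 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
  notBefore: '2025-02-01T11:49:30Z', notOnOrAfter: '2025-02-01T11:54:30Z',
};

console.log(diagnoseAssertion(GOOD, SP, NOW));
console.log(diagnoseAssertion(BAD, SP, NOW));
```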

OIDC callback fails with "invalid_redirect_uri"

The redirect URI configured in your IdP must exactly match https://api.rekall.ai/v1/sso/oidc/callback, including the protocol and path.

Users are not being auto-provisioned

Check that JIT provisioning is enabled, the user's email domain is in your verified domains list, and the required attributes (email, firstName, lastName) are included in the IdP response.

SSO login works but users cannot access resources

Check that the default role has the necessary permissions. Users provisioned via SSO receive the default role unless group-based role mapping is configured.

Need Help?

If you encounter issues configuring SSO, contact your Rekall account manager or email support@rekall.ai. Enterprise customers have access to a dedicated support channel with priority response times.
