Handbook - Configuration
SSO Overview
Deployed mode uses BFF-owned SSO. The frontend starts login flows but never receives provider access tokens or ID tokens.
Supported Providers
| Provider ID | Provider | Flow |
|---|---|---|
| github | GitHub OAuth App | OAuth web flow plus GitHub user/email APIs |
| google | Google | OIDC authorization code flow with PKCE |
| azure | Microsoft Azure Entra ID | OIDC authorization code flow with PKCE |
Enable providers with:
CLOUDGRID_AUTH_PROVIDERS=github,google,azure
Use any comma-separated subset.
Browser Login Flow
Common Variables
CLOUDGRID_DEPLOYMENT_MODE=deployed
CLOUDGRID_AUTH_MODE=sso
CLOUDGRID_AUTH_PROVIDERS=github
CLOUDGRID_AUTH_COMPANY_ID=acme
CLOUDGRID_SESSION_SECRET='<random-session-secret>'
CLOUDGRID_SESSION_TTL_SECONDS=28800
CLOUDGRID_AUTH_COMPANY_ID names the single company boundary a deployed instance serves; until dynamic tenant provisioning exists, every SSO login is scoped to this one configured company.
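The variables above are easy to get subtly wrong (a misspelled provider ID, a secret copied from the docs placeholder, a non-numeric TTL), and a BFF that starts anyway will either silently disable login or run with a guessable session key. The following startup check is an added example, not CloudGrid's own code; the 32-byte minimum for the session secret, the `deployed`/`sso` pairing check and the `SsoConfig` shape are assumptions made here for illustration.

```python
import re
import secrets
from dataclasses import dataclass

# Provider IDs the page lists as supported. Anything else in
# CLOUDGRID_AUTH_PROVIDERS is a typo or a misconfiguration and should
# stop startup rather than silently leave a provider disabled.
SUPPORTED_PROVIDERS = ("github", "google", "azure")

# Minimum session-secret length is an assumption for this example
# (32 random bytes is a common floor for HMAC-style session keys).
MIN_SECRET_BYTES = 32


@dataclass(frozen=True)
class SsoConfig:
    providers: tuple
    company_id: str
    session_secret: str
    session_ttl_seconds: int


def parse_providers(raw: str) -> tuple:
    """Parse the comma-separated CLOUDGRID_AUTH_PROVIDERS value.

    Returns the enabled provider IDs in the order given, de-duplicated,
    and raises ValueError for an empty list or an unknown ID.
    """
    ids = []
    for item in raw.split(","):
        pid = item.strip().lower()
        if not pid:
            continue
        if pid not in SUPPORTED_PROVIDERS:
            raise ValueError(f"unknown auth provider {pid!r}; "
                             f"expected a subset of {SUPPORTED_PROVIDERS}")
        if pid not in ids:
            ids.append(pid)
    if not ids:
        raise ValueError("CLOUDGRID_AUTH_PROVIDERS must enable at least one provider")
    return tuple(ids)


def validate_sso_config(env: dict) -> SsoConfig:
    """Validate the deployed-mode SSO variables from the page.

    `env` is a plain mapping so the function can be tested without touching
    os.environ; in a real process pass dict(os.environ).
    """
    if env.get("CLOUDGRID_DEPLOYMENT_MODE") != "deployed":
        raise ValueError("SSO requires CLOUDGRID_DEPLOYMENT_MODE=deployed")
    if env.get("CLOUDGRID_AUTH_MODE") != "sso":
        raise ValueError("CLOUDGRID_AUTH_MODE must be 'sso' for this configuration")

    providers = parse_providers(env.get("CLOUDGRID_AUTH_PROVIDERS", ""))

    company_id = env.get("CLOUDGRID_AUTH_COMPANY_ID", "").strip()
    if not company_id:
        raise ValueError("CLOUDGRID_AUTH_COMPANY_ID is required in deployed mode")

    secret = env.get("CLOUDGRID_SESSION_SECRET", "")
    # Reject an unset value, the literal '<random-session-secret>' placeholder
    # from the docs (or any other <template> value), and short secrets.
    if not secret or re.fullmatch(r"<[^>]*>", secret):
        raise ValueError("CLOUDGRID_SESSION_SECRET is unset or still a placeholder")
    if len(secret.encode("utf-8")) < MIN_SECRET_BYTES:
        raise ValueError(f"CLOUDGRID_SESSION_SECRET must be at least "
                         f"{MIN_SECRET_BYTES} bytes")

    try:
        ttl = int(env.get("CLOUDGRID_SESSION_TTL_SECONDS", ""))
    except ValueError:
        raise ValueError("CLOUDGRID_SESSION_TTL_SECONDS must be an integer") from None
    if ttl <= 0:
        raise ValueError("CLOUDGRID_SESSION_TTL_SECONDS must be positive")

    return SsoConfig(providers, company_id, secret, ttl)


def generate_session_secret() -> str:
    """Produce a value suitable for CLOUDGRID_SESSION_SECRET (32 random bytes, URL-safe)."""
    return secrets.token_urlsafe(MIN_SECRET_BYTES)


# Constructed sample environment mirroring the page's "Common Variables".
SAMPLE_ENV = {
    "CLOUDGRID_DEPLOYMENT_MODE": "deployed",
    "CLOUDGRID_AUTH_MODE": "sso",
    "CLOUDGRID_AUTH_PROVIDERS": "github, google",
    "CLOUDGRID_AUTH_COMPANY_ID": "acme",
    "CLOUDGRID_SESSION_SECRET": generate_session_secret(),
    "CLOUDGRID_SESSION_TTL_SECONDS": "28800",
}

if __name__ == "__main__":
    cfg = validate_sso_config(SAMPLE_ENV)
    print(f"enabled providers: {cfg.providers}, session TTL {cfg.session_ttl_seconds}s")
```

Run it once at process start and let a `ValueError` abort the deploy; the output of `generate_session_secret()` is what you paste into `CLOUDGRID_SESSION_SECRET` instead of the placeholder.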
Provider Pages
Access After Login
SSO authentication proves identity. It does not automatically grant company or project access after the first admin bootstrap.
After the first company admin exists:
- a company admin creates an invitation for an email address;
- a project admin may attach pending project grants for project onboarding;
- the invitation email sends the user to the configured public CloudGrid URL;
- the invited user signs in through an enabled provider;
- the provider must return a verified email that matches the invitation;
- the control plane creates a company user membership and applies the pending project grants.
See the Invitations page for the invitation lifecycle and the Invitation email delivery page for the SMTP boundary.
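The decisive step in the list above is the last check before a membership is created: the login must present a verified email that matches the invitation, because an unverified address proves nothing (anyone can register it at a provider) and a mismatched one is a different person. The redemption routine below is an added example written for this page, not CloudGrid's control-plane code; the dataclass shapes, the casefolded whole-address comparison, the single-use and expiry rules, and the sample clock are assumptions made here.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# The configured company boundary (CLOUDGRID_AUTH_COMPANY_ID on the page).
COMPANY_ID = "acme"

# Fixed clock for the constructed samples so the example is deterministic.
SAMPLE_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)


@dataclass
class Invitation:
    email: str
    company_id: str
    pending_project_grants: tuple   # e.g. (("proj-a", "editor"),) attached by a project admin
    expires_at: datetime
    accepted: bool = False


@dataclass(frozen=True)
class ProviderIdentity:
    """Identity the BFF derives from the provider callback; tokens stay server-side."""
    provider: str        # "github", "google" or "azure"
    subject: str         # provider-stable user identifier
    email: str
    email_verified: bool


@dataclass(frozen=True)
class Membership:
    company_id: str
    email: str
    provider: str
    subject: str
    project_grants: tuple


class AccessDenied(Exception):
    """Raised when a signed-in identity may not redeem the invitation."""


def normalize_email(addr: str) -> str:
    # Case-insensitive comparison of the whole address is an assumption of this
    # example; RFC 5321 lets the local part be case-sensitive, but invitations
    # keyed on exact case would be unusable in practice.
    return addr.strip().casefold()


def redeem_invitation(inv: Invitation, ident: ProviderIdentity, now: datetime) -> Membership:
    """Turn a pending invitation into a company membership, or refuse.

    The cheap state checks run first, then the two checks that decide whether
    this login is the invited person at all.
    """
    if inv.accepted:
        raise AccessDenied("invitation already redeemed")
    if now >= inv.expires_at:
        raise AccessDenied("invitation expired")
    if inv.company_id != COMPANY_ID:
        raise AccessDenied("invitation belongs to a different company boundary")
    # An unverified address proves nothing: anyone can register it at the provider.
    if not ident.email_verified:
        raise AccessDenied(f"{ident.provider} did not return a verified email")
    if normalize_email(ident.email) != normalize_email(inv.email):
        raise AccessDenied("verified email does not match the invitation")

    inv.accepted = True  # single use
    # Bind the membership to (provider, subject), not only the email, so a later
    # email change at the provider cannot be used to take over the account.
    return Membership(inv.company_id, normalize_email(inv.email),
                      ident.provider, ident.subject, tuple(inv.pending_project_grants))


def make_sample_invitation(email: str, grants=(("proj-a", "editor"),),
                           hours_valid: int = 24, company_id: str = COMPANY_ID) -> Invitation:
    """Constructed sample invitation that expires `hours_valid` after SAMPLE_NOW."""
    return Invitation(email, company_id, tuple(grants),
                      SAMPLE_NOW + timedelta(hours=hours_valid))


if __name__ == "__main__":
    inv = make_sample_invitation("Dana@Example.com")
    ident = ProviderIdentity("github", "12345", "dana@example.com", True)
    print(redeem_invitation(inv, ident, SAMPLE_NOW))
```

Note that the check on `email_verified` is what makes the email a usable key: for GitHub that means reading the verified flag from the user/email API rather than trusting the profile email, and for the OIDC providers it means the corresponding claim, not just the presence of an address.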