Skip to main content

Documentation Index

Fetch the complete documentation index at: https://radarhq.io/docs/llms.txt

Use this file to discover all available pages before exploring further.

Radar Cloud uses WorkOS for SSO. Owners configure their IdP self-serve via the WorkOS Admin Portal - Okta, Azure AD, Google, OneLogin, generic SAML, generic OIDC. On save, WorkOS provisions the connection and notifies the Hub.

Set up SSO

Settings → Organization → SSO (owner-only). Click Set up SSO:
  1. Radar lazy-creates a WorkOS organization for you (one per Cloud org) and opens the WorkOS Admin Portal in a new tab.
  2. Pick your IdP from the menu. WorkOS will walk you through the IdP-specific steps:
    • For SAML: SAML metadata URL or XML upload, attribute mapping.
    • For OIDC: discovery URL, client ID / secret.
    • For named IdPs (Okta, Azure AD): OAuth-style consent flow that handles the rest.
  3. Save. WorkOS sends a webhook back to the Hub. Once verified, the SSO card flips to Connected and shows the IdP name + last-tested timestamp.
After setup, users from your IdP can sign in via app.radarhq.io/login → “Sign in with SSO” (or whatever the SAML / OIDC discovery flow auto-detects from their domain). New SSO users land in your org with the Default invite role if your domain is allowed; otherwise, an owner needs to invite them explicitly.

Domain matching

WorkOS routes SSO sign-ins by email domain. The Verified email domain under Settings → Organization → SSO must match the domain your IdP issues identities for. If you have multiple verified domains, list them all in Allowed email domains under Members.

What about JIT / SCIM provisioning?

  • JIT (just-in-time provisioning) - works today. The first time a user signs in via SSO, they’re created as a Cloud user. If domain auto-join is configured, they also land in the org with the default role.
  • SCIM - directory-based user / group sync. Not yet shipped. The schema is reserved on our side but the provisioning endpoints aren’t live. Track this on the changelog if you need it for compliance.

Disconnecting SSO

Owners can manage the connection through the WorkOS Admin Portal (the same link the SSO card opens). Removing the connection there stops new SSO sign-ins; existing sessions remain valid until cookie expiry. There’s no “force every user out” button today - if you need to immediately revoke access for someone whose IdP user was disabled, also remove them from Settings → Organization → Members, which cuts their server-side session.

Audit

SSO setup, IdP changes, and SSO sign-ins all show up in the audit log with action auth.sso.*. The IdP name and connection ID appear in the metadata.

Free vs. paid

SSO is available on every plan, including Free.

See also