SSO & SCIM configuration guide

Last updated: June 2026

Step-by-step guide for IT administrators enabling Microsoft Entra ID (OIDC), SAML 2.0 or SCIM provisioning. Configuration is per-tenant via environment variables; contact ZRG for assisted onboarding.

1. Microsoft Entra ID (OIDC) — recommended

Set in Vercel/hosting environment:
• AZURE_AD_CLIENT_ID
• AZURE_AD_CLIENT_SECRET
• AZURE_AD_TENANT_ID

Redirect URI: https://www.zrgmineral.com/api/auth/sso/callback

After deployment, the sign-in page shows "Sign in with Microsoft". Map Entra groups to ZRG roles in your onboarding call.

2. SAML 2.0 Service Provider

Set SAML_IDP_CERT, SAML_ENTRY_POINT, SAML_ISSUER and SAML_CALLBACK_URL. Provide ZRG with your IdP metadata.

ACS URL: /api/auth/saml/acs

Test with a staging Entra or Okta app before production cutover.

3. SCIM 2.0 provisioning

Set SCIM_BEARER_TOKEN (rotate quarterly) and SCIM_ORG_ACCOUNT_ID (your ZRG billing account ID).

Endpoint base: https://www.zrgmineral.com/api/scim/v2

Supported: Users create/update/deactivate.
Group sync: contact support for enterprise tier.

4. Verification checklist

□ Test login from corporate network
□ Confirm role assignment (owner/admin/member)
□ Verify portfolio isolation between accounts
□ Export audit trail CSV from Enterprise Security page
□ Configure alert webhooks (Slack/Teams URL in terminal settings)

SCIM currently supports single-org provisioning (SCIM_ORG_ACCOUNT_ID). Multi-tenant SCIM is on the enterprise roadmap.
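
A pre-deployment check for the variables in sections 1 to 3, added here as an example and not part of ZRG's own tooling. It flags a partly configured integration, stray whitespace from pasted secrets, and SAML URLs that do not match this guide. Assumptions: SAML_CALLBACK_URL holds the full URL of the ACS endpoint, and both SAML URLs must be https.

```python
import os
import sys
from urllib.parse import urlparse

# Variable names as listed in this guide, grouped by integration.
GROUPS = {
    "oidc": ["AZURE_AD_CLIENT_ID", "AZURE_AD_CLIENT_SECRET", "AZURE_AD_TENANT_ID"],
    "saml": ["SAML_IDP_CERT", "SAML_ENTRY_POINT", "SAML_ISSUER", "SAML_CALLBACK_URL"],
    "scim": ["SCIM_BEARER_TOKEN", "SCIM_ORG_ACCOUNT_ID"],
}
ACS_PATH = "/api/auth/saml/acs"  # ACS URL path from section 2
HTTPS_VARS = ["SAML_ENTRY_POINT", "SAML_CALLBACK_URL"]  # assumption: both must be https
MULTILINE_OK = {"SAML_IDP_CERT"}  # a pasted certificate may end in a newline


def preflight(env):
    """Return findings for an environment mapping; an empty list means clean.

    Findings name variables only and never include their values.
    """
    findings = []
    for group, names in GROUPS.items():
        present = [n for n in names if env.get(n, "").strip()]
        # Nothing set means the integration is not in use; a partial set
        # is a misconfiguration.
        if present and len(present) < len(names):
            missing = [n for n in names if n not in present]
            findings.append(f"{group}: incomplete, missing {', '.join(missing)}")
        for n in present:
            if n not in MULTILINE_OK and env[n] != env[n].strip():
                findings.append(f"{n}: leading or trailing whitespace")
    for n in HTTPS_VARS:
        value = env.get(n, "").strip()
        url = urlparse(value)
        if value and (url.scheme != "https" or not url.netloc):
            findings.append(f"{n}: not an absolute https URL")
    callback = env.get("SAML_CALLBACK_URL", "").strip()
    # Assumption: SAML_CALLBACK_URL is the full URL of the ACS endpoint.
    if callback and urlparse(callback).path != ACS_PATH:
        findings.append(f"SAML_CALLBACK_URL: path is not {ACS_PATH}")
    return findings


if __name__ == "__main__":
    problems = preflight(dict(os.environ))
    for problem in problems:
        print("FAIL", problem)
    sys.exit(1 if problems else 0)
```

Run it in a shell that has the deployment's variables loaded; it exits non-zero when any finding is reported.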