Enterprise setup
SSO & SCIM configuration guide
Last updated: June 2026
Step-by-step for IT administrators enabling Microsoft Entra ID (OIDC), SAML 2.0 or SCIM provisioning. Configuration is per-tenant via environment variables — contact ZRG for assisted onboarding.
1. Microsoft Entra ID (OIDC) — recommended
Set in Vercel/hosting environment:
• AZURE_AD_CLIENT_ID
• AZURE_AD_CLIENT_SECRET
• AZURE_AD_TENANT_ID
Redirect URI: https://www.zrgmineral.com/api/auth/sso/callback
After deployment, the sign-in page shows "Sign in with Microsoft". Map Entra groups to ZRG roles in your onboarding call.
2. SAML 2.0 Service Provider
Set SAML_IDP_CERT, SAML_ENTRY_POINT, SAML_ISSUER and SAML_CALLBACK_URL. Provide ZRG with your IdP metadata.
ACS URL: /api/auth/saml/acs
Test with a staging Entra or Okta app before production cutover.
3. SCIM 2.0 provisioning
Set SCIM_BEARER_TOKEN (rotate quarterly) and SCIM_ORG_ACCOUNT_ID (your ZRG billing account ID).
Endpoint base: https://www.zrgmineral.com/api/scim/v2
Supported: Users create/update/deactivate.
Group sync: contact support for enterprise tier.
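An added example, not ZRG's own code: the create and deactivate requests an IdP connector sends to the endpoint base above, built with the Python standard library so they can be inspected before anything is sent. The /Users resource paths, the PatchOp body and the sample values follow RFC 7643/7644 and are assumptions about this endpoint.

```python
import json
import urllib.parse
import urllib.request

# Endpoint base from this guide. The resource paths and bodies below follow
# RFC 7643/7644 and are an assumption about how the ZRG endpoint behaves.
SCIM_BASE = "https://www.zrgmineral.com/api/scim/v2"
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

def _request(method, path, token, body):
    """Build (but do not send) a SCIM request carrying the bearer token."""
    return urllib.request.Request(
        SCIM_BASE + path,
        data=json.dumps(body).encode("utf-8"),
        method=method,
        headers={
            "Authorization": f"Bearer {token}",
            "Content-Type": "application/scim+json",
            "Accept": "application/scim+json",
        },
    )

def create_user(token, user_name, given_name, family_name):
    """POST /Users: provision an active account."""
    body = {
        "schemas": [USER_SCHEMA],
        "userName": user_name,
        "name": {"givenName": given_name, "familyName": family_name},
        "emails": [{"value": user_name, "primary": True}],
        "active": True,
    }
    return _request("POST", "/Users", token, body)

def deactivate_user(token, user_id):
    """PATCH /Users/{id}: set active=false, the usual offboarding operation."""
    body = {
        "schemas": [PATCH_SCHEMA],
        "Operations": [{"op": "replace", "path": "active", "value": False}],
    }
    # Percent-encode the id so it cannot alter the request path.
    return _request("PATCH", "/Users/" + urllib.parse.quote(user_id, safe=""), token, body)

if __name__ == "__main__":
    # Constructed sample values; read the real token from SCIM_BEARER_TOKEN.
    for req in (create_user("example-token", "jane@example.com", "Jane", "Doe"),
                deactivate_user("example-token", "constructed-id-123")):
        print(req.get_method(), req.full_url, req.data.decode())
```

To send a request, pass the returned object to urllib.request.urlopen from a host that holds the current SCIM_BEARER_TOKEN.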
4. Verification checklist
□ Test login from corporate network
□ Confirm role assignment (owner/admin/member)
□ Verify portfolio isolation between accounts
□ Export audit trail CSV from Enterprise Security page
□ Configure alert webhooks (Slack/Teams URL in terminal settings)
SCIM currently supports single-org provisioning (SCIM_ORG_ACCOUNT_ID). Multi-tenant SCIM is on the enterprise roadmap.