Open /settings/sso. You'll see two sections: "Paste into your IdP" (gives you our SP details) and "Paste IdP details here" (where you give us yours).
On your IdP (Okta / Azure / Google / OneLogin / JumpCloud / Rippling), create a new SAML application with these values:
- ACS URL (POST): https://governos.co/api/saml/acs?tenant=<your-tenant-id> — the page shows the exact URL with your id pre-filled
- SP Entity ID: https://governos.co/sso/<your-tenant-id>
- NameID format: EmailAddress
- Required attributes: email, name
Then on our side: paste your IdP's Entity ID, SSO URL, and X.509 certificate (PEM). Save, then toggle Enabled.
What we verify on every assertion: the XML signature (RSA-SHA256) against your stored cert, that the issuer matches, and that the NotOnOrAfter time has not passed. If any check fails, the assertion is rejected and no session is issued.
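To show what the issuer and NotOnOrAfter checks look like in practice, here is an added example; it is not GovernOS's own code. It assumes the XML signature has already been verified over the same bytes by an XML-DSig library, and the sample assertion, issuer URL and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (Signature element omitted); not real IdP output.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2024-01-01T12:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotOnOrAfter="2024-01-01T12:05:00Z"/>
</saml:Assertion>"""


def parse_instant(value):
    """Parse a SAML UTC timestamp (must end in Z); return None if malformed."""
    if not value.endswith("Z"):
        return None
    try:
        stamp = value[:-1].split(".")[0]  # drop optional fractional seconds
        return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    except ValueError:
        return None


def check_assertion(xml_text, expected_issuer, now):
    """Return (accepted, reason). Anything missing or malformed rejects."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return False, "malformed XML"
    issuer = root.find("saml:Issuer", NS)
    if issuer is None or (issuer.text or "").strip() != expected_issuer:
        return False, "issuer mismatch"
    conditions = root.find("saml:Conditions", NS)
    if conditions is None:
        return False, "missing Conditions"
    # Conditions must carry a deadline; SubjectConfirmationData ones are checked when present.
    deadlines = [conditions.get("NotOnOrAfter")]
    deadlines += [d.get("NotOnOrAfter") for d in root.findall(".//saml:SubjectConfirmationData", NS)
                  if d.get("NotOnOrAfter")]
    for raw in deadlines:
        deadline = parse_instant(raw) if raw else None
        if deadline is None:
            return False, "missing or malformed NotOnOrAfter"
        if now >= deadline:  # valid only strictly before NotOnOrAfter
            return False, "assertion expired"
    return True, "ok"
```

The comparison is strict, with no clock-skew allowance, so an assertion presented exactly at its NotOnOrAfter instant is rejected.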
SCIM provisioning: on the same page, click "Rotate SCIM token" to get a one-shot bearer token to paste into your IdP. We support RFC 7644 user create/update/disable.