MagOneAI gives your users a fast, secure path into the platform — single sign-on through your existing identity provider, multi-factor authentication for an extra layer of protection, and hardened session handling behind the scenes. This page explains how each piece works and what you, as an administrator, need to configure.

Single sign-on (SSO)

MagOneAI implements single sign-on with OpenID Connect (OIDC). Your users authenticate with the identity provider your organization already trusts, and MagOneAI never sees their password.

Supported identity providers

  • Microsoft Entra ID: Sign in with your Microsoft Entra ID (Azure AD) tenant.
  • Google Workspace: Use your Google Workspace accounts for sign-in.
  • Oracle IDCS: Connect Oracle Identity Cloud Service (IDCS).

Configuring a provider

Configuring an SSO provider is an org owner task. You’ll need the client ID and client secret issued by your identity provider.
As an org owner, you configure SSO with four settings:
  • Display name: A friendly name shown to users on the login screen.
  • Client ID: The client (application) ID issued by your identity provider.
  • Client secret: The client secret issued by your identity provider.
  • Allowed email domains: The email domains that route to your organization (for example, acme.com).
Endpoint discovery is automatic. You don’t hand-enter authorization, token, or key URLs — MagOneAI discovers them from your provider.
Each email domain maps to exactly one organization. A domain claimed by your organization cannot be claimed by another, so coordinate domain ownership before you configure SSO.

The login flow

1. User enters their email: On the login screen, the user types their work email address.
2. MagOneAI detects the SSO provider: The platform matches the email domain to your organization and finds its configured SSO provider.
3. Redirect to the identity provider: The user is redirected to your identity provider to authenticate.
4. The user authenticates: The user signs in with their identity provider using whatever policies you’ve set there (including the provider’s own MFA, if enabled).
5. Return signed in: The user is returned to MagOneAI, now signed in.

Automatic provisioning

A user’s MagOneAI account is created automatically on their first successful SSO login. There’s no separate account-creation step — the first sign-in does it.
Users can be added to your organization — and to configured projects — automatically, based on their group membership in your identity provider. This lets you manage MagOneAI access from the same groups you already maintain in your IdP.

How SSO is kept secure

  • CSRF and replay protection — Login state and one-time codes prevent cross-site request forgery and replay of an intercepted sign-in.
  • Token signature verification — The identity provider’s token signature is verified before the user is trusted.
  • Verified email required — The email must be marked as verified by the identity provider.
  • Secrets in the vault — Your client ID and client secret are stored in the secrets vault, never in the database. See Secrets management.
Once a user signs in via SSO, SSO becomes their sign-in method — they cannot use password login afterward.
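The checks listed above, in the order a relying party applies them when the user returns from the identity provider, as an added example that is not MagOneAI’s code. It assumes a hypothetical DOMAIN_TO_ORG registry and constructs its own test token; the signature step uses HMAC (HS256) so it runs with the standard library alone, where a real provider signs with RS256 and publishes its keys via JWKS.

```python
import base64, hashlib, hmac, json, time

# Constructed registry: each email domain maps to exactly one organization.
DOMAIN_TO_ORG = {}

def claim_domain(domain, org_id):
    owner = DOMAIN_TO_ORG.get(domain)
    if owner is not None and owner != org_id:
        raise ValueError(f"{domain} is already claimed by organization {owner}")
    DOMAIN_TO_ORG[domain] = org_id

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(key, claims):
    """Mint a constructed HS256 token that stands in for the provider's signed ID token."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_id_token(token, key, issuer, client_id, expected_nonce, now=None):
    """Return (org_id, claims) when every check passes; raise ValueError otherwise."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    # 1. Token signature: HMAC here; a real IdP signs with RS256 and publishes keys via JWKS.
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("token signature does not verify")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    # 2. The token must come from the configured provider, for this client, and be unexpired.
    if claims.get("iss") != issuer or claims.get("aud") != client_id:
        raise ValueError("wrong issuer or audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    # 3. Replay protection: the nonce must match the one bound to this login's state.
    if not hmac.compare_digest(str(claims.get("nonce", "")), expected_nonce):
        raise ValueError("nonce mismatch: possible replayed sign-in")
    # 4. Verified email required.
    if claims.get("email_verified") is not True:
        raise ValueError("email is not marked verified by the provider")
    # 5. Route the email domain to the one organization that claims it.
    domain = claims["email"].rsplit("@", 1)[1].lower()
    if domain not in DOMAIN_TO_ORG:
        raise ValueError(f"no organization claims {domain}")
    return DOMAIN_TO_ORG[domain], claims
```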

Multi-factor authentication (MFA)

For users who sign in with a password, MagOneAI adds a second factor using time-based one-time passwords (TOTP) from any standard authenticator app.

How users enroll

1. Start enrollment: The user begins MFA enrollment from their account.
2. Scan the QR code: The user scans the displayed QR code with any standard authenticator app (such as the one they already use for other services).
3. Confirm the code: The user enters a code from their app to confirm enrollment.

The MFA challenge

After a correct password, the user completes an MFA challenge — entering the current code from their authenticator app — before they’re fully signed in.
Repeated failed attempts trigger a temporary lockout to slow down guessing.

Enforcing MFA

An organization can enforce an MFA policy that requires its members to enroll. When the policy is in effect, members must set up MFA before they can continue using the platform.
Backup and recovery codes are not currently available. If a user loses access to their authenticator device, they cannot recover MFA on their own; a platform superadmin must reset or disable MFA for them. See the Admin Portal.
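How the code check and the lockout described above fit together, as an added example that is not MagOneAI’s code. The totp function is the standard RFC 6238 algorithm (HMAC-SHA1, 30-second step, 6 digits) that any authenticator app implements; MfaChallenge is a hypothetical per-user state object whose failure threshold, lockout duration and skew window are assumed values.

```python
import hashlib, hmac, struct, time

STEP = 30  # seconds per TOTP time step

def totp(secret, at_time, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1, 30 s step) for the given Unix time."""
    counter = int(at_time) // STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class MfaChallenge:
    """Hypothetical per-user challenge state: tolerates adjacent time steps for clock
    skew, never accepts the same step twice, and locks out after repeated failures."""

    def __init__(self, secret, max_failures=5, lockout_seconds=300, window=1):
        self.secret = secret
        self.window = window
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.failures = 0
        self.locked_until = 0
        self.last_counter = -1  # highest time step already used to sign in

    def verify(self, code, now=None):
        now = time.time() if now is None else now
        if now < self.locked_until:
            return False  # temporary lockout in force; the code is not even evaluated
        if not (code.isascii() and code.isdigit()):
            code = ""  # malformed input can never match and counts as a failure below
        for delta in range(-self.window, self.window + 1):
            t = now + delta * STEP
            counter = int(t) // STEP
            if counter > self.last_counter and hmac.compare_digest(totp(self.secret, t), code):
                self.last_counter = counter
                self.failures = 0
                return True
        self.failures += 1
        if self.failures >= self.max_failures:
            self.locked_until = now + self.lockout_seconds
            self.failures = 0
        return False
```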

Session and token handling

You don’t need to configure session handling — it’s built in — but it’s useful to understand how MagOneAI keeps a signed-in session safe.
  • Secure, HTTP-only cookies — Sessions use signed tokens stored in secure, HTTP-only cookies, so they aren’t exposed to scripts running on the page.
  • Short-lived access tokens — A short-lived access token (about 60 minutes) is paired with a longer refresh token (about 7 days).
  • Rotating refresh tokens — Refresh tokens rotate on each refresh and are revoked on logout, so a stolen old token stops working.
  • CSRF protection — Cross-site request forgery protection is enforced on requests that change state.
  • Rate limiting — Sign-in, sign-up, and email-verification requests are rate-limited to resist brute-force attempts.
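The refresh-token rotation and revocation behaviour above, as an added example that is not MagOneAI’s code. SessionStore is a hypothetical server-side table that stores only a hash of the current refresh token; the lifetimes follow the figures given above, and revoking the whole session when an old token is presented is an assumed reuse-detection policy, not something this page states.

```python
import hashlib, hmac, secrets

ACCESS_TTL = 60 * 60            # access token lifetime, about 60 minutes
REFRESH_TTL = 7 * 24 * 60 * 60  # refresh token lifetime, about 7 days

class SessionStore:
    """Hypothetical server-side session table. Only a hash of the current refresh token
    is kept, one per session, so a leaked table row cannot be replayed as a token."""

    def __init__(self):
        self.sessions = {}  # session_id -> {"user", "refresh_hash", "refresh_exp"}

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, user, now):
        """Create a session; returns (session_id, refresh_token, access_token_expiry)."""
        sid = secrets.token_urlsafe(16)
        refresh = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": user, "refresh_hash": self._digest(refresh),
                              "refresh_exp": now + REFRESH_TTL}
        return sid, refresh, now + ACCESS_TTL

    def refresh(self, sid, presented, now):
        """Rotate: accept only the current refresh token, issue a new one, retire the old."""
        s = self.sessions.get(sid)
        if s is None or now >= s["refresh_exp"]:
            return None
        if not hmac.compare_digest(s["refresh_hash"], self._digest(presented)):
            # Anything other than the current token is stale or stolen. Revoking the
            # whole session (reuse detection) also cuts off whoever holds the live token.
            del self.sessions[sid]
            return None
        new_refresh = secrets.token_urlsafe(32)
        s["refresh_hash"] = self._digest(new_refresh)
        return new_refresh, now + ACCESS_TTL

    def logout(self, sid):
        """Revoke the session so its refresh token stops working immediately."""
        self.sessions.pop(sid, None)
```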

Next steps

  • Security overview: See how authentication fits into MagOneAI’s defense-in-depth model.
  • Roles and permissions: Understand the roles users get once they’re signed in.
  • Secrets and Vault: Learn where SSO credentials are stored and protected.
  • Admin Portal: Manage users, MFA resets, and platform-wide settings.