LeaseWizard Docs

Enterprise SSO (OIDC)

Architecture and supported providers for per-organization enterprise SSO against your own IdP.

Architecture

Browser
  -> app.leasewizard.ai  (frontend)
  -> auth.leasewizard.ai/auth/sso/<your-org-slug>/start/
  -> <your IdP authorization endpoint, e.g. login.microsoftonline.com>
  -> auth.leasewizard.ai/accounts/oidc/<provider_id>/login/callback/
  -> app.leasewizard.ai  (JWT issued, user is signed in)

  • All customer-facing identity validation happens on auth.leasewizard.ai (the LeaseWizard authentication host).
  • The customer's IdP only ever redirects back to auth.leasewizard.ai — never directly to the app or to a third-party URL.
  • OAuth Authorization Code flow is used; PKCE is enabled by default; the nonce is validated; the ID token's issuer, audience, expiry, and signature are validated.
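The relying-party side of the flow described above, as an added example (not LeaseWizard's own code): the auth host generates state, nonce and a PKCE verifier for the IdP redirect, then checks the returned ID token's signature, issuer, audience, expiry and nonce at the callback. The HMAC verifier and token minter at the bottom are constructed test doubles standing in for the IdP's RS256 key published in its JWKS; endpoint and client_id values are placeholders.

```python
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import urlencode

# Added example, not LeaseWizard's code. Signature checking is injected; the demo
# verifier at the bottom is an HMAC stand-in for the IdP's JWKS-published key.
def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def start_login(session, authz_endpoint, client_id, redirect_uri):
    """Build the IdP redirect; state, nonce and the PKCE verifier stay server-side."""
    session["state"] = b64url(secrets.token_bytes(16))
    session["nonce"] = b64url(secrets.token_bytes(16))
    session["verifier"] = b64url(secrets.token_bytes(32))
    # Only the S256 challenge (RFC 7636) leaves in the URL, never the verifier.
    challenge = b64url(hashlib.sha256(session["verifier"].encode()).digest())
    return authz_endpoint + "?" + urlencode({"response_type": "code", "client_id": client_id,
        "redirect_uri": redirect_uri, "scope": "openid email profile", "state": session["state"],
        "nonce": session["nonce"], "code_challenge": challenge, "code_challenge_method": "S256"})

def validate_id_token(id_token, issuer, client_id, session, verify_sig, now=None):
    """Callback-side checks: signature, iss, aud, exp, nonce. Nonce is single-use."""
    head_b64, body_b64, sig_b64 = id_token.split(".")
    header = json.loads(b64url_decode(head_b64))
    if not verify_sig(header, f"{head_b64}.{body_b64}".encode(), b64url_decode(sig_b64)):
        raise ValueError("signature invalid")
    claims = json.loads(b64url_decode(body_b64))
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")  # may be a string or a list per the OIDC spec
    if client_id not in ([aud] if isinstance(aud, str) else aud or []):
        raise ValueError("audience mismatch")
    if float(claims.get("exp", 0)) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    if claims.get("nonce") != session.pop("nonce", None):
        raise ValueError("nonce mismatch")
    return claims

# Constructed test doubles, not an IdP: HMAC-SHA256 key, verifier and token minter.
DEMO_KEY = b"constructed-demo-key"
def demo_verify_sig(header, signing_input, sig):
    # Pin the algorithm instead of trusting whatever the header claims.
    return header.get("alg") == "HS256" and hmac.compare_digest(
        hmac.new(DEMO_KEY, signing_input, hashlib.sha256).digest(), sig)
def demo_mint_id_token(claims):
    head = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(DEMO_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url(sig)}"
```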

Provider support

The enterprise connection uses the standard OpenID Connect Discovery metadata document. Any OIDC-compliant IdP works, including:

  • Microsoft Entra ID (Azure AD)
  • Okta
  • Ping Identity
  • Auth0
  • Google Workspace (via a customer-owned OIDC client, different from the public Google button)

SAML 2.0 is not supported today. If SAML is a hard requirement, contact security@leasewizard.ai.

Setup journey

  1. Microsoft Entra ID setup — register the app, create a client secret, configure token permissions, and share the values with LeaseWizard.
  2. Handing over secrets — secure channels for sharing the client secret.
  3. Testing the integration — joint tests before the connection goes live.