Single Sign-On (SSO) lets your team sign in to Coalesce Quality using your organization’s identity provider (IdP) — such as Microsoft Entra ID (Azure AD), Okta, Google Workspace, or any provider that supports SAML 2.0 or OpenID Connect (OIDC). Authentication is handled by your IdP, so users never need a separate Coalesce Quality password, and you keep central control over access, password policy, and offboarding.
SSO is an enterprise feature. Connections are set up together with our team — reach out to your Coalesce contact or email support@synq.io to start.

How SSO works at Coalesce

Coalesce Quality uses Auth0 as its authentication layer. Setting up SSO is a short, guided exchange between you and our team:
  1. Create an app in your identity provider. Register Coalesce Quality as an application (sometimes called an “enterprise app”, “integration”, or “relying party”) in your IdP.
  2. Exchange connection details. We give you the Coalesce Quality URL to add to your app, and you send us your app’s connection details in return.
  3. We configure the connection. Our team creates the enterprise connection on the Coalesce Quality side and links it to your workspace.
  4. Test and enforce. You verify a test login, then we enable SSO for your workspace.

Before you begin

  • Administrator access to your identity provider — you need to be able to create applications and assign users in your IdP.
  • An enterprise plan with SSO enabled. Contact your Coalesce account team if you’re unsure whether it’s enabled.
  • Your region — Coalesce Quality is deployed in two regions. Note which one your workspace uses: when you register an OAuth/OIDC app you’ll enter its callback URL as the redirect URI. (For SAML connections, Coalesce gives you a connection-specific ACS URL based on this.)
    Region         App URL                   Callback URL
    EU (default)   https://app.synq.io       https://teamcoalesce.eu.auth0.com/login/callback
    US             https://app.us.synq.io    https://teamcoalesce.us.auth0.com/login/callback

Step 1: Connect your identity provider

Select your identity provider below and follow its instructions end to end. Each one lists what you’ll need, the steps to perform in your IdP, and what to send back to us. The generic SAML 2.0 and OIDC tabs cover any provider not listed — including Ping Identity, ADFS, OneLogin, and JumpCloud (see Other identity providers).
What you need: the Redirect URI for your region.
Steps:
  1. In the Microsoft Entra admin center, go to Identity → Applications → App registrations → New registration.
  2. Give it a name, choose the supported account types for your organization, and add the Redirect URI (platform Web) for your region.
  3. Under Certificates & secrets, create a new client secret and copy its value immediately — it can’t be viewed again later.
  4. Under API permissions, make sure User.Read is granted and grant admin consent. Add Directory.Read.All only if you need group or extended attributes.
  5. Assign the users or groups who should have access.
What you send:
  • Application (client) ID
  • Client secret
  • Your Microsoft Entra (Azure AD) domain
Send the client secret over a secure channel — a secrets manager, or a 1Password shared item or one-time link — never plain email or chat. The client ID, domain, and SAML metadata aren’t sensitive and can be shared normally.

Step 2: Map user attributes

Coalesce Quality identifies users by their email address and uses their name for display. Make sure your IdP sends these claims:
Attribute   Required      Notes
Email       Yes           Used as the unique user identifier. For SAML, this is typically the Name ID or an email attribute.
Name        Recommended   Used for display. Send a full name, or first name and last name.
For OIDC, requesting the openid, profile, and email scopes covers these claims.
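
Before the test login in Step 3, the claims your IdP issues for a test account can be checked against the table above. The following is an added example, not Coalesce or Auth0 code; it covers OIDC only and assumes the standard OIDC claim names `email`, `name`, `given_name` and `family_name`. The token and the address alex@example.com are constructed samples.

```python
import base64
import json

REQUIRED_SCOPES = {"openid", "profile", "email"}  # scopes named on this page


def make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned sample token so the demo runs offline."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.constructed-signature"


def decode_claims(id_token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature (inspection only)."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def missing_scopes(requested: str) -> set:
    """Scopes from this page that a space-separated scope string lacks."""
    return REQUIRED_SCOPES - set(requested.split())


def check_claims(claims: dict, expected_email: str) -> list:
    """List mapping problems for the test account's claims."""
    problems = []
    email = claims.get("email")
    if not isinstance(email, str) or not email.strip():
        problems.append("email claim missing (required: unique user identifier)")
    elif email != expected_email:
        problems.append(f"email claim is {email!r}, expected {expected_email!r}")
    has_full = bool(claims.get("name"))
    has_parts = bool(claims.get("given_name")) and bool(claims.get("family_name"))
    if not (has_full or has_parts):
        problems.append("no name, and no given_name plus family_name (recommended)")
    return problems


if __name__ == "__main__":
    token = make_sample_token({"sub": "constructed-id", "email": "alex@example.com",
                               "given_name": "Alex"})
    for problem in check_claims(decode_claims(token), "alex@example.com"):
        print("FIX:", problem)
```

Because the signature is not verified, use this only to inspect a token from your own test login, not to make access decisions.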

Step 3: Test and enforce SSO

  1. Once we’ve configured the connection, we share a test login link (or you sign in from the configured app).
  2. Confirm you’re redirected to your IdP, authenticate, and land in your Coalesce Quality workspace.
  3. When the test succeeds, we enable SSO for your workspace.
Test with a real account from your IdP before rolling SSO out to your whole team. If attribute mapping is wrong, sign-in will fail or create users with missing details.

User provisioning and roles

New users are provisioned automatically the first time they sign in through SSO (just-in-time provisioning). A newly provisioned user is assigned the Business User role, which has the most limited permissions — see User roles for what each role can do.
We recommend inviting users through the app UI and assigning their role before they sign in for the first time. Otherwise they land with the limited permissions of a Business User until an admin updates their role on the Team page.

Troubleshooting

Usually the URL you entered in your IdP doesn’t exactly match the one Coalesce provided. Re-check it against the value for your region and confirm there are no trailing spaces.
For OAuth/OIDC connections (Entra ID, Okta, Google Workspace), the client secret has likely expired — Microsoft Entra secrets expire by default. Generate a new client secret in your IdP and send the new value to Coalesce.
The X.509 signing certificate Coalesce has doesn’t match the one your IdP is using — often after a certificate rotation. Send us your updated metadata so we can refresh the connection.
Check your attribute / claim mapping in Map user attributes. The email claim must be present and must be the address you expect to identify the user by.
Make sure the URLs and identifier you entered match your workspace’s region (app.synq.io for EU, app.us.synq.io for US). Values from the other region won’t work.
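
The redirect URI and region mismatches described above can be diagnosed before you contact support. This is an added example, not Coalesce tooling; it applies to OAuth/OIDC redirect URIs only (SAML ACS URLs are connection-specific), and the function name is hypothetical. The URLs are the ones from the region table on this page.

```python
from urllib.parse import urlsplit

# Values copied from the region table on this page.
CALLBACKS = {
    "EU": "https://teamcoalesce.eu.auth0.com/login/callback",
    "US": "https://teamcoalesce.us.auth0.com/login/callback",
}
APP_URLS = {"EU": "https://app.synq.io", "US": "https://app.us.synq.io"}


def diagnose_redirect_uri(configured: str, region: str) -> list:
    """Return why `configured` differs from the region's callback URL.

    An empty list means an exact, character-for-character match.
    """
    expected = CALLBACKS[region]
    if configured == expected:
        return []
    issues = []
    value = configured.strip()
    if value != configured:
        issues.append("leading or trailing whitespace")
    if value in [url for reg, url in CALLBACKS.items() if reg != region]:
        return issues + ["callback URL belongs to the other region"]
    if value.rstrip("/") in APP_URLS.values():
        return issues + ["app URL entered instead of the callback URL"]
    got, want = urlsplit(value), urlsplit(expected)
    if got.scheme != want.scheme:
        issues.append(f"scheme is {got.scheme!r}, expected {want.scheme!r}")
    if got.netloc.lower() != want.netloc:
        issues.append(f"host is {got.netloc!r}, expected {want.netloc!r}")
    if got.path != want.path:
        issues.append(f"path is {got.path!r}, expected {want.path!r}")
    if got.query or got.fragment:
        issues.append("unexpected query string or fragment")
    # Anything left over (such as letter case in the host) is still a mismatch.
    return issues or ["differs from the expected value in letter case"]


if __name__ == "__main__":
    # Constructed sample: a value pasted with a trailing space and slash.
    for issue in diagnose_redirect_uri(CALLBACKS["EU"] + "/ ", "EU"):
        print("FIX:", issue)
```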

Other identity providers

Coalesce Quality works with any identity provider that supports SAML 2.0 or OpenID Connect, even if it isn’t listed in Step 1:
  • Ping Identity (PingOne / PingFederate) and ADFS — both support SAML 2.0 and OIDC. Create the application in your provider and follow the generic SAML 2.0 (other) or OIDC (other) instructions in Step 1.
  • On-premises Active Directory / LDAP — supported, but requires additional setup beyond the standard cloud flow. Contact support@synq.io to connect an on-premises directory.
If you’re not sure whether your provider is supported, reach out to support@synq.io.