Skip to main content

SSO and Access

StatiBeat currently supports multiple access and identity surfaces.

Organization admin authentication

The organization admin authentication page supports both:

  • OIDC
  • SAML

From the current UI, admins can configure fields including:

  • protocol selection
  • enabled toggle
  • issuer URL
  • client ID
  • client secret
  • redirect URI
  • subject, email, and groups claims for OIDC
  • SAML entity ID
  • SAML SSO URL
  • SAML signing certificate
  • SP entity ID or metadata URL
  • ACS URL

This is implemented in application/frontend/src/pages/admin/OIDCSettings.jsx.

Private-page viewer access

Separate from admin SSO, page viewers can be gated on a per-page basis.

The current page routing and viewer-access screen supports:

  • public or private visibility
  • shared viewer password
  • viewer SSO
  • shared password or viewer SSO

When viewer SSO is enabled, the current UI supports both OIDC and SAML configuration for the selected page.

Viewer auth is distinct from admin auth. Signing in as a page viewer does not grant /admin access.

Group mappings

The page-scoped SSO group-mapping UI lets admins map an identity-provider group name to:

  • built-in role keys such as page_admin, page_manager, and page_viewer
  • legacy compatibility values admin, manager, and viewer
  • custom page role keys when advanced RBAC is enabled

This is implemented in application/frontend/src/pages/admin/OIDCGroupMappings.jsx, and the Terraform provider exposes the same concept through statuspage_sso_group_mapping.

Page access management

Separate from SSO, the page access UI lets admins:

  • grant access to existing users
  • create a new user and assign a page role
  • remove page memberships
  • define and assign custom page roles when advanced RBAC is available

The UI exposes page roles directly in application/frontend/src/pages/admin/PageAccessManagement.jsx.

Plan behavior

Some access capabilities depend on workspace entitlements.

Workspaces without advanced access features use the built-in role bundles.

Workspaces with advanced RBAC and SSO-related features enabled can use extras such as:

  • custom page roles
  • custom SSO role mappings
  • viewer SSO for private pages

If a workspace loses those entitlements later, existing custom roles and SSO mappings continue to work but become read-only until the feature is re-enabled.