Collabase supports multiple authentication methods so users can sign in with their existing corporate credentials. You configure identity providers under Settings → Identity Providers. Supported provider types:

  • OAuth 2.0: social and enterprise OAuth providers (Google, GitHub, Microsoft, Okta, and Keycloak).
  • LDAP / Active Directory: LDAP authentication and automatic directory sync for on-premises identity stores.
  • SAML 2.0: SAML-based single sign-on with any SAML 2.0 compliant identity provider.

After you enable an identity provider, users see a Sign in with [provider] button on the login page.

OAuth 2.0 providers

Collabase supports the following OAuth 2.0 providers out of the box:

| Provider | Notes |
| --- | --- |
| Google | Standard Google OAuth. Works for both personal and Workspace accounts. |
| GitHub | GitHub OAuth App. Requires creating an OAuth App in your GitHub organisation. |
| Microsoft | Microsoft / Azure AD OAuth. Works with personal accounts and Entra tenants. |
| Okta | Requires your Okta organisation domain URL. |
| Keycloak | Requires your Keycloak realm issuer URL. |

Configuring an OAuth provider

1. Create an OAuth application in your provider
   Register a new OAuth app in your identity provider’s developer console. You will need to supply a redirect URI (callback URL). The callback URL for Collabase is:
   https://your-collabase-domain/api/auth/callback/<provider>
   For example, for Google: https://app.example.com/api/auth/callback/google

2. Copy your Client ID and Client Secret
   Your provider will give you a Client ID and Client Secret once you create the app.

3. Open Settings → Identity Providers
   Click the provider card (Google, GitHub, Microsoft, Okta, or Keycloak) in the Add Identity Provider section.

4. Enter your credentials
   Paste the Client ID and Client Secret. For Okta, enter your Okta domain URL. For Keycloak, enter the full realm issuer URL including /realms/<realm-name>.

5. Set the default role
   Choose the global role (Viewer, Collaborator, or Admin) that new users created through this provider will receive.

6. Enable the provider and save
   Toggle the provider to Enabled and click Save. The sign-in button for this provider appears on the login page immediately.

Client secrets are encrypted at rest and are never displayed again after saving. To rotate a secret, open the provider settings and enter a new secret.

LDAP / Active Directory

LDAP lets Collabase authenticate users against an on-premises or cloud LDAP server (OpenLDAP, Active Directory, FreeIPA, etc.) and periodically sync the user list. Navigate to Settings → Identity Providers and click the Active Directory / LDAP row to configure it.

What you need

| Field | Description |
| --- | --- |
| Host | LDAP server hostname or IP address. |
| Port | Default 389 for plain LDAP, 636 for LDAPS (TLS). |
| Use TLS | Enable to connect over LDAPS. Automatically switches the port to 636. |
| Bind DN | The distinguished name of the service account Collabase uses to bind to the directory. Example: cn=svc-collabase,ou=service-accounts,dc=example,dc=com |
| Bind Password | Password for the bind service account. |
| Base DN | The root of the tree to search for users. Example: ou=users,dc=example,dc=com |
| User Search Filter | LDAP filter to select user objects. Default: (objectClass=person) |
| Email Attribute | LDAP attribute that maps to the user’s email. Default: mail |
| Name Attribute | LDAP attribute that maps to the user’s display name. Default: displayName |
| Groups Attribute | LDAP attribute used for group membership. Default: memberOf |
| Default Role | The global role assigned to users synced from LDAP. |

Directory presets

The configuration panel includes presets to auto-fill common attribute mappings:
  • Active Directory — uses userPrincipalName for email, displayName for name, (objectClass=user) for filter.
  • OpenLDAP — uses mail for email, cn for name, (objectClass=inetOrgPerson) for filter.
Select a preset to populate the fields, then adjust as needed for your schema.

Testing the connection

Click Test Connection after filling in the server details to verify that Collabase can bind to your directory and count matching users before saving. The test result shows the number of users found or the error message if the connection fails.

Sync behaviour

When LDAP sync is enabled, Collabase periodically pulls users from the directory:
  • New users in LDAP are created in Collabase with the configured default role.
  • Existing users have their name and LDAP DN updated on each sync.
  • Users removed from LDAP (no longer matching the search filter) are disabled in Collabase.
You can also trigger a manual sync at any time by clicking Sync Now in the LDAP settings panel. The sync result shows the number of users created, updated, and disabled.
LDAP users are shown with an LDAP badge in the Directory column of the users table. Their profile fields are read-only in Collabase — changes must be made in your directory and will be reflected on the next sync.
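
A dry run of the sync rules above, for previewing who would be created, updated or disabled after a change to the search filter or Base DN. This is an added illustration, not Collabase code: `plan_sync`, matching accounts by email, treating accounts without a DN as local, and the sample records are all assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class User:
    email: str
    name: str
    dn: Optional[str]   # assumption: None marks a local (non-LDAP) account
    role: str
    disabled: bool = False

def plan_sync(entries, users, default_role, email_attr="mail", name_attr="displayName"):
    """Preview one sync run. `entries` are the directory objects matched by
    the User Search Filter under the Base DN. Matching by email is an
    assumption of this sketch; local accounts are left untouched."""
    ldap_users = {u.email.lower(): u for u in users if u.dn is not None}
    created, updated, seen = [], [], set()
    for e in entries:
        email = e[email_attr].lower()
        seen.add(email)
        current = ldap_users.get(email)
        if current is None:
            created.append(User(email, e[name_attr], e["dn"], default_role))
        elif (current.name, current.dn) != (e[name_attr], e["dn"]):
            updated.append(email)      # name or DN changed in the directory
    disabled = sorted(m for m, u in ldap_users.items()
                      if m not in seen and not u.disabled)
    return created, updated, disabled

# Constructed sample data (not from a real directory).
USERS = [
    User("alice@example.com", "Alice A", "cn=alice,ou=users,dc=example,dc=com", "Collaborator"),
    User("bob@example.com", "Bob B", "cn=bob,ou=users,dc=example,dc=com", "Viewer"),
    User("breakglass@example.com", "Break Glass", None, "Admin"),
]
ENTRIES = [  # search result after bob was removed and alice was renamed
    {"dn": "cn=alice,ou=users,dc=example,dc=com", "mail": "Alice@example.com", "displayName": "Alice Adams"},
    {"dn": "cn=carol,ou=users,dc=example,dc=com", "mail": "carol@example.com", "displayName": "Carol C"},
]

def preview():
    created, updated, disabled = plan_sync(ENTRIES, USERS, default_role="Viewer")
    return [u.email for u in created], updated, disabled
```

Feeding it the result of a narrower filter shows every account that filter no longer matches in the `disabled` list before the change is saved.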

SAML 2.0

SAML 2.0 is supported for enterprise single sign-on with identity providers such as Okta, Microsoft Entra (Azure AD), and any other SAML 2.0 compliant IdP.

What you provide to your IdP

Your identity provider needs two values to register Collabase as a service provider:

| Value | Format |
| --- | --- |
| ACS URL (Assertion Consumer Service) | https://your-collabase-domain/api/auth/saml/callback |
| SP Entity ID | https://your-collabase-domain/api/auth/saml/metadata |

You can also point your IdP to the metadata URL directly: https://your-collabase-domain/api/auth/saml/metadata. Most modern IdPs can import the SP metadata automatically from this URL.

What you need from your IdP

| Field | Where to find it |
| --- | --- |
| IdP SSO URL | The Single Sign-On URL from your IdP. In Okta, this is the Identity Provider Single Sign-On URL. In Entra, it is the Login URL. |
| IdP Certificate | The X.509 certificate used by your IdP to sign assertions. Copy the PEM-encoded certificate from your IdP. |
| Entity ID | The IdP’s entity identifier (issuer). Usually a URL provided in your IdP’s SAML settings. |

Configuring SAML

Navigate to Settings → Identity Providers and open the SAML configuration panel.
1. Enter the IdP SSO URL
   Paste the Single Sign-On URL from your identity provider.

2. Enter the IdP certificate
   Paste the PEM-encoded X.509 signing certificate from your IdP.

3. Set the Entity ID
   Enter the IdP entity ID (issuer) exactly as your IdP presents it.

4. Enable SAML and save
   Toggle SAML to Enabled and save the configuration. Users will see a Sign in with SSO button on the login page.

Attribute mapping

Collabase maps the following SAML assertion attributes to user profile fields:

| Collabase field | Expected SAML attribute |
| --- | --- |
| Email | email or http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress |
| Display name | displayName or name |

Configure your IdP to include these attributes in the SAML assertion.
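
An offline check that a sample assertion from your IdP carries the issuer you configured as Entity ID and the attributes listed above. This is an added example, not Collabase code: `check_assertion`, the Entity ID value and the sample XML are constructed, and the check inspects content only without validating the signature.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_ATTRS = ("email", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress")
NAME_ATTRS = ("displayName", "name")

def check_assertion(xml_text, expected_entity_id):
    """Return a list of problems; an empty list means the sample is mappable.
    Content check only: this does NOT verify the XML signature."""
    root = ET.fromstring(xml_text)
    assertion = root if root.tag.endswith("}Assertion") else root.find(".//saml:Assertion", NS)
    if assertion is None:
        return ["no saml:Assertion element found"]
    problems = []
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != expected_entity_id:   # exact match: case and trailing slash count
        problems.append(f"issuer {issuer!r} != configured Entity ID {expected_entity_id!r}")
    present = set()
    for attr in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text for v in attr.findall("saml:AttributeValue", NS)
                  if v.text and v.text.strip()]
        if values:                     # an attribute with no value maps to nothing
            present.add(attr.get("Name"))
    if not present.intersection(EMAIL_ATTRS):
        problems.append("no email attribute (expected one of: %s)" % ", ".join(EMAIL_ATTRS))
    if not present.intersection(NAME_ATTRS):
        problems.append("no display name attribute (expected one of: %s)" % ", ".join(NAME_ATTRS))
    return problems

# Constructed sample: issuer has a trailing slash, name is sent as givenName.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://idp.example.com/saml/</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="givenName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
```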

SSO bypass policy

When SSO is the primary authentication method for your organisation, you may still need certain admin accounts to be able to log in with a password — for example, a break-glass admin account. Configure this under Settings → Security → Policies → SSO Bypass:
  • Add specific users or groups that are exempt from the SSO requirement.
  • Generate a bypass link (/auth/login?sso_bypass=1) that bypasses SSO enforcement and shows the standard email/password login form.
Keep the bypass link confidential. Any user with the link can reach the password login form.
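
One way to monitor use of the bypass link: scan reverse-proxy access logs for requests to /auth/login carrying sso_bypass=1 and report source addresses outside the networks your break-glass admins connect from. This is an added example, not part of Collabase; the combined log format, the allowed network and the log lines are constructed.

```python
import ipaddress
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlsplit

# Combined log format: ip ident user [time] "METHOD target PROTO" status ...
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" \d{3}')

def bypass_hits(lines, allowed_nets):
    """Count requests to /auth/login with sso_bypass=1, per source address
    that is outside allowed_nets. Returns {source: count}."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    hits = Counter()
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue                     # not an access-log line
        src, target = m.groups()
        url = urlsplit(target)
        if unquote(url.path).rstrip("/") != "/auth/login":
            continue
        # parse_qs percent-decodes names, so sso%5Fbypass=1 is matched too
        if "1" not in parse_qs(url.query).get("sso_bypass", []):
            continue
        try:
            inside = any(ipaddress.ip_address(src) in n for n in nets)
        except ValueError:               # logged hostname instead of an IP
            inside = False
        if not inside:
            hits[src] += 1
    return dict(hits)

# Constructed log lines using documentation address ranges.
LOG = [
    '10.0.5.12 - - [12/Mar/2025:09:14:02 +0000] "GET /auth/login?sso_bypass=1 HTTP/1.1" 200 4211',
    '203.0.113.44 - - [12/Mar/2025:09:20:45 +0000] "GET /auth/login?sso_bypass=1 HTTP/1.1" 200 4211',
    '203.0.113.44 - - [12/Mar/2025:09:20:51 +0000] "GET /auth/login?next=%2F&sso%5Fbypass=1 HTTP/1.1" 200 4211',
    '198.51.100.7 - - [12/Mar/2025:09:31:10 +0000] "GET /auth/login HTTP/1.1" 302 0',
]
```

Calling `bypass_hits(LOG, ["10.0.5.0/24"])` on the sample reports two requests from 203.0.113.44 and ignores the admin network and the ordinary login request.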