All Collections
Admin Questions
SAML based SSO & Reduct
SAML based SSO & Reduct

Reduct supports SSO via SAML 2.0 as a Service Provider. It works with any compatible Identity Provider, such as Okta, OneLogin, Azure, etc.

Updated over a week ago

Implementing SSO is quick, easy and painless. Contact us to get started.


How is access managed with SSO?

All access is managed from within Reduct as usual. Users must be invited to a project or workspace to access any content, and signing in with SSO does not grant any access by itself.

Does Reduct support just-in-time provisioning?

No, users must sign up or be invited from within Reduct to use the platform. SSO is only used for authentication, and does not grant access to the content in a workspace.

Can there be a mix of SSO and non-SSO accounts?

SSO is configured by domain, and enforced for all users with an email address at that domain. You can invite others (such as guests or contractors) with a different email domain, and they won’t be subject to SSO.

What SAML attributes does Reduct support?

Reduct currently uses only the NameID (email), but you’re encouraged to provide a full name, short (first) name, and profile image URL. There’s no spec for these attributes yet, but they may be used in the future.

Can I limit access to a specific domain?

A workspace may optionally be associated with a domain, which can be used to restrict who can access or join a project, or who can view a published reel.

What happens if I can’t log in?

You can contact for any problems with your login or SSO configuration.

Configuration details

Configure your Identity Provider using Reduct’s Service Provider configuration XML, located here:

Or manually, as follows:

It’s best if your IdP is configured to allow all users to access the app. Users must be added from within Reduct to have access to content and use paid seats. Once they’re invited, though, your IdP should allow them access.

OneLogin example

Okta example

Did this answer your question?