Access Control · Identity

Let your identity provider manage Cosmo access

Connect Okta, Auth0, Keycloak, or any OIDC-compliant provider. Users enroll automatically on first sign-in. Roles come from your identity provider mappings.

No separate passwords. No manual user management.

Available on Enterprise

The problem

Authentication sprawl creates security gaps

Every tool with its own credentials is a gap in your security posture. Separate user directories mean delayed offboarding, inconsistent access, and audit trails that don't connect.

Separate credentials for every tool

Each system has its own login. Employees manage multiple passwords. IT manages multiple user directories. Security teams audit multiple access systems.

Onboarding and offboarding are manual

New employees need accounts in each tool individually. When someone leaves, access must be revoked in every system manually, and without a reliable checklist.

Role assignments get out of sync

When your identity provider says someone is a team lead but their Cosmo role says developer, one of them is wrong. Manual updates lag behind org changes.

Our solution

One identity provider, one source of truth

Cosmo connects to your OIDC identity provider. Users sign in with existing credentials. Role assignments come from your IdP mappings. When someone leaves the organization, removing them from the IdP removes their Cosmo access.

How SSO enrollment works

  1. Configure your OIDC provider in Cosmo: Okta, Auth0, Keycloak, Microsoft Entra, or any OIDC-compliant system.

  2. Set up role mappings: map identity provider groups or attributes to Cosmo roles.

  3. Copy the generated Login URL and share it with your team.

  4. Users sign in via the Login URL and encounter the "Login with SSO" option on first use.

  5. Cosmo enrolls the user automatically and assigns roles based on your configured mappings.

  6. If you disconnect SSO, all SSO-authenticated users are downgraded to viewer as a security measure.

Your IdP is the source of truth. Cosmo stays in sync automatically.

Single Sign-On

Before & After

Before Cosmo | With Cosmo
Separate credentials per tool | Single sign-on with existing identity provider credentials
Manual user provisioning for each new hire | Automatic enrollment on first SSO sign-in
Role management disconnected from IdP | Roles assigned from identity provider mappings
No security action when SSO is removed | Automatic downgrade to viewer on SSO disconnect

Supported providers

Works with your existing IdP

Okta
Auth0
Keycloak
Microsoft Entra
Any OIDC-compliant provider

Dedicated setup guides are available for Okta, Auth0, Keycloak, and Microsoft Entra. Any other OIDC-compliant provider can be configured manually.

How Cosmo SSO works

01
OIDC-compliant providers.

Configure

Set up your OIDC provider in Cosmo Studio. Follow the dedicated guides for Okta, Auth0, Keycloak, or Microsoft Entra, or enter your credentials manually for any other OIDC-compliant provider.

02
IdP-driven roles.

Map roles

Define role mappings during setup. Map identity provider groups or attributes to Cosmo groups. Users receive the roles you specify when they sign in.

03
Unique per integration.

Share the URL

Cosmo generates a unique Login URL for each SSO integration. Share it with your team. After their first login, users can sign in normally without the URL.

04
Automatic access downgrade.

Stay secure

Disconnecting SSO automatically downgrades all SSO-authenticated users to the viewer role. This prevents unauthorized access if your IdP connection is disrupted.

What's included

Enterprise identity, built into Cosmo

Enterprise plan only.

Automatic user enrollment

Users are enrolled in your organization the first time they sign in via SSO. No manual invitation required. No separate account creation step.

Role mapping from your IdP

Configure mappings during setup to assign Cosmo groups based on identity provider attributes. Roles are consistent with what your authorization server says.

Multiple OIDC providers

Connect more than one OIDC provider to the same organization. Each connected app is a separate login method with its own Login URL and role mappings.

Security-first disconnect

Disconnecting SSO logs out all SSO users and downgrades them to viewer. Access is never left in an uncontrolled state when the identity provider connection changes.

Connect your identity provider to Cosmo

SSO is available on the Enterprise plan. Talk to us to get started.

FAQ

SSO on Cosmo

Full details in the SSO documentation.