# Single Sign-On (SSO)

Curiosity Workspace supports Single Sign-On (SSO) to allow users to log in using their existing corporate accounts. This simplifies user management and enhances security by leveraging established identity providers.

# Supported Providers

Curiosity supports the following SSO providers:

# General Configuration

To configure SSO, you typically need to:

  1. Register an application with your identity provider.
  2. Configure the Redirect URI in the identity provider's settings.
  3. Provide the generated credentials (e.g., Client ID, Client Secret) to Curiosity Workspace under Manage > Settings > Accounts > Single Sign-On.

# Redirect URI Format

The redirect URI generally follows this pattern: {workspace-url}/api/{provider-type}/completed-login-attempt

For example, for Microsoft SSO: https://your-workspace.curiosity.ai/api/microsoftsso/completed-login-attempt
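Identity providers generally compare the redirect URI as an exact string, so a stray trailing slash or an `http` scheme is enough to break or weaken the login flow. The following is an added example, not Curiosity's own code. It builds the URI from the pattern above and audits a constructed list of URIs as they might appear in an identity provider's app registration. The function names are hypothetical, and the rule that a provider type is a single alphanumeric segment is an assumption based on `microsoftsso`.

```python
from urllib.parse import urlsplit

CALLBACK_SUFFIX = "completed-login-attempt"  # from the pattern on this page


def build_redirect_uri(workspace_url: str, provider_type: str) -> str:
    """Return {workspace-url}/api/{provider-type}/completed-login-attempt."""
    parts = urlsplit(workspace_url.strip())
    if parts.scheme != "https":
        raise ValueError("workspace URL must use https")
    if not parts.hostname or parts.username or parts.password:
        raise ValueError("workspace URL needs a host and no embedded credentials")
    if parts.query or parts.fragment:
        raise ValueError("workspace URL must not carry a query or fragment")
    if not provider_type.isalnum():
        # Assumption: one alphanumeric path segment, like "microsoftsso".
        raise ValueError("provider type must be a single path segment")
    base = f"https://{parts.netloc.lower()}{parts.path.rstrip('/')}"
    return f"{base}/api/{provider_type}/{CALLBACK_SUFFIX}"


def audit_registered_uris(expected: str, registered: list[str]) -> dict[str, str]:
    """Classify each URI registered at the IdP against the expected one."""
    findings = {}
    for uri in registered:
        if uri == expected:
            findings[uri] = "ok"
        elif "*" in uri:
            findings[uri] = "wildcard: replace with the exact URI"
        elif urlsplit(uri).scheme != "https":
            findings[uri] = "not https: login response is unprotected in transit"
        elif uri.rstrip("/").lower() == expected.lower():
            findings[uri] = "near miss: case or trailing slash differs"
        else:
            findings[uri] = "unexpected: remove if no other app needs it"
    return findings


if __name__ == "__main__":
    expected = build_redirect_uri("https://your-workspace.curiosity.ai/", "microsoftsso")
    # Constructed sample of what an IdP app registration might list.
    sample = [
        expected,
        "http://your-workspace.curiosity.ai/api/microsoftsso/completed-login-attempt",
        "https://your-workspace.curiosity.ai/api/microsoftsso/completed-login-attempt/",
        "https://*.curiosity.ai/api/microsoftsso/completed-login-attempt",
    ]
    for uri, verdict in audit_registered_uris(expected, sample).items():
        print(f"{verdict:52} {uri}")
```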

# Session Management

  • Session Duration: Configure how long a user session remains active before requiring re-authentication.
  • Inactivity Timeout: Automatically log out users after a period of inactivity to enhance security on shared devices.
  • Token Rotation: Ensure that refresh tokens are rotated regularly to minimize the impact of token theft.

# Security Recommendations

  • Enforce MFA: Always enable Multi-Factor Authentication (MFA) on your identity provider.
  • Use HTTPS: Ensure your workspace is only accessible over HTTPS to protect authentication tokens in transit.
  • Audit Logs: Regularly review login activity and authentication logs in the Monitoring section.
  • Least Privilege: Map SSO groups to the most restrictive workspace roles that still allow users to perform their tasks.