SAML Single Sign-On (SSO)
SAML SSO lets your team sign in to Retrac with your corporate identity provider — Okta, Google Workspace, Azure AD, and others supported in the setup wizard.Set up SAML
- Go to Settings → Security.
- Under SAML Single Sign-On, click to configure.
- Choose your identity provider from the list.
- Follow the in-app steps to exchange metadata and ACS URLs with your IdP.
- Test login with a user assigned to the Retrac application in your IdP.
Remove SAML
Owners can disconnect SAML from the Security page menu. Existing password-based users retain their accounts; coordinate with your IT team before removing production SSO.SAML is included on Enterprise plans. Lower plans may see upgrade prompts when accessing SSO configuration.
SCIM provisioning
SCIM automatically creates, updates, and deprovisions users in Retrac based on your IdP directory — reducing manual invite management for large teams.Set up SCIM
- Go to Settings → Security.
- Under SCIM, generate or configure your SCIM endpoint and bearer token.
- In your IdP, enable SCIM provisioning for Retrac using the provided URL and credentials.
- Map attributes (email, name) per IdP documentation.
- Assign users or groups in the IdP to provision access.
Remove SCIM
Disconnect SCIM from the Security page when rotating credentials or decommissioning automated provisioning. Review active members afterward.Best practices
- Test in a staging IdP app before enforcing SSO on production users
- Keep at least one break-glass owner account with a non-SSO recovery path if your IdP is unavailable
- Pair SCIM with location access — provision users into Retrac, then let owners assign location permissions in Settings → Members
- Rotate SCIM tokens if credentials may have been exposed