SSO & Enterprise Auth
Authentication · 4 articles
Invalid ACS or Audience
The ACS (Assertion Consumer Service) URL and Audience must match Lovable's SSO configuration exactly. Find these values in your Lovable workspace settings and paste them, without modification, into your SAML identity provider. Both values are case-sensitive and must include the full URL. Contact support@lovable.dev if the values differ from the documentation.
Redirect URI mismatch
Redirect URI mismatches occur when the OAuth callback URL in your authentication provider (like Google Cloud Console or Supabase) doesn't match what's configured in your app. Ensure the redirect URL includes the full path (e.g., http://localhost:3000/auth/callback for local dev) and matches exactly in Supabase Authentication → URL Configuration. For deployed apps, add both your local dev URL and production URL to the redirect URLs list.
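The exact-match rule described above can be turned into a diagnostic that names the component that differs. This is an added example, not Lovable's or Supabase's code; the function names `diffUri` and `checkRedirect` and the `app.example.com` URL are assumptions made for illustration.

```javascript
// Added example, not vendor code. All URLs are constructed sample values.
// Explains why a callback URL fails an exact, case-sensitive allow-list match.
function diffUri(sent, allowed) {
  let a, b;
  try { a = new URL(sent); b = new URL(allowed); }
  catch { return ["not a full absolute URL"]; } // e.g. "/auth/callback"
  const reasons = [];
  if (a.protocol !== b.protocol) reasons.push(`scheme: ${a.protocol} vs ${b.protocol}`);
  if (a.hostname !== b.hostname) reasons.push(`host: ${a.hostname} vs ${b.hostname}`);
  if (a.port !== b.port) reasons.push(`port: ${a.port || "(default)"} vs ${b.port || "(default)"}`);
  if (a.pathname !== b.pathname) {
    const strip = (p) => p.replace(/\/+$/, "");
    if (strip(a.pathname) === strip(b.pathname)) reasons.push("trailing slash");
    else if (a.pathname.toLowerCase() === b.pathname.toLowerCase()) reasons.push("path case");
    else reasons.push(`path: ${a.pathname} vs ${b.pathname}`);
  }
  if (a.search !== b.search) reasons.push("query string");
  // URL parsing lowercases the host, so a raw-string mismatch can survive it.
  if (reasons.length === 0) reasons.push("raw string differs (case or encoding)");
  return reasons;
}

function checkRedirect(sent, allowList) {
  // The provider's comparison is exact, so test the raw strings first.
  if (allowList.includes(sent)) return { ok: true, nearest: sent, reasons: [] };
  // Otherwise report the entry with the fewest differing components.
  const ranked = allowList
    .map((entry) => ({ entry, reasons: diffUri(sent, entry) }))
    .sort((x, y) => x.reasons.length - y.reasons.length);
  const best = ranked[0] || { entry: null, reasons: ["allow list is empty"] };
  return { ok: false, nearest: best.entry, reasons: best.reasons };
}

// Constructed allow list: local dev URL plus production URL.
const SAMPLE_ALLOW_LIST = [
  "http://localhost:3000/auth/callback",
  "https://app.example.com/auth/callback",
];
for (const sent of ["https://app.example.com/auth/callback/",
                    "http://app.example.com/auth/callback"]) {
  console.log(sent, JSON.stringify(checkRedirect(sent, SAMPLE_ALLOW_LIST)));
}
```

The same comparison applies to an ACS URL or Audience value: pass the value from your identity provider as `sent` and the value from the workspace settings as the only allow-list entry.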
Role mappings are not being applied
Role mappings sync from your SSO provider (Okta, Azure AD, etc.) based on group or claim configurations. Verify in your SSO provider's dashboard that users are assigned to the correct groups, and check that Lovable's role mapping rules match your group names exactly. Re-test with a fresh user login to see if roles apply.
Which SSO providers does Lovable support?
Lovable supports any SAML 2.0-compliant provider, including Okta, Azure AD (Entra ID), Google Workspace, Salesforce, OneLogin, and others. OAuth providers like Google and GitHub are also supported for basic login. For Enterprise deployments, contact support@lovable.dev to confirm your specific provider is tested and supported.