Authorization flow issues
Authorization flow problems usually stem from mismatched Redirect URIs, incorrect Issuer URLs, or provider credentials. Double-check that your Redirect URI, Client ID, and Client Secret are correct in both Lovable and your SSO provider. Clear browser cookies and try a fresh login. Test with Plan mode to identify the exact failure point.
Can I enforce SSO for my workspace?
Enterprise plans can enforce SSO for the entire workspace, blocking non-SSO login methods. This setting must be configured by your workspace admin or support team. Once enforced, all workspace members must authenticate via your SSO provider. Contact [email protected] to enable SSO enforcement for your Enterprise workspace.
Can I use SCIM without SSO?
No, SCIM (System for Cross-domain Identity Management) is used in conjunction with SSO to automate user provisioning and deprovisioning. You must have SSO configured first. SCIM syncs user data and group memberships from your identity provider automatically, but it requires an active SSO connection.
Does Lovable support IdP-initiated SSO?
Yes, Lovable supports IdP-initiated SSO, allowing users to start their login from your identity provider's dashboard. This requires proper ACS URL and audience configuration in your SAML provider. IdP-initiated flows are especially useful for Enterprise users who access apps from a central identity portal.
Does Lovable support SCIM or automatic user provisioning?
Yes, Lovable Enterprise plans support SCIM (System for Cross-domain Identity Management) for automatic user provisioning and deprovisioning. SCIM syncs user accounts, group memberships, and role assignments from your identity provider in real time. Contact [email protected] to enable SCIM for your workspace.
Does Lovable support just-in-time (JIT) provisioning with SSO?
Yes, Lovable supports JIT provisioning, which automatically creates user accounts on their first SSO login. No pre-provisioning step is needed. The user's email and basic profile data are captured from the SSO provider during first login. JIT is ideal for teams with frequent user changes and simplifies admin overhead.
Does Lovable support multiple SSO providers per workspace?
Currently, Lovable supports one SSO provider per workspace. If you need to support multiple providers (e.g., Okta for some teams, Azure AD for others), contact your Enterprise account manager to discuss options. For smaller organizations, consider consolidating identity management in a single provider.
Email claim missing
Your SSO provider must be configured to include the email claim in its token response. In your provider's configuration (Okta, Azure AD, etc.), ensure the email attribute is mapped to the email claim. Without it, Lovable cannot create user accounts. Check your SSO provider's attribute mapping or claims configuration.
How can I edit my SSO provider configuration?
Workspace admins can edit SSO configuration in workspace settings. Navigate to Settings → Security → SSO Provider, then update Client ID, Client Secret, Issuer URL, or other credentials. Changes take effect immediately for new logins. For Redirect URI changes, update both Lovable and your SSO provider simultaneously. Contact [email protected] for assistance.
Invalid ACS or Audience
ACS (Assertion Consumer Service) URL and Audience must match Lovable's SSO configuration exactly. Find these values in your Lovable workspace settings and paste them (without modification) into your SAML identity provider. These are case-sensitive and must include the full URL. Contact [email protected] if values differ from documentation.
Invalid or mismatched Redirect URI
This error means the redirect URL from your SSO provider doesn't match Lovable's configuration. Copy the exact Redirect URI from your Lovable workspace settings (found in SSO setup) and paste it into your SSO provider's configuration. Common mistakes: omitting https://, or a trailing slash present on one side and missing on the other.
Issuer URL / discovery fails
Verify that your Issuer URL is correct and publicly accessible. Most providers (Okta, Azure AD) have their issuer listed in their admin console — copy it exactly. Ensure your Lovable workspace can reach the issuer endpoint. Test by pasting the issuer URL in your browser; it should return a JSON discovery document.
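An added example (not part of the original page) of the check a client performs on a discovery response: build the well-known URL from the issuer, confirm the body is JSON with the required endpoints, and confirm the document's issuer matches the configured one byte for byte, which is where a stray trailing slash shows up. The sample discovery document and issuer are constructed.

```python
import json
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"
REQUIRED_FIELDS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")

# Constructed sample response, standing in for what the browser test returns.
GOOD_DOC = json.dumps({
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/oauth2/v1/authorize",
    "token_endpoint": "https://idp.example.com/oauth2/v1/token",
    "jwks_uri": "https://idp.example.com/oauth2/v1/keys",
})


def discovery_url(issuer: str) -> str:
    """Append the well-known path to the issuer without producing a double slash."""
    return issuer.rstrip("/") + WELL_KNOWN


def check_discovery(configured_issuer: str, body: str) -> list[str]:
    """Return the problems found in a discovery response; empty means usable."""
    problems = []
    if urlsplit(configured_issuer).scheme != "https":
        problems.append("issuer must use https")
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        # A login page or HTML error page means the URL is wrong or unreachable.
        return problems + ["response is not JSON (wrong URL or an HTML error page?)"]
    for field in REQUIRED_FIELDS:
        if field not in doc:
            problems.append(f"missing required field: {field}")
    # OIDC Discovery requires the document's issuer to be identical to the
    # configured issuer, so "https://idp.example.com/" fails against the doc above.
    if "issuer" in doc and doc["issuer"] != configured_issuer:
        problems.append(
            f"issuer mismatch: document says {doc['issuer']!r}, configured {configured_issuer!r}"
        )
    return problems


if __name__ == "__main__":
    print(discovery_url("https://idp.example.com/"))
    print(check_discovery("https://idp.example.com/", GOOD_DOC))
```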
Provider credentials invalid
Verify that your Client ID and Client Secret (or equivalent credentials) are correct and haven't expired. Copy them directly from your SSO provider's admin console — typos are common. Some providers rotate credentials; if recently changed in your provider, update them in Lovable too. Contact [email protected] if credentials are confirmed correct.
Redirect URI mismatch
Redirect URI mismatches occur when the OAuth callback URL in your authentication provider (like Google Cloud Console or Supabase) doesn't match what's configured in your app. Ensure the redirect URL includes the full path (e.g., http://localhost:3000/auth/callback for local dev) and matches exactly in Supabase Authentication → URL Configuration. For deployed apps, add both your local dev URL and production URL to the redirect URLs list.
Role mappings are not being applied
Role mappings sync from your SSO provider (Okta, Azure AD, etc.) based on group or claim configurations. Verify in your SSO provider's dashboard that users are assigned to the correct groups, and check that Lovable's role mapping rules match your group names exactly. Re-test with a fresh user login to see if roles apply.
Should I use SCIM or just-in-time (JIT) provisioning?
SCIM is better for large teams where you want to automatically sync all users and group changes from your provider in real time. JIT provisioning is simpler and automatically creates users on first login. For Enterprise, SCIM is recommended. For smaller teams, JIT is often sufficient. Both require SSO to be enabled.
What happens if a user belongs to multiple mapped groups?
If a user is in multiple groups with different role mappings, Lovable applies the highest privilege level. For example, if a user is in both 'Editor' and 'Admin' groups, they receive Admin access. This is by design to ensure users have the access needed for their most permissive group.
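An added example (not Lovable's own code) of the two rules described in the role-mapping answers above: group names are matched exactly, and a user in several mapped groups receives the highest-privilege role. The role ranks, mapping table and default role are constructed; the near-miss report shows the case and whitespace differences that usually explain "roles are not being applied".

```python
# Constructed privilege order; higher number means more privilege.
ROLE_RANK = {"viewer": 1, "editor": 2, "admin": 3}

# Constructed mapping rules. Keys are compared exactly against IdP group names.
GROUP_TO_ROLE = {
    "lovable-editors": "editor",
    "lovable-admins": "admin",
}


def resolve_role(user_groups, mapping=GROUP_TO_ROLE, rank=ROLE_RANK, default="viewer"):
    """Apply every rule whose group name matches exactly and keep the most
    privileged result; a user matching no rule gets the constructed default."""
    roles = [mapping[g] for g in user_groups if g in mapping]
    if not roles:
        return default
    return max(roles, key=rank.__getitem__)


def near_misses(user_groups, mapping=GROUP_TO_ROLE):
    """List (idp_group, rule_group) pairs that differ only by case or
    surrounding whitespace, i.e. groups that look mapped but are not."""
    folded = {k.strip().lower(): k for k in mapping}
    hits = []
    for g in user_groups:
        if g in mapping:
            continue
        key = g.strip().lower()
        if key in folded:
            hits.append((g, folded[key]))
    return hits


if __name__ == "__main__":
    groups = ["lovable-editors", "Lovable-Admins "]  # constructed IdP assertion
    print(resolve_role(groups))   # editor: the admin group does not match exactly
    print(near_misses(groups))    # [('Lovable-Admins ', 'lovable-admins')]
```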
What happens to existing users when I enable SCIM?
When you enable SCIM on your workspace, existing manually added users are not automatically migrated. Going forward, SCIM will manage new user provisioning. Existing users remain active. It's recommended to disable manual user management once SCIM is live to avoid duplicates and confusion. Review your user list before switching.
Which SSO providers does Lovable support?
Lovable supports any SAML 2.0-compliant provider, including Okta, Azure AD (Entra ID), Google Workspace, Salesforce, OneLogin, and others. OAuth providers like Google and GitHub are also supported for basic login. For Enterprise deployments, contact [email protected] to confirm your specific provider is tested and supported.
Why am I seeing a redirect URI mismatch error?
This error means the OAuth callback URL your provider is trying to send the user to doesn't match any of the allowed redirect URIs you've configured. Check two things: (1) The exact URL in your browser matches one of your configured URIs in Supabase Authentication → URL Configuration, and (2) For local dev, ensure you've included http://localhost:3000 and /auth/callback. Trailing slashes and https/http must match exactly.
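An added example (not from the original page) that reproduces the provider's exact-match rule from the redirect URI answers above and explains a failed match component by component, so the trailing-slash and http/https cases named in the text are reported in plain words. The allow-list is constructed.

```python
from urllib.parse import urlsplit

# Constructed allow-list, standing in for the provider's URL configuration.
ALLOWED = [
    "http://localhost:3000/auth/callback",
    "https://app.example.com/auth/callback",
]


def redirect_uri_allowed(requested: str, allowed: list[str]) -> bool:
    """Providers compare redirect_uri byte for byte with the allow-list;
    no normalisation happens, so plain string membership is the whole check."""
    return requested in allowed


def explain_mismatch(requested: str, allowed: list[str]) -> list[str]:
    """Return readable reasons why `requested` matched nothing, compared
    against the allowed entry on the same host (or the first entry)."""
    if redirect_uri_allowed(requested, allowed):
        return []
    req = urlsplit(requested)
    same_host = [u for u in allowed if urlsplit(u).hostname == req.hostname]
    ref = urlsplit(same_host[0] if same_host else allowed[0])
    reasons = []
    if req.scheme != ref.scheme:
        reasons.append(f"scheme {req.scheme}:// != {ref.scheme}://")
    if req.hostname != ref.hostname:
        reasons.append(f"host {req.hostname} != {ref.hostname}")
    if req.port != ref.port:
        reasons.append(f"port {req.port} != {ref.port}")
    if req.path != ref.path:
        if req.path.rstrip("/") == ref.path.rstrip("/"):
            reasons.append("path differs only by a trailing slash")
        else:
            reasons.append(f"path {req.path!r} != {ref.path!r}")
    if req.query != ref.query:
        reasons.append(f"query {req.query!r} != {ref.query!r}")
    return reasons


if __name__ == "__main__":
    for uri in ("http://localhost:3000/auth/callback/", "http://app.example.com/auth/callback"):
        print(uri, "->", explain_mismatch(uri, ALLOWED))
```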
