Setting Up SSO

Configure Single Sign-On for your organization using SAML or modern identity federation with Nutan.

Overview

Nutan supports enterprise Single Sign-On (SSO) out of the box. Your team can sign into Nutan using your existing identity provider — no separate passwords to manage.

Supported Protocols

  • SAML 2.0 — Works with Okta, Azure AD, OneLogin, PingFederate, and any SAML 2.0-compliant identity provider.
  • Standards-based identity federation — Works with Google Workspace, Azure AD, Auth0, and other identity providers.
  • Google OAuth — Available as a default sign-in option for all users.

How Authentication Works

Nutan uses a secure, modern authentication flow:

  1. User clicks "Get Started" in the Nutan desktop app.
  2. System browser opens to the Nutan authentication page. Nutan never handles passwords directly.
  3. User authenticates with their identity provider (Google, Okta, Azure AD, etc.).
  4. Secure callback — After authentication, a secure deep link routes the session back to the desktop app.
  5. Token exchange — The app exchanges a one-time code for access and refresh tokens via a secure API call. The exchange code expires in 60 seconds.
  6. Tokens stored securely — Access and refresh tokens are stored in the operating system's secure keychain, never in files or databases.
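
The one-time code exchange in step 5, sketched as an added example (not Nutan's code): a server-side store that issues a code for the deep link and redeems it at most once within the 60-second window. The class name, session ids and in-memory storage are assumptions for illustration.

```python
import hashlib
import secrets
import time

EXCHANGE_CODE_TTL = 60  # seconds, the expiry stated in step 5


class ExchangeCodeStore:
    """Hypothetical in-memory store for one-time exchange codes."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock   # injectable so expiry can be tested
        self._pending = {}    # sha256(code) -> (session_id, expires_at)

    @staticmethod
    def _digest(code):
        # Only a hash is kept, so a dump of the store yields no usable codes.
        return hashlib.sha256(code.encode("utf-8", "replace")).hexdigest()

    def issue(self, session_id):
        """Create the code carried by the deep link after IdP authentication."""
        now = self._clock()
        # Drop codes that expired without ever being redeemed.
        self._pending = {k: v for k, v in self._pending.items() if v[1] > now}
        code = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[self._digest(code)] = (session_id, now + EXCHANGE_CODE_TTL)
        return code

    def redeem(self, code):
        """Return the session id once; None if unknown, reused or expired."""
        # pop() removes the entry before any other check, so a replayed
        # code finds nothing even if the first redemption succeeded.
        entry = self._pending.pop(self._digest(code), None)
        if entry is None:
            return None
        session_id, expires_at = entry
        if self._clock() >= expires_at:
            return None
        return session_id


if __name__ == "__main__":
    fake_now = [0.0]  # constructed clock for the demo
    store = ExchangeCodeStore(clock=lambda: fake_now[0])
    code = store.issue("session-abc")      # constructed session id
    print(store.redeem(code))              # first use succeeds
    print(store.redeem(code))              # replay is rejected
    late = store.issue("session-def")
    fake_now[0] += EXCHANGE_CODE_TTL
    print(store.redeem(late))              # redeemed too late
```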

Setting Up SSO for Your Organization

Step 1 — Contact Us

SSO is on the roadmap. Reach out via the AI chat widget when you're ready to pilot — we'll flag your account as needing SSO the moment the feature ships.

Step 2 — Configure Your Identity Provider

We'll provide you with:

  • ACS URL (Assertion Consumer Service URL) for SAML
  • Entity ID / Audience URI
  • Redirect URI for OIDC

You'll configure these in your identity provider (Okta, Azure AD, etc.) and provide us with:

  • SAML: Metadata URL or XML, or the IdP SSO URL + certificate
  • OIDC: Client ID and Client Secret from your provider

Step 3 — Test the Connection

Once configured, we'll enable SSO for your domain. Any user with an email address on your domain will automatically be routed through your identity provider when they sign in.

Step 4 — Roll Out to Your Team

Share the Nutan desktop app with your team. When they click "Get Started," they'll be automatically directed to your organization's SSO login. On first login, Nutan auto-provisions their account — no admin setup required per user.

Auto-Provisioning

Nutan uses a product-led growth model. When a user signs in via SSO for the first time:

  • A user account is created automatically.
  • If their email domain matches an existing company, they're added to that company.
  • If not, a new company workspace is created.
  • GDPR consent is recorded automatically at first login.

No manual user provisioning is needed. Directory sync support is planned for teams that need automated deprovisioning.

Token Security

  • Access tokens are short-lived and cryptographically verified.
  • Refresh tokens are used to obtain new access tokens without re-authentication.
  • All tokens are stored in the OS keychain — the most secure storage available on the device.
  • Tokens are refreshed automatically with a 5-minute buffer before expiry.
  • If refresh fails, the user is signed out and must re-authenticate.

Session Management

  • Users remain signed in as long as their refresh token is valid.
  • Signing out clears all tokens from the keychain.
  • Admins can revoke sessions from their identity provider, which will take effect at the next token refresh.

Questions?

SSO is on the roadmap — ping us via the AI chat widget and we'll notify you when it's live.
