This guide explains how to configure Enterprise SSO in FoxPlan for:

• SAML v2
• OIDC (OpenID Connect)
• Google (OIDC)
• Microsoft (OIDC / Azure AD)

Where to Configure SSO in FoxPlan #

SSO is configured per enterprise:

1. Log in as an Enterprise Administrator.
2. Go to Settings → FoxPlan Account.
3. Open the Enterprise SSO tab.
4. Click Add SSO configuration.

How Login Works #

On the login page, users enter their email and click Next. FoxPlan then:

1. Finds the enterprise linked to the email.
2. If multiple enterprises are found, the user selects one.
3. Shows the available SSO options for that enterprise.
4. If no enterprise SSO exists, standard login and default SSO options (Google/Microsoft/Atlassian) remain available.

1) OIDC (OpenID Connect) – Generic #

Use this for any OIDC‑compatible provider (Okta, Keycloak, Auth0, etc.).

Identity Provider (IdP) Setup #

1. Create a new OIDC application (Web type).
2. Set the redirect/callback URL to:

   https://app.fox-plan.com/login/oauth2/code/{registrationId}

3. Save and copy the following values:
   • Client ID
   • Client Secret
   • Issuer URI (OIDC discovery endpoint base)

FoxPlan Configuration #

1. Provider: Custom OIDC
2. Display name: e.g., “Sign in with Company SSO”
3. Client ID / Client Secret
4. Issuer URI (required)
5. Scopes: openid,profile,email
6. User name attribute: sub (or email if preferred)
7. Enable the configuration

Notes #

• OIDC endpoints (/authorize, /token, /userinfo, /keys) are automatically discovered from the Issuer URI.
• If your provider does not support discovery, use the “Advanced configuration” fields.

2) Google (OIDC) #

Google SSO uses standard OIDC.

Google Cloud Setup #

1. In Google Cloud Console, create OAuth Client ID (Web).
2. Authorized redirect URI:

   https://app.fox-plan.com/login/oauth2/code/{registrationId}

3. Copy:
   • Client ID
   • Client Secret

FoxPlan Configuration #

1. Provider: Google
2. Display name: “Sign in with Google”
3. Client ID / Client Secret
4. Issuer URI: https://accounts.google.com
5. Scopes: openid,profile,email
6. User name attribute: sub
7. Enable the configuration

3) Microsoft (OIDC / Azure AD) #

Microsoft SSO uses OIDC and Azure AD.

Azure AD Setup #

1. Azure Portal → App registrations → New registration (Web).
2. Redirect URI:

   https://app.fox-plan.com/login/oauth2/code/{registrationId}

3. Copy:
   • Client ID (Application ID)
   • Client Secret
   • Tenant ID (if using a specific tenant)

FoxPlan Configuration #

1. Provider: Microsoft
2. Display name: “Sign in with Microsoft”
3. Client ID / Client Secret
4. Issuer URI:

   https://login.microsoftonline.com/{tenantId}/v2.0

5. Scopes: openid,profile,email
6. User name attribute: sub
7. Enable the configuration

4) SAML v2 #

Use SAML when the IdP does not support OIDC or when your organization uses SAML policies.

IdP Setup #

1. Create a new SAML application in your IdP.
2. Set the ACS / Assertion Consumer Service URL:

   https://app.fox-plan.com/login/saml2/sso/{registrationId}

3. Set the Audience / Entity ID (SP Entity ID):

   https://app.fox-plan.com/saml2/service-provider-metadata/{registrationId}

4. Download or copy the IdP metadata (URL or XML), or the IdP SSO URL + certificate.

FoxPlan Configuration #

1. Provider: SAML 2.0
2. Display name: “Sign in with SAML”
3. Entity ID (IdP Entity ID)
4. Provide either:
   • Metadata URL, or
   • Metadata XML, or
   • SSO URL + X.509 Certificate
5. Binding: POST (recommended)
6. Email / First name / Last name attributes (match IdP claims)
7. Enable the configuration

Important Notes #

• registrationId format: {enterpriseId}-{provider}
• Each enterprise has its own SSO configuration and policies.
• MFA is enforced by your IdP, not by FoxPlan.
• If SSO is enabled for an enterprise, users will see it after entering their email on the login page.

Troubleshooting #

• Make sure the redirect URI matches exactly.
• Ensure the SSO configuration is enabled in FoxPlan.
• Check that the user email belongs to the correct enterprise.
• For SAML, verify metadata and certificate are correct and not expired.