
Authentication (SSO)

Configure single sign-on with Google, Microsoft, Okta, or any OIDC/SAML provider.

CodeWall supports enterprise SSO via OpenID Connect (OIDC) and SAML 2.0. Once configured, your team signs in with your existing identity provider — no separate passwords needed.

How it works

  1. You verify ownership of your email domain (e.g., acme.com)
  2. You connect an identity provider (Google, Microsoft, Okta, etc.)
  3. When a user enters user@acme.com on the login page, CodeWall redirects them to your IdP
  4. After authentication, the user is signed into CodeWall automatically

New users are optionally created on first login via just-in-time (JIT) provisioning.

Step 1: Verify your domain

Domain verification proves you own the email domain your team uses. This is required before SSO can be enabled.

  1. Go to Settings > Authentication
  2. In the Domains section, click Add domain
  3. Enter your email domain (e.g., acme.com)
  4. CodeWall generates a unique TXT record value like cw-verify=abc123...
  5. Add this as a TXT record in your DNS provider:
    • Host/Name: @ (or leave blank, depending on your provider)
    • Type: TXT
    • Value: the cw-verify=... string shown in CodeWall
  6. Click Verify — CodeWall checks DNS for the record

DNS changes can take a few minutes to propagate. If verification fails, wait 2-5 minutes and try again. CodeWall detects your DNS provider and offers a direct link to your DNS settings.

Step 2: Configure your identity provider

Go to Settings > Authentication and click on your provider. Each provider requires you to create an OAuth/OIDC application in their admin console and copy the credentials into CodeWall.

Google Workspace

In Google Cloud Console:

  1. Go to Google Cloud Console and select (or create) a project
  2. Navigate to APIs & Services > Credentials
  3. Click Create Credentials > OAuth client ID
  4. Select Web application as the application type
  5. Under Authorized redirect URIs, add:
    https://app.codewall.ai/api/v1/sso/oidc/callback
  6. Click Create and note the Client ID and Client Secret

Consent screen

If this is a new project, you'll need to configure the OAuth consent screen first. Set the user type to Internal (restricts login to your Workspace domain) or External if you need broader access. Add the email, profile, and openid scopes.

In CodeWall:

  1. Click Google Workspace in the provider list
  2. Enter the Client ID and Client Secret from Google
  3. Click Save, then Test to verify the flow
  4. Click Enable once the test succeeds

Microsoft Entra ID (Azure AD)

In Microsoft Entra admin center:

  1. Go to Entra admin center > Applications > App registrations
  2. Click New registration
  3. Set Name to CodeWall SSO
  4. Under Redirect URI, select Web and enter:
    https://app.codewall.ai/api/v1/sso/oidc/callback
  5. Click Register
  6. On the app overview page, copy the Application (client) ID and Directory (tenant) ID
  7. Go to Certificates & secrets > New client secret, create one, and copy the Value (not the Secret ID)

In CodeWall:

  1. Click Microsoft Entra ID in the provider list
  2. Enter the Tenant ID, Client ID, and Client Secret
  3. Click Save, then Test to verify the flow
  4. Click Enable once the test succeeds

If you want to restrict login to specific users or groups, go to Enterprise applications in Entra, find the CodeWall app, and set Assignment required to Yes under Properties. Then assign users or groups under Users and groups.

Okta

In the Okta admin console:

  1. Go to Applications > Create App Integration
  2. Select OIDC - OpenID Connect and Web Application, then click Next
  3. Set App integration name to CodeWall
  4. Under Sign-in redirect URIs, add:
    https://app.codewall.ai/api/v1/sso/oidc/callback
  5. Under Assignments, choose who can access the app
  6. Click Save
  7. On the app page, copy the Client ID and Client secret
  8. Your Okta domain is the URL in your browser (e.g., your-org.okta.com)

In CodeWall:

  1. Click Okta in the provider list
  2. Enter your Okta Domain, Client ID, and Client Secret
  3. Click Save, then Test to verify the flow
  4. Click Enable once the test succeeds

Auth0

In the Auth0 dashboard:

  1. Go to Applications > Create Application
  2. Select Regular Web Applications and click Create
  3. Go to the Settings tab
  4. Under Allowed Callback URLs, add:
    https://app.codewall.ai/api/v1/sso/oidc/callback
  5. Copy the Domain, Client ID, and Client Secret
  6. Click Save Changes

In CodeWall:

  1. Click Auth0 in the provider list
  2. Enter the Auth0 Domain, Client ID, and Client Secret
  3. Click Save, then Test to verify the flow
  4. Click Enable once the test succeeds

OneLogin

In the OneLogin admin console:

  1. Go to Applications > Add App
  2. Search for OpenId Connect and select OpenId Connect (OIDC)
  3. Set the display name to CodeWall and click Save
  4. Go to the Configuration tab and set Redirect URI to:
    https://app.codewall.ai/api/v1/sso/oidc/callback
  5. Go to the SSO tab and copy the Client ID and Client Secret
  6. Your subdomain is the first part of your OneLogin URL (e.g., your-company from your-company.onelogin.com)

In CodeWall:

  1. Click OneLogin in the provider list
  2. Enter your Subdomain, Client ID, and Client Secret
  3. Click Save, then Test to verify the flow
  4. Click Enable once the test succeeds

Custom OIDC

For any OIDC-compliant provider not listed above:

  1. Create an OAuth/OIDC application in your IdP
  2. Set the redirect URI to:
    https://app.codewall.ai/api/v1/sso/oidc/callback
  3. Ensure the openid, profile, and email scopes are enabled
  4. In CodeWall, click Custom OIDC and enter the Issuer URL, Client ID, and Client Secret

The Issuer URL must serve an OIDC discovery document at /.well-known/openid-configuration.
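Before pasting an issuer into the Custom OIDC form it is worth checking what the provider actually serves at the well-known path. The script below is an added example written for this page, not CodeWall's own code. It works on a constructed discovery document (the hostname login.example-idp.test and all endpoint paths are made up) and applies the checks a relying party depends on: the document's issuer must be identical to the configured URL, the three endpoints must exist and be https, the authorization code flow and the openid/profile/email scopes must be offered, and ID tokens must be signed with RS256 rather than allowed to be unsigned.

```python
import json
from urllib.parse import urlparse

# Constructed sample of what a conforming IdP serves at
# <issuer>/.well-known/openid-configuration. Hostnames are illustrative only.
SAMPLE_DISCOVERY_JSON = json.dumps({
    "issuer": "https://login.example-idp.test",
    "authorization_endpoint": "https://login.example-idp.test/oauth2/authorize",
    "token_endpoint": "https://login.example-idp.test/oauth2/token",
    "jwks_uri": "https://login.example-idp.test/oauth2/keys",
    "response_types_supported": ["code", "id_token"],
    "scopes_supported": ["openid", "profile", "email"],
    "id_token_signing_alg_values_supported": ["RS256"],
})

# Constructed broken sample: issuer does not match, token endpoint is plain
# http, the 'email' scope is missing, and unsigned tokens are advertised.
SAMPLE_BROKEN_JSON = json.dumps({
    "issuer": "https://other-idp.test",
    "authorization_endpoint": "https://login.example-idp.test/oauth2/authorize",
    "token_endpoint": "http://login.example-idp.test/oauth2/token",
    "jwks_uri": "https://login.example-idp.test/oauth2/keys",
    "response_types_supported": ["code"],
    "scopes_supported": ["openid", "profile"],
    "id_token_signing_alg_values_supported": ["RS256", "none"],
})

REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")
REQUIRED_SCOPES = {"openid", "profile", "email"}


def discovery_url(issuer: str) -> str:
    """Where to fetch the discovery document: trailing slash removed, then the
    fixed well-known path appended, as OIDC Discovery specifies."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def check_discovery(issuer: str, body: str) -> list:
    """Return the problems found in a discovery document (empty list = OK)."""
    problems = []
    try:
        doc = json.loads(body)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]

    # 'issuer' must be identical to the configured issuer; otherwise every ID
    # token's 'iss' claim will fail validation at the relying party.
    expected = issuer.rstrip("/")
    if doc.get("issuer") != expected:
        problems.append(f"issuer mismatch: expected {expected!r}, got {doc.get('issuer')!r}")

    # Endpoints must be present and served over https.
    for key in REQUIRED_ENDPOINTS:
        value = doc.get(key)
        if not value:
            problems.append(f"missing {key}")
        elif urlparse(value).scheme != "https":
            problems.append(f"{key} is not https: {value}")

    # A server-side web app uses the authorization code flow.
    if "code" not in doc.get("response_types_supported", []):
        problems.append("response_type 'code' not supported")

    # scopes_supported is optional in the spec; when it is advertised it must
    # cover the scopes the integration needs.
    advertised = doc.get("scopes_supported")
    if advertised is not None:
        missing = REQUIRED_SCOPES - set(advertised)
        if missing:
            problems.append("scopes not advertised: " + ", ".join(sorted(missing)))

    # ID tokens must be signed; RS256 is mandatory to implement for providers.
    algs = doc.get("id_token_signing_alg_values_supported", [])
    if "RS256" not in algs:
        problems.append("RS256 not offered for ID token signing")
    if "none" in algs:
        problems.append("unsigned ('none') ID tokens are advertised")

    return problems


if __name__ == "__main__":
    print(discovery_url("https://login.example-idp.test/"))
    print(check_discovery("https://login.example-idp.test", SAMPLE_DISCOVERY_JSON))
    print(check_discovery("https://login.example-idp.test", SAMPLE_BROKEN_JSON))
```

Run it against the JSON you fetch from your own provider's well-known URL; an empty list means the issuer is safe to enter in CodeWall, and each listed problem maps to a setting in the IdP's application configuration.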

Custom SAML

For SAML 2.0 providers:

  1. In your IdP, create a new SAML application with the following settings:
    • ACS URL (Reply URL): https://app.codewall.ai/api/v1/sso/saml/acs
    • Entity ID (Audience): https://app.codewall.ai/saml/{your-org-slug}
    • NameID format: Email
  2. Download or copy the IdP's Entity ID, SSO URL, and X.509 certificate
  3. In CodeWall, click Custom SAML and enter these three values

You can download CodeWall's SP metadata for import into your IdP at:

https://app.codewall.ai/api/v1/sso/saml/metadata/{your-org-slug}
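Step 2 of the SAML setup asks for three values that most IdPs only hand out inside a metadata XML file. The parser below is an added example written for this page, not CodeWall's own code. It runs on a constructed metadata document (the entity ID idp.example-idp.test and the certificate, which is a base64 placeholder rather than a real X.509 certificate, are made up) and extracts the Entity ID, the SSO URL (preferring the HTTP-Redirect binding) and the signing certificate, normalizing the line-wrapped base64 that exported files usually contain, and reports whether the IdP offers the email NameID format the configuration calls for.

```python
import base64
import binascii
# For metadata obtained from a party you do not control, defusedxml offers the
# same API hardened against entity-expansion tricks; the stdlib parser is used
# here because the input is constructed.
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed placeholder: base64 of an arbitrary byte string standing in for
# the DER certificate a real IdP publishes.
PLACEHOLDER_CERT_B64 = base64.b64encode(
    b"constructed placeholder, not a real X.509 certificate").decode()

# Constructed IdP metadata in the shape IdP admin consoles export. The
# certificate is line-wrapped and indented, as exported files often are.
SAMPLE_IDP_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                     entityID="https://idp.example-idp.test/saml/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {PLACEHOLDER_CERT_B64[:40]}
        {PLACEHOLDER_CERT_B64[40:]}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>{EMAIL_NAMEID}</md:NameIDFormat>
    <md:SingleSignOnService Binding="{HTTP_POST}"
                            Location="https://idp.example-idp.test/saml/sso"/>
    <md:SingleSignOnService Binding="{HTTP_REDIRECT}"
                            Location="https://idp.example-idp.test/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_idp_metadata(xml_text: str) -> dict:
    """Pull the Entity ID, SSO URL and signing certificate out of IdP metadata,
    plus whether the email NameID format is offered."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("EntityDescriptor has no entityID")

    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata describes no IdP (no IDPSSODescriptor)")

    # Prefer HTTP-Redirect for the SSO URL; fall back to HTTP-POST.
    services = {svc.get("Binding"): svc.get("Location")
                for svc in idp.findall("md:SingleSignOnService", NS)}
    sso_binding = next((b for b in (HTTP_REDIRECT, HTTP_POST) if services.get(b)), None)
    if sso_binding is None:
        raise ValueError("no SingleSignOnService with a Redirect or POST binding")
    sso_url = services[sso_binding]
    if not sso_url.startswith("https://"):
        raise ValueError(f"SSO URL is not https: {sso_url}")

    # Signing cert: a KeyDescriptor with use="signing", or one with no use
    # attribute, which the schema treats as valid for both signing and encryption.
    cert_text = None
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):
            el = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            if el is not None and el.text:
                cert_text = el.text
                break
    if cert_text is None:
        raise ValueError("no signing certificate in metadata")
    # Exports wrap and indent the base64; strip all whitespace, then confirm it decodes.
    cert_b64 = "".join(cert_text.split())
    try:
        base64.b64decode(cert_b64, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"certificate is not valid base64: {exc}") from None

    formats = [(e.text or "").strip() for e in idp.findall("md:NameIDFormat", NS)]
    return {
        "entity_id": entity_id,
        "sso_url": sso_url,
        "sso_binding": sso_binding,
        "certificate": cert_b64,
        "email_nameid": EMAIL_NAMEID in formats,
    }


if __name__ == "__main__":
    for key, value in parse_idp_metadata(SAMPLE_IDP_METADATA).items():
        print(f"{key}: {value}")
```

The three values in the result are what the Custom SAML form expects; if email_nameid comes back False, set the NameID format to Email on the IdP side before testing, since CodeWall matches users by the address in the NameID.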

Step 3: Enable SSO

After verifying your domain and saving the IdP configuration:

  1. Click Test to verify the login flow works end-to-end
  2. Click Enable to activate SSO for your organization

Once enabled, users with email addresses matching your verified domain are automatically redirected to your IdP when they sign in.

Configuration options

JIT (Just-In-Time) provisioning

When enabled, users are automatically created in CodeWall on their first SSO login. You can set the default role for JIT-provisioned users:

  • Viewer — read-only access
  • Member — can create and manage tests
  • Admin — full access except billing

When disabled, users must be invited by an administrator before they can sign in via SSO.

Enforce SSO

When enabled, password login is disabled for all users in your organization. This ensures everyone authenticates through your identity provider.

Break-glass access

Organization owners who originally signed up with a password retain password login even when SSO is enforced. This prevents lockout if your IdP goes down. We recommend having at least one owner account with password access as a recovery mechanism.

Troubleshooting

"Email domain is not verified for this organization"

The email address returned by your IdP doesn't match any verified domain. Verify that:

  • The domain in the user's email matches the domain you verified in CodeWall
  • The domain claim shows as Verified in Settings > Authentication

"IdP did not return a verified email address"

Your IdP returned email_verified: false (or didn't include the claim). In Google, this usually means the user's email hasn't been verified. In Okta/Auth0, ensure the email_verified claim is included in the ID token.

"OIDC token exchange failed"

The client ID, client secret, or redirect URI doesn't match what's configured in your IdP. Double-check all three values and ensure the redirect URI is exactly:

https://app.codewall.ai/api/v1/sso/oidc/callback

DNS verification not working

  • Ensure you added a TXT record (not CNAME or A)
  • The record value must be the exact cw-verify=... string, with no extra spaces or quotes
  • Some DNS providers add quotes around TXT values automatically — this is normal and handled correctly
  • DNS propagation can take up to 48 hours in rare cases, though most providers update within minutes
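The checks in Step 1 and in the DNS troubleshooting list above come down to one question: does some TXT answer for the apex carry exactly the cw-verify string? The script below is an added example written for this page, not CodeWall's own verifier. It works on a constructed set of resolver answers (the token cw-verify=abc123def456 is a placeholder, and the other records are typical apex TXT neighbours) and shows the normalization a checker has to do: unwrap the quotes resolvers and DNS consoles display, rejoin a record the provider has split into several quoted strings, and then compare exactly, so that trailing spaces, literal quote characters typed into the value, or a stale token each produce a distinct diagnosis instead of a bare failure.

```python
# Constructed sample: the TXT answers a resolver returns for the apex of a
# domain that also has SPF and a Google verification record. The provider
# has split the CodeWall record into two quoted strings, which is legal.
EXPECTED_TOKEN = "cw-verify=abc123def456"   # placeholder, not a real token
SAMPLE_ANSWERS = [
    '"v=spf1 include:_spf.google.com ~all"',
    '"google-site-verification=0123456789abcdef"',
    '"cw-verify=abc" "123def456"',
]


def unquote_txt(raw: str) -> str:
    """Turn a TXT record as displayed by a resolver or DNS console into the
    data it carries. Accepts a bare value, one quoted string, or several
    quoted strings (long records are stored as 255-byte chunks), honouring
    backslash escapes inside the quotes."""
    s = raw.strip()
    if not s.startswith('"'):
        return s
    parts = []
    i = 0
    while i < len(s):
        if s[i] != '"':
            raise ValueError(f"malformed quoted TXT data: {raw!r}")
        i += 1
        buf = []
        while i < len(s) and s[i] != '"':
            if s[i] == "\\" and i + 1 < len(s):
                i += 1          # escaped character: keep the next char literally
            buf.append(s[i])
            i += 1
        if i >= len(s):
            raise ValueError(f"unterminated quote in TXT data: {raw!r}")
        i += 1                  # skip the closing quote
        parts.append("".join(buf))
        while i < len(s) and s[i] in " \t":
            i += 1              # whitespace between chunks is not data
    return "".join(parts)


def check_verification(answers, expected: str) -> tuple:
    """Look for the verification token among the TXT answers for the domain.
    Returns (verified, diagnostic)."""
    prefix = expected.split("=", 1)[0] + "="
    for raw in answers:
        try:
            data = unquote_txt(raw)
        except ValueError:
            continue            # one malformed answer must not hide a good one
        if data == expected:
            return True, "verification record found"
        if data.strip() == expected:
            return False, f"record has extra whitespace inside the value: {raw!r}"
        if data.strip('"') == expected:
            return False, f"record contains literal quote characters: {raw!r}"
        if data.startswith(prefix):
            return False, f"found a {prefix} record with a different value: {raw!r}"
    return False, "no TXT record with the expected value (still propagating, or added under the wrong host?)"


if __name__ == "__main__":
    for answers in (SAMPLE_ANSWERS,
                    ['"cw-verify=abc123def456 "'],
                    ['"\\"cw-verify=abc123def456\\""'],
                    ['"cw-verify=oldtoken"']):
        print(check_verification(answers, EXPECTED_TOKEN))
```

Feed it the TXT answers from your resolver of choice for the bare domain (the @ host); if the diagnostic mentions whitespace or quote characters, the fix is in the value you typed into the DNS console, not in propagation.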

Users still seeing password login

SSO discovery is based on verified domains. If a user's email domain isn't verified, they'll see the password form. Verify the domain in Settings > Authentication > Domains.
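The three claim-related errors above ("Email domain is not verified", "IdP did not return a verified email address", "OIDC token exchange failed") and the domain-based routing described under "How it works" and "Users still seeing password login" all come from the same decision logic on the relying-party side. The code below is an added example written for this page, not CodeWall's own implementation. It assumes the ID token's signature has already been verified against the IdP's JWKS and works on constructed claim sets (the issuer login.example-idp.test, the client ID and the addresses are made up); it shows the order of checks a relying party applies, why a missing email_verified flag is treated exactly like false, and how the verified-domain list gates both the login-page redirect and the final account mapping.

```python
from __future__ import annotations

import time

# Constructed ID token payloads, as they look after the relying party has
# verified the JWT signature against the IdP's JWKS and decoded the body
# (signature verification needs network access and is out of scope here).
CLAIMS_OK = {
    "iss": "https://login.example-idp.test",
    "aud": "codewall-client-id-placeholder",
    "exp": 4102444800,          # 2100-01-01, so the sample does not expire
    "email": "Alice@Acme.com",
    "email_verified": True,
}
CLAIMS_UNVERIFIED = {**CLAIMS_OK, "email_verified": False}
CLAIMS_NO_FLAG = {k: v for k, v in CLAIMS_OK.items() if k != "email_verified"}
CLAIMS_OTHER_DOMAIN = {**CLAIMS_OK, "email": "alice@contractor.example"}
CLAIMS_OTHER_AUD = {**CLAIMS_OK, "aud": ["some-other-app"]}
CLAIMS_EXPIRED = {**CLAIMS_OK, "exp": 1_000_000_000}


class LoginRejected(Exception):
    """Raised with the user-facing reason when a login must not proceed."""


def email_domain(email: str) -> str | None:
    """Domain part of an address, lower-cased; None if it is not user@domain."""
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain:
        return None
    return domain.lower()


def login_route(entered_email: str, verified_domains) -> str:
    """What the login page does with the address the user typed: 'sso'
    (redirect to the IdP) when its domain is verified, otherwise 'password'."""
    domain = email_domain(entered_email)
    return "sso" if domain in {d.lower() for d in verified_domains} else "password"


def accept_sso_login(claims: dict, issuer: str, client_id: str, verified_domains,
                     now: float | None = None) -> str:
    """Check the decoded ID token claims and return the email to sign in as.
    Raises LoginRejected carrying the reason shown to the user."""
    now = time.time() if now is None else now

    # Binding checks: the token must come from the configured issuer, be
    # intended for this client ('aud' may be a string or a list) and be unexpired.
    if claims.get("iss") != issuer:
        raise LoginRejected("ID token issuer does not match the configured issuer")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        raise LoginRejected("ID token audience does not include this client")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise LoginRejected("ID token is expired")

    # email_verified is a JSON boolean in the spec; only true is acceptable,
    # and an absent claim is treated exactly like false.
    email = claims.get("email")
    if not email or claims.get("email_verified") is not True:
        raise LoginRejected("IdP did not return a verified email address")

    # Domain gate: the account maps to this organization only when the
    # address's domain was proven by the TXT record check.
    domain = email_domain(email)
    if domain is None or domain not in {d.lower() for d in verified_domains}:
        raise LoginRejected("Email domain is not verified for this organization")

    # Keep the local part as the IdP sent it; only the domain is case-folded.
    return f"{email.rpartition('@')[0]}@{domain}"


def rejection_reason(*args, **kwargs) -> str | None:
    """The rejection message for a login attempt, or None when it is accepted."""
    try:
        accept_sso_login(*args, **kwargs)
    except LoginRejected as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    issuer, client, domains = "https://login.example-idp.test", "codewall-client-id-placeholder", ["acme.com"]
    for name, claims in [("ok", CLAIMS_OK), ("unverified", CLAIMS_UNVERIFIED),
                         ("no flag", CLAIMS_NO_FLAG), ("other domain", CLAIMS_OTHER_DOMAIN)]:
        print(name, "->", rejection_reason(claims, issuer, client, domains))
    print(login_route("bob@ACME.com", domains), login_route("bob@gmail.com", domains))
```

The message text for the two claim failures is taken from the error strings this page lists, so a log line from such a check can be matched directly against the troubleshooting entries above.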
