SSO / Single Sign-On
SSO (Single Sign-On) allows Enterprise plan users to sign in to Rela AI with their corporate credentials, without creating a separate password.
Companies with hundreds of employees cannot manage a separate password per system for each person. With SSO (Single Sign-On), Rela AI users sign in with the same credentials from the corporate directory — the same username and password they use for email, the ERP, or any other company system. If someone leaves the company and their corporate account is deactivated, they automatically lose access to Rela AI as well.
What is it for?
For companies with teams of dozens or hundreds of people, managing separate credentials in each system is a security and administration problem. SSO solves this by centralizing authentication:
- The IT team controls access from the corporate directory (Active Directory, Azure AD, Okta, etc.)
- Users do not need to remember another password
- When an employee leaves the company, deactivating their corporate account is enough to revoke access to all systems
- Administrators can require two-factor authentication from the corporate directory without additional configuration in Rela AI
How does it work?
SSO uses the SAML 2.0 standard, the protocol most widely supported by corporate directories. The flow is simple: the user types their email in Rela AI, the system detects that their domain has SSO configured, and redirects them to the corporate login portal. If they already have an active session on the company's system, they enter directly without typing a password.
Compatible systems include any provider that supports SAML 2.0:
- Microsoft Azure Active Directory (Azure AD)
- Okta
- Google Workspace
- OneLogin
- ADFS (Active Directory Federation Services)
- PingFederate
- Any Identity Provider (IdP) with SAML 2.0
How to use it?
Prerequisites
- Enterprise plan (SSO is not available on lower plans)
- Administrator access in Rela AI
- Administrator access to the company's Identity Provider (IdP)
- The corporate domain must be verified
Step 1: Verify the corporate domain
Before activating SSO, you must prove you own the domain:
- Go to Administration > SSO.
- Click Add domain.
- Enter the corporate domain (e.g., company.com).
- The system generates a unique verification code.
- Add that code as a TXT record in your domain's DNS. The record would look like:
  _relaai-verify.company.com = [generated code]
- Click Verify. The system confirms the DNS record.
DNS propagation can take from a few minutes to 48 hours depending on the domain provider. If verification fails, wait a few minutes and try again.
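To tell a record that is still propagating from one that was entered in the wrong place, the check below (an added example, not Rela AI code) looks for the TXT record at the expected name and at two places it commonly ends up by mistake. The `_relaai-verify` label and `company.com` come from this page; the verification code, the function names, and the `1.1.1.1` resolver are assumptions, and the sample record is constructed.

```python
import shlex
import subprocess

LABEL = "_relaai-verify"  # verification label shown on this page

def txt_values(dig_output):
    """Parse `dig +short TXT` output into one plain string per record.
    A long record is printed as several quoted chunks, which are joined here."""
    values = []
    for line in dig_output.splitlines():
        line = line.strip()
        if line and not line.startswith(";"):  # skip dig comment/error lines
            values.append("".join(shlex.split(line)))
    return values

def diagnose(domain, code, lookup):
    """Return (status, detail). `lookup(name)` returns raw dig output for name."""
    expected = f"{LABEL}.{domain}"
    found = txt_values(lookup(expected))
    if code in found:
        return ("verified", expected)
    if found:  # e.g. a code left over from an earlier attempt
        return ("mismatch", f"{expected} holds {found}")
    # Two frequent mistakes when entering the record in a DNS panel.
    wrong_places = {
        f"{expected}.{domain}": "panel appended the zone again; enter only the label as host",
        domain: "record was created at the domain apex, not under the label",
    }
    for name, hint in wrong_places.items():
        if code in txt_values(lookup(name)):
            return ("misplaced", f"{name}: {hint}")
    return ("not_found", "no TXT record with this code is visible yet")

def dig_lookup(name, resolver="1.1.1.1"):
    """Live lookup; needs the dig utility and network access."""
    result = subprocess.run(["dig", "+short", "TXT", name, f"@{resolver}"],
                            capture_output=True, text=True, timeout=15)
    return result.stdout

if __name__ == "__main__":
    # Constructed sample: the DNS panel appended the zone a second time.
    sample = {"_relaai-verify.company.com.company.com": '"EXAMPLE-" "CODE-1234"\n'}
    print(diagnose("company.com", "EXAMPLE-CODE-1234", lambda n: sample.get(n, "")))
```

For a live check, pass `dig_lookup` as `lookup`. Querying the domain's authoritative name server as well as a public resolver shows whether a correct record simply has not propagated yet.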
Step 2: Get the Service Provider data
Once the domain is verified, the system shows Rela AI's Service Provider data that you need to enter in your IdP:
| Data | Value |
|---|---|
| Entity ID | Rela AI's unique identification URL |
| ACS URL | The URL where the IdP sends the authentication response |
| Name ID format | User's email |
Copy these values — you will need them in the next step.
Step 3: Configure Rela AI in the corporate IdP
In the administration panel of your Identity Provider (Azure AD, Okta, etc.):
- Create a new SAML application.
- Enter the Entity ID and ACS URL you obtained in the previous step.
- Configure the Name ID attribute to be the user's email.
- (Optional) Configure additional attributes: first name, last name, groups.
- Download or copy the IdP certificate and the IdP SSO URL.
Step 4: Enter the IdP configuration in Rela AI
- Return to Administration > SSO in Rela AI.
- Enter your IdP data:
  - IdP SSO URL (where Rela AI redirects users)
  - IdP Entity ID
  - IdP certificate (to verify SAML responses)
- Click Save and activate SSO.
Step 5: Test SSO sign-in
Before communicating the change to users:
- Open an incognito browser window.
- Go to the Rela AI login page.
- Enter a corporate email from the configured domain.
- Verify that the system redirects to the corporate login portal.
- Authenticate with corporate credentials.
- Confirm that access to Rela AI works correctly.
Managing users with SSO active
With SSO active, when a user with a corporate domain email tries to access for the first time:
- If they already have an account in Rela AI, it is automatically linked with their corporate credentials
- If they do not have an account, one is automatically created with a basic role (member)
The administrator can map groups from the corporate directory to Rela AI roles — for example: the "Maintenance-Supervisors" group in Azure AD automatically receives the Supervisor role in Rela AI.
Key benefits
- A single password for all corporate systems — no additional passwords for Rela AI
- Deactivating an employee's corporate account revokes their Rela AI access automatically
- The IT team maintains full control of access from the corporate directory
- Compatible with any Identity Provider that supports SAML 2.0
- Automatic provisioning of new users without manual configuration
- Group-to-role mapping for automatic permission management
Common use cases
Scenario 1: Company with corporate Active Directory
An industrial company has 300 employees in Azure Active Directory. The IT team configures SSO between Azure AD and Rela AI. The 45 maintenance technicians and supervisors already have accounts in Azure AD — when SSO is activated, they can enter Rela AI with their Windows credentials without creating any additional password. When a technician changes departments or leaves the company, the change in Azure AD is automatically reflected in Rela AI.
Scenario 2: Security policy with two-factor authentication
The company has a corporate MFA (multi-factor authentication) policy in Okta. By configuring SSO with Okta, Rela AI automatically inherits that policy — users must approve authentication on their phone each time they sign in. The security team does not need to configure MFA in Rela AI separately; they manage it in Okta for all systems at once.
Scenario 3: Multi-plant company with group-segmented access
A company has plants in Mexico, Colombia, and Chile. Their IdP has groups: "Plant-Mexico," "Plant-Colombia," "Plant-Chile." By mapping those groups to roles in Rela AI, personnel from each plant only see the assets and data from their plant. Corporate management personnel belong to all three groups and have full visibility. The group mapping is configured once and automatically applied to all new users.