LiveStatus

Single Sign-On (SSO)

Connect Okta, Google Workspace, Azure AD, or any SAML 2.0 / OIDC Identity Provider.

SSO is available on the Business plan. Teammates sign in with the same credentials they use for the rest of your stack, and LiveStatus auto-provisions their user on first login with a default role you choose.

What you get

  • SAML 2.0 and OIDC support
  • Default-role provisioning (viewer, editor, admin) for new sign-ins
  • Audit log entries for every connection change
  • One connection per organization

Setup (overview)

  1. Go to Dashboard → SSO.
  2. Copy the ACS URL and Metadata URL shown at the top of the page.
  3. Create a new app in your Identity Provider and paste those values in.
  4. Download the IdP metadata XML (for SAML) or grab the OIDC discovery URL + client credentials.
  5. Paste them back into the LiveStatus SSO form and click Save connection.
  6. Click Test SSO to verify the round trip in a new tab.

Okta (SAML)

  1. In the Okta admin console, go to Applications → Create App Integration → SAML 2.0.
  2. Name it LiveStatus.
  3. For Single sign-on URL, paste the ACS URL from the LiveStatus SSO page.
  4. For Audience URI, paste the Metadata URL.
  5. In Attribute Statements, add:
    • email → user.email
    • firstName → user.firstName
    • lastName → user.lastName
  6. Finish the wizard, then open the Sign On tab of the new app and download the Identity Provider metadata XML.
  7. Paste that XML into the LiveStatus form and save.

Google Workspace (SAML)

  1. In the Google Admin console, go to Apps → Web and mobile apps → Add custom SAML app.
  2. Name it LiveStatus.
  3. Download the Metadata file from step 2 of the wizard.
  4. For ACS URL, paste the ACS URL from LiveStatus.
  5. For Entity ID, paste the Metadata URL from LiveStatus.
  6. Set Name ID format to EMAIL and Name ID to Basic Information → Primary email.
  7. Under attribute mapping, map First name, Last name, and Primary email to firstName, lastName, and email.
  8. Turn the app On for everyone (or a specific OU).
  9. Paste the downloaded metadata XML into LiveStatus and save.

Generic OIDC

  1. In your IdP, create a new OIDC application.
  2. Set the redirect URI to https://YOUR-LIVESTATUS-DOMAIN/api/auth/sso/callback.
  3. Grab the discovery URL (https://your-idp/.well-known/openid-configuration), the client ID, and the client secret.
  4. In LiveStatus, pick OIDC as the provider, paste all three, pick a default role, and save.

Verify

Click Test SSO on the LiveStatus SSO page. A new tab opens, your IdP prompts for consent, and you land back on /dashboard/pages signed in as the IdP user. If the sign-in fails, check the server logs for entries starting with [sso] — they tell you which hop of the flow rejected the request.

Disabling SSO

Click Disable SSO on the SSO page. Existing sessions stay valid until they expire; from that moment, teammates fall back to password sign-in.