RootCX
Pricing
Blog
Docs
RootCX/RootCX
BlogHow to Add SSO to Your AI-Coded Internal App
ssointernal-toolssecuritytutorial

How to Add SSO to Your AI-Coded Internal App

Your internal app needs SSO before it ships. Here is how to add OIDC single sign-on with Okta, Microsoft Entra, Google Workspace, or Auth0 in under 10 minutes.

Sandro Munda
Sandro Munda
April 7, 2026

You built an internal app with Claude Code or Cursor. It works. The logic is solid. Your team wants to use it.

Then someone asks: "How do our people log in?"

This is where most AI-coded apps stall. The code is done, but there is no authentication. No way for your team to sign in with their company credentials. No way to enforce who sees what. The app sits on a branch, waiting for "the auth work" that nobody wants to do.

It does not have to be this way.

Why SSO is not optional for internal tools

If your team uses Okta, Microsoft Entra, Google Workspace, or Auth0, they already have an identity provider. Every internal app should authenticate against it. No separate passwords. No shared login. No "just use the admin account."

Here is why this matters more than it looks:

Compliance. Most security frameworks (SOC 2, ISO 27001, HIPAA) require centralized identity management. If your internal tools have separate passwords, you fail the audit.

Offboarding. When someone leaves the company, you disable their identity provider account. If your internal app has its own login, that person still has access until someone remembers to delete them manually.

Trust. The moment you show an enterprise client or a compliance officer that your internal tools authenticate through their existing SSO, the conversation changes. You are no longer a "side project." You are production software.

The problem is that adding SSO from scratch is weeks of work. You need to understand OIDC flows, handle token refresh, manage sessions, deal with edge cases like account linking. Most teams either skip it or pay $X,000 per year to an auth provider, then spend another week wiring it up.

Some platforms gate SSO behind expensive enterprise tiers. Retool, for example, locks SSO and advanced permissions behind their $50/user/month Business plan. For a 30-person team, that is $18,000 a year just to let your people log in with their company credentials.

How SSO works on RootCX

On RootCX, SSO is included on every plan, including the free tier. No upgrade required. No separate auth provider to pay for.

RootCX Core supports any OIDC-compliant identity provider out of the box. Okta, Microsoft Entra (Azure AD), Google Workspace, Auth0, or any provider that speaks OIDC. You configure it once, and every app and every AI agent on your project inherits the same authentication.

Here is how to set it up.

Step 1: Get your OIDC credentials

Go to your identity provider and create a new OIDC application. You will need three things:

  • Issuer URL: the OIDC discovery endpoint (e.g. https://your-org.okta.com, https://login.microsoftonline.com/{tenant}/v2.0, https://accounts.google.com)
  • Client ID: the OAuth 2.0 client identifier
  • Client Secret: the OAuth 2.0 client secret

Set the redirect URI to https://your-rootcx-url/api/v1/auth/oidc/callback.

Step 2: Register the provider in RootCX

Option A: use environment variables for automatic provisioning. Set these before starting your Core:

ROOTCX_OIDC_ISSUER=https://your-org.okta.com
ROOTCX_OIDC_CLIENT_ID=your-client-id
ROOTCX_OIDC_CLIENT_SECRET=your-client-secret
ROOTCX_PUBLIC_URL=https://your-rootcx-url

RootCX picks these up on startup and creates the provider automatically. The client secret is stored in the encrypted vault (AES-256).

Option B: register via the API (useful if you manage multiple providers):

curl -X POST https://your-rootcx-url/api/v1/auth/oidc/providers \
  -H "Authorization: Bearer $ADMIN_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "issuerUrl": "https://your-org.okta.com",
    "clientId": "your-client-id",
    "clientSecret": "your-client-secret",
    "autoRegister": true,
    "defaultRole": "member"
  }'

autoRegister: true means new users get an account on first login. defaultRole assigns them a starting role. You can also map roles from your identity provider using the roleClaim field if your provider sends role information in the JWT.

Step 3: Done

That is it. Your team now sees the SSO login button on the RootCX auth screen. They click it, authenticate with their company credentials, and they are in. First-time users get an account automatically. If they previously had a password account with the same email, RootCX links the OIDC identity to the existing account.

Every app on your project inherits this authentication. Every AI agent runs under the same identity layer. You did not write a single line of auth code.

Optional: enforce SSO-only mode

If you want to disable password login entirely (common for enterprise deployments), set:

ROOTCX_DISABLE_PASSWORD_LOGIN=true

Now the only way in is through your identity provider. One place to manage access. One place to revoke it.

What you get after SSO is configured

SSO is the foundation, but it is not the whole picture. Once your team authenticates through OIDC, RootCX layers on:

Role-based access control. Define roles with namespaced permissions, wildcards, and inheritance. "The finance team can view invoices but not edit them. The procurement team can approve purchase orders. The intern can read but not delete." Every app and every agent enforces the same rules.

Immutable audit logs. Every action (human or AI agent) is logged at the database trigger level. Who did what, when, and on which record. This is not application-level logging that can be bypassed. It is structural.

Session management. Server-side sessions in PostgreSQL. JWT access tokens expire in 15 minutes. Refresh tokens last 30 days. You can revoke a session immediately by disabling the user in your identity provider.

AI agents under the same rules. This is the part most platforms miss. On RootCX, an AI agent authenticates and operates under the same RBAC as a human user. If the agent should not see salary data, it cannot see salary data. If it takes an action, that action is logged in the same audit trail as everything else.

The real cost of skipping SSO

Every week your internal app runs without SSO is a week of risk.

A shared password gets forwarded in Slack. An ex-employee still has access three months after leaving. A compliance officer asks for an access log and you have nothing to show. An agency hands off a tool to a client and the client asks "can our team log in with Okta?" and the answer is no.

These are not hypothetical scenarios. They are the reason most AI-coded apps never make it to production. The code is ready. The infrastructure is not.

SSO is the first step from prototype to production. On RootCX, it takes under 10 minutes, it costs nothing, and every app you build after this one inherits it automatically.

Start your project and add SSO today. Free tier, no credit card required.

ssointernal-toolssecuritytutorial
← Back to blog
RootCX

The open-source platform for internal apps and AI agents. Database, auth, permissions, integrations, and deployment included.

Book a demo

Product

  • AI Agents
  • Internal Apps
  • Integrations
  • App Library
  • Infrastructure
  • Security
  • Claude Code

Solutions

  • Builders
  • Agencies

Company

  • Documentation
  • Blog
  • Pricing
  • About

© 2026 RootCX Inc. All rights reserved.

Privacy PolicyTerms of Service
All systems operational