Enterprise setup guide

Configure SSO, deploy to your environment, and verify your security posture.

Deployment options

Certus Cloud

Fully managed SaaS at www.getcertus.cloud. Zero infrastructure to maintain. Data residency in US or EU.

Best for: Teams wanting fastest time-to-value

Self-hosted

Deploy the Certus platform in your own VPC. Docker image + Helm chart provided. Connect to your own database and KMS.

Best for: Regulated industries requiring full data control

Hybrid

CLI runs locally in your CI. Scan results sync to Certus Cloud for dashboard visibility. Source code never leaves your environment.

Best for: Most enterprise customers — security + convenience

SSO configuration

Certus supports SAML 2.0 and OIDC enterprise connections via Auth0.

Prerequisites
  • Auth0 tenant with enterprise connections enabled
  • SAML 2.0 or OIDC identity provider configured at your organization
  • Admin access to the Certus dashboard for your organization
  • DNS access if using custom domain (optional)
1. Provide IdP metadata

Share your SAML metadata URL or OIDC issuer URL, client ID, and client secret with your Certus account manager. We configure the connection in Auth0.

2. Configure ACS URL

Set the Assertion Consumer Service URL in your IdP to: https://www.getcertus.cloud/api/auth/callback. This is the Auth0 callback endpoint.

3. Test connection

Your account manager will enable the connection for your organization. Test by signing in with your corporate email at /login. The domain router directs you to your IdP automatically.

4. Enforce SSO

Once verified, we can enforce SSO for your domain — all users with matching email domains must authenticate through your IdP. Password-based login is disabled for those accounts.

Environment variables

AUTH0_DOMAIN (required)

Auth0 tenant domain (e.g. dev-xxxxx.us.auth0.com)

dev-xxxxx.us.auth0.com

AUTH0_CLIENT_ID (required)

Auth0 application client ID

vika6Gry0...

AUTH0_CLIENT_SECRET (required)

Auth0 application client secret

(from Auth0 dashboard)

AUTH0_SECRET (required)

Session encryption key (min 32 chars)

openssl rand -hex 32

AUTH0_BASE_URL (optional)

Canonical app URL for callbacks

https://www.getcertus.cloud

APP_BASE_URL (optional)

Fallback base URL

https://www.getcertus.cloud
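
A pre-flight check for the variables listed above, as an added example that is not part of the Certus documentation or tooling. The variable names and the 32-character minimum come from the list; the function name check_certus_env, the placeholder heuristic, and the hostname and https checks are assumptions of this example.

```shell
#!/bin/sh
# Added example: validate the Auth0 environment before starting the app.
# check_certus_env is a hypothetical helper name, not a Certus command.

check_certus_env() {
    rc=0
    fail() { echo "FAIL: $1" >&2; rc=1; }

    # Required variables must be set and non-empty.
    for name in AUTH0_DOMAIN AUTH0_CLIENT_ID AUTH0_CLIENT_SECRET AUTH0_SECRET; do
        eval "value=\${$name:-}"
        [ -n "$value" ] || { fail "$name is required but not set"; continue; }
        # Heuristic (assumption): values pasted from docs stay truncated ("...")
        # or templated ("xxxxx").
        case "$value" in
            *...|*xxxxx*) fail "$name still looks like a placeholder" ;;
        esac
    done

    # AUTH0_SECRET is the session encryption key: minimum 32 characters.
    if [ -n "${AUTH0_SECRET:-}" ] && [ "${#AUTH0_SECRET}" -lt 32 ]; then
        fail "AUTH0_SECRET is ${#AUTH0_SECRET} chars, need at least 32"
    fi

    # AUTH0_DOMAIN is a bare tenant hostname, no scheme or path (assumption).
    case "${AUTH0_DOMAIN:-}" in
        *://*|*/*) fail "AUTH0_DOMAIN must be a hostname, not a URL" ;;
    esac

    # Optional base URLs: when set, require https (assumption).
    for name in AUTH0_BASE_URL APP_BASE_URL; do
        eval "value=\${$name:-}"
        case "$value" in
            ""|https://*) ;;
            *) fail "$name must start with https://" ;;
        esac
    done
    return "$rc"
}

# Constructed sample values (not real credentials): the session key is too short.
( AUTH0_DOMAIN=tenant.example.auth0.com AUTH0_CLIENT_ID=constructed-id \
  AUTH0_CLIENT_SECRET=constructed-secret AUTH0_SECRET=tooshort \
  check_certus_env ) || echo "pre-flight rejected the sample environment"
```

In a self-hosted or hybrid deployment, call check_certus_env in the container entrypoint or CI job and stop on a non-zero status.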

Go-live security checklist

Verify these items before enabling production access for your organization.

  • SSO connection verified with test user (Identity)
  • Social login connections disabled for your application (Identity)
  • Multi-factor authentication enforced in your IdP (Identity)
  • API keys generated and distributed to CI/CD pipelines (Access)
  • Org membership restricted to verified corporate email domains (Access)
  • Audit log reviewed for unexpected access patterns (Monitoring)
  • Evidence pack exports tested with your compliance tooling (Compliance)
  • Responsible disclosure contact established with security team (Operations)