In enterprise applications, identity management for employees, contractors, and partners is critical. Even mid-sized organizations often juggle 100+ enterprise applications, with hundreds or thousands of users accessing different systems daily. This is where Single Sign-On (SSO) becomes essential—ensuring secure, centralized access and robust governance across all operational systems.
As an enterprise-grade platform, PolyAPI aligns with these security and governance standards. SSO is a foundational part of that alignment. However, supporting SSO in PolyAPI presents unique challenges:
- Multi-Tenant Complexity: Our platform serves customers using a wide range of Identity Providers (IDPs)—too many to list on a single login page.
- Extensibility: PolyAPI itself requires login access, but our customers also build operational applications using Poly, each of which may need to integrate with its own IDP—possibly different from the primary one used by the enterprise.
What’s New in Release 20
With Release 20, we introduced key capabilities to support secure and flexible SSO integration:
- Configurable Identity Providers: You can now link your enterprise IDP to PolyAPI as long as it supports OpenID Connect.
- User Subject IDs: Authentication is tied to a user’s unique subject ID.
- Permission Policies: Define and assign user permissions across environments using policy-based access controls.
- Environment Selection at Login: Users with access to multiple environments can now choose their desired environment context during login, streamlining their experience and reducing context switching post-login.
- Tenant-Specific Login Pages: Each tenant can now configure a custom Canopy login page with redirect support, enabling tailored SSO options specific to their organization for accessing PolyAPI’s Management UI.
With these enhancements, any OpenID-compliant IDP can now be configured as your SSO provider in Poly. This enables seamless login workflows to Canopy, our function-driven UI client. Developer workflows still rely on API keys, which will remain supported.
What’s Coming Next
We’re continuing to invest in making SSO integration smoother and more powerful. Here’s a preview of what’s ahead:
- Invitations and Self-Service Signup: Today, admins must manually retrieve and configure subject IDs. We’re working on features to invite users and support self-registration so that the subject ID is linked automatically when a user signs up.
- Environment Switching: Soon, users will be able to switch between environments within the UI and maintain active sessions across multiple workspaces.
- Policy-Aligned API Keys: API keys are now more tightly integrated with permission policies—rather than existing independently, keys are treated as instantiations of those policies. When a user’s access is revoked or a policy is updated, any associated keys automatically reflect those changes and lose validity if required.
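As an added illustration (not PolyAPI’s own code), the following Python model shows what it means for a key to be an instantiation of a policy rather than an independent credential: the key stores only the user’s subject ID and the policy name, and every check re-evaluates the current policy and assignment, so revoking the assignment invalidates the key and editing the policy changes what the key grants. Subject IDs, policy names and environment names are constructed sample values.

```python
from dataclasses import dataclass
import secrets


@dataclass
class ApiKey:
    """A key is a handle to (subject, policy), not a copy of the permissions."""
    token: str
    subject: str       # OIDC `sub` claim of the user the key was issued to
    policy_name: str   # the policy this key instantiates


class AccessStore:
    def __init__(self):
        self.policies = {}     # policy name -> set of environments it grants
        self.assignments = {}  # subject -> set of policy names held
        self.keys = {}         # token -> ApiKey

    def define_policy(self, name, environments):
        self.policies[name] = set(environments)

    def assign(self, subject, policy_name):
        self.assignments.setdefault(subject, set()).add(policy_name)

    def revoke(self, subject, policy_name):
        self.assignments.get(subject, set()).discard(policy_name)

    def issue_key(self, subject, policy_name):
        # A key may only instantiate a policy the subject actually holds.
        if policy_name not in self.assignments.get(subject, set()):
            raise PermissionError(f"{subject} is not assigned {policy_name}")
        token = secrets.token_urlsafe(32)
        self.keys[token] = ApiKey(token, subject, policy_name)
        return token

    def check_key(self, token, environment):
        # Re-evaluate at use time: an unknown key, a revoked assignment or a
        # deleted policy all fail, and an edited policy is reflected at once.
        key = self.keys.get(token)
        if key is None:
            return False
        if key.policy_name not in self.assignments.get(key.subject, set()):
            return False
        granted = self.policies.get(key.policy_name)
        if granted is None:
            return False
        return environment in granted
```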
Get Started with SSO
If you’re a customer looking to configure SSO, check out our documentation or reach out to our team—we’re happy to help walk you through the setup. Have questions about our roadmap or platform? We’d love to hear from you! Reach out to us at hello@polyapi.io, fill out a contact form, or book an intro meeting.