Axis Authentication and SSO

Configure tenant identity with owner/admin controls for providers, group mapping, and login exclusions.

Last updated: February 22, 2026
Source: VeliKey Docs Team
Owner: Axis Product Engineering

Overview

Axis supports interactive sign-in plus SSO provider configuration through tenant-scoped APIs.

Only OWNER and ADMIN members can create or update SSO provider settings.

Endpoint Assumptions

  • Production auth and API host: https://axis.velikey.com (sign-in: https://axis.velikey.com/auth/signin).
  • Non-production override: set AXIS_BASE_URL explicitly before running docs commands.
  • Manual operator substitutions: provide tenant-scoped values for cookies, bearer tokens, agent IDs, and tenant slugs.

Actionable Steps

  1. Verify owner/admin role assignment for the operator account.
  2. Create one SSO provider, then test group mappings and exclusions.
  3. Validate sign-in with a non-admin user before broad rollout.

# manual-only example
# production default; set AXIS_BASE_URL explicitly for staging/test.
export AXIS_BASE_URL="${AXIS_BASE_URL:-https://axis.velikey.com}"
export SESSION_COOKIE="axis-session=REDACTED"

curl -fsS -H "Cookie: $SESSION_COOKIE" "$AXIS_BASE_URL/api/sso/providers" | jq
curl -fsS -H "Cookie: $SESSION_COOKIE" "$AXIS_BASE_URL/api/sso/group-mappings" | jq
curl -fsS -H "Cookie: $SESSION_COOKIE" "$AXIS_BASE_URL/api/sso/exclusions" | jq

Validation Checks (Last Step)

# executable example
command -v curl
command -v jq
openssl version

SSO metadata exchange and callback verification rely on correct TLS behavior.
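
One way to check that TLS behavior before sending a session cookie to `AXIS_BASE_URL`, as an added example that is not VeliKey's own tooling. The function names `axis_hostport` and `axis_tls_check` and the 14-day expiry window are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not VeliKey code. Function names and the 14-day expiry
# window are assumptions chosen for illustration.

# Print host:port for an https:// base URL. Any other scheme fails, so the
# session cookie is never sent in cleartext to a mis-set staging override.
axis_hostport() {
  local url rest host port
  url="$1"
  case "$url" in
    https://*) rest="${url#https://}" ;;
    *) echo "refusing non-HTTPS base URL: $url" >&2; return 1 ;;
  esac
  rest="${rest%%[/?#]*}"                 # keep authority, drop path/query
  case "$rest" in
    *@*|*\[*) echo "userinfo or IPv6 literal not supported: $rest" >&2; return 1 ;;
    *:*) host="${rest%%:*}"; port="${rest##*:}" ;;
    *)   host="$rest"; port=443 ;;
  esac
  case "$port" in ''|*[!0-9]*) echo "bad port in $url" >&2; return 1 ;; esac
  [ -n "$host" ] || { echo "empty host in $url" >&2; return 1; }
  printf '%s:%s\n' "$host" "$port"
}

# Returns 0 if chain and hostname verify against the system trust store and
# the leaf certificate is valid for at least 14 more days.
# 1 = bad URL, 2 = handshake/verification failure, 3 = certificate expiring.
axis_tls_check() {
  local hp host out
  hp="$(axis_hostport "$1")" || return 1
  host="${hp%%:*}"
  out="$(openssl s_client -connect "$hp" -servername "$host" \
           -verify_hostname "$host" -verify_return_error \
           </dev/null 2>/dev/null)" || return 2
  printf '%s\n' "$out" \
    | openssl x509 -noout -checkend $((14 * 24 * 3600)) >/dev/null || return 3
}

# Usage: axis_tls_check "$AXIS_BASE_URL" && echo "TLS ok"
```

A non-zero return before the `curl` calls means the cookie should not be sent to that host until the URL or certificate is fixed.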

Common Failure Modes

  • Attempting provider creation from MEMBER role returns `403 Insufficient permissions`.
  • Provider IDs from one organization reused in another organization fail authorization checks.
  • Missing exclusion rules cause lockout of service accounts that should bypass SSO.