[{"data":1,"prerenderedAt":961},["ShallowReactive",2],{"navigation":3,"/docs/features/sso":156,"/docs/features/sso-surround":956},[4,23,83,103,118,133,141],{"title":5,"path":6,"stem":7,"children":8,"icon":22},"Getting Started","/docs/getting-started","docs/1.getting-started/1.index",[9,12,17],{"title":10,"path":6,"stem":7,"icon":11},"What is TaskView","i-lucide-house",{"title":13,"path":14,"stem":15,"icon":16},"Installation","/docs/getting-started/installation","docs/1.getting-started/2.installation","i-lucide-download",{"title":18,"path":19,"stem":20,"icon":21},"Quick Start","/docs/getting-started/usage","docs/1.getting-started/3.usage","i-lucide-rocket",false,{"title":24,"icon":22,"path":25,"stem":26,"children":27,"page":22},"Features","/docs/features","docs/2.features",[28,33,38,43,48,53,58,63,68,73,78],{"title":29,"path":30,"stem":31,"icon":32},"Projects and Lists","/docs/features/projects-and-lists","docs/2.features/1.projects-and-lists","i-lucide-folder",{"title":34,"path":35,"stem":36,"icon":37},"Organizations","/docs/features/organizations","docs/2.features/10.organizations","i-lucide-building-2",{"title":39,"path":40,"stem":41,"icon":42},"SSO (Single Sign-On)","/docs/features/sso","docs/2.features/11.sso","i-lucide-shield-check",{"title":44,"path":45,"stem":46,"icon":47},"Tasks","/docs/features/tasks","docs/2.features/2.tasks","i-lucide-check-square",{"title":49,"path":50,"stem":51,"icon":52},"Kanban Board","/docs/features/kanban","docs/2.features/3.kanban","i-lucide-columns-3",{"title":54,"path":55,"stem":56,"icon":57},"Dependency Graph","/docs/features/graph","docs/2.features/4.graph","i-lucide-git-branch",{"title":59,"path":60,"stem":61,"icon":62},"Dashboard","/docs/features/dashboard","docs/2.features/5.dashboard","i-lucide-layout-dashboard",{"title":64,"path":65,"stem":66,"icon":67},"Notifications","/docs/features/notifications","docs/2.features/6.notifications","i-lucide-bell",{"title":69,"path":70,"stem":71,"icon":72},"Webhooks","/docs/features/webhooks","docs/2.features/7.webhooks","i-lucide-webhook",{"title":74,"path":75,"stem":76,"icon":77},"API Tokens","/docs/features/api-tokens","docs/2.features/8.api-tokens","i-lucide-key-round",{"title":79,"path":80,"stem":81,"icon":82},"Sessions & Devices","/docs/features/sessions","docs/2.features/9.sessions","i-lucide-monitor-smartphone",{"title":84,"icon":22,"path":85,"stem":86,"children":87,"page":22},"Integrations","/docs/integrations","docs/3.integrations",[88,93,98],{"title":89,"path":90,"stem":91,"icon":92},"GitHub & GitLab Setup","/docs/integrations/setup","docs/3.integrations/1.setup","i-lucide-git-pull-request",{"title":94,"path":95,"stem":96,"icon":97},"MCP Server","/docs/integrations/mcp","docs/3.integrations/2.mcp","i-lucide-bot",{"title":99,"path":100,"stem":101,"icon":102},"Telegram & Slack Setup","/docs/integrations/messaging","docs/3.integrations/3.messaging","i-lucide-send",{"title":104,"icon":22,"path":105,"stem":106,"children":107,"page":22},"Configuration","/docs/configuration","docs/4.configuration",[108,113],{"title":109,"path":110,"stem":111,"icon":112},"Environment Variables","/docs/configuration/environment-variables","docs/4.configuration/1.environment-variables","i-lucide-settings",{"title":114,"path":115,"stem":116,"icon":117},"Authentication","/docs/configuration/authentication","docs/4.configuration/2.authentication","i-lucide-lock",{"title":119,"icon":22,"path":120,"stem":121,"children":122,"page":22},"Collaboration","/docs/collaboration","docs/5.collaboration",[123,128],{"title":124,"path":125,"stem":126,"icon":127},"Team Members","/docs/collaboration/members","docs/5.collaboration/1.members","i-lucide-users",{"title":129,"path":130,"stem":131,"icon":132},"Roles and Permissions","/docs/collaboration/roles-and-permissions","docs/5.collaboration/2.roles-and-permissions","i-lucide-shield",{"title":134,"path":135,"stem":136,"children":137,"icon":22},"FAQ","/docs/faq","docs/6.faq/1.index",[138],{"title":139,"path":135,"stem":136,"icon":140},"Frequently Asked Questions","i-lucide-circle-help",{"title":142,"icon":22,"path":143,"stem":144,"children":145,"page":22},"Guides","/docs/guides","docs/7.guides",[146,151],{"title":147,"path":148,"stem":149,"icon":150},"Deploy TaskView on a VPS with Nginx","/docs/guides/deploy-vps-nginx","docs/7.guides/1.deploy-vps-nginx","i-lucide-server",{"title":152,"path":153,"stem":154,"icon":155},"TaskView for Freelancers","/docs/guides/taskview-for-freelancers","docs/7.guides/2.taskview-for-freelancers","i-lucide-briefcase",{"id":157,"title":39,"body":158,"description":950,"extension":951,"meta":952,"navigation":953,"path":40,"seo":954,"stem":41,"__hash__":955},"docs/docs/2.features/11.sso.md",{"type":159,"value":160,"toc":931},"minimark",[161,174,179,206,209,213,228,232,237,308,313,320,323,344,347,351,358,363,397,400,409,414,417,483,504,510,513,517,577,580,598,605,609,621,631,635,638,653,656,669,673,684,687,691,695,749,753,829,833,877,881,887,893,899,905,915,921,927],[162,163,164,165,169,170,173],"p",{},"SSO lets your organization's members sign in to TaskView using your corporate identity provider (IdP). Supported protocols: ",[166,167,168],"strong",{},"SAML 2.0"," and ",[166,171,172],{},"OpenID Connect (OIDC)",".",[175,176,178],"h2",{"id":177},"how-it-works","How it works",[180,181,182,186,194,197,200,203],"ol",{},[183,184,185],"li",{},"User enters their email on the TaskView login page (SSO tab)",[183,187,188,189,193],{},"TaskView looks up the email domain (e.g. ",[190,191,192],"code",{},"company.com",") and finds the matching SSO config",[183,195,196],{},"User gets redirected to your IdP (Okta, Azure AD, etc.)",[183,198,199],{},"User authenticates at the IdP",[183,201,202],{},"IdP redirects back to TaskView with identity proof",[183,204,205],{},"TaskView creates an account (if new) and logs the user in",[162,207,208],{},"Users who sign in via SSO are automatically added to the organization that owns the SSO config.",[175,210,212],{"id":211},"setting-up-sso","Setting up SSO",[162,214,215,216,219,220,223,224,227],{},"Go to your organization's settings → ",[166,217,218],{},"SSO"," tab. You need the ",[166,221,222],{},"admin"," or ",[166,225,226],{},"owner"," role.",[229,230,168],"h3",{"id":231},"saml-20",[162,233,234],{},[166,235,236],{},"Required fields:",[238,239,240,253],"table",{},[241,242,243],"thead",{},[244,245,246,250],"tr",{},[247,248,249],"th",{},"Field",[247,251,252],{},"Description",[254,255,256,265,276,284,292,300],"tbody",{},[244,257,258,262],{},[259,260,261],"td",{},"Provider name",[259,263,264],{},"Display name shown in the UI (e.g. \"Okta\", \"Azure AD\")",[244,266,267,270],{},[259,268,269],{},"Email domain",[259,271,272,273,275],{},"The domain used for routing (e.g. ",[190,274,192],{},"). One domain = one SSO config",[244,277,278,281],{},[259,279,280],{},"IdP SSO URL",[259,282,283],{},"Your IdP's SAML endpoint where login requests are sent",[244,285,286,289],{},[259,287,288],{},"SP Entity ID",[259,290,291],{},"TaskView's identifier. Can be any string, must match what you configure in your IdP",[244,293,294,297],{},[259,295,296],{},"IdP Certificate",[259,298,299],{},"Your IdP's public signing certificate (base64, without BEGIN/END headers)",[244,301,302,305],{},[259,303,304],{},"ACS URL (Callback)",[259,306,307],{},"The URL where your IdP sends SAML responses. Shown after creating the config - copy it to your IdP",[162,309,310],{},[166,311,312],{},"Using Metadata URL (recommended):",[162,314,315,316,319],{},"Instead of filling fields manually, paste your IdP's metadata URL and click ",[166,317,318],{},"Sync",". This auto-fills the IdP SSO URL, Certificate, and Logout URL from the metadata XML.",[162,321,322],{},"Example metadata URLs:",[324,325,326,332,338],"ul",{},[183,327,328,329],{},"Okta: ",[190,330,331],{},"https://your-org.okta.com/app/xxx/sso/saml/metadata",[183,333,334,335],{},"Azure AD: ",[190,336,337],{},"https://login.microsoftonline.com/{tenant}/federationmetadata/2007-06/federationmetadata.xml",[183,339,340,341],{},"Keycloak: ",[190,342,343],{},"http://your-keycloak/realms/{realm}/protocol/saml/descriptor",[162,345,346],{},"SP Entity ID is not filled from metadata - you set it yourself. It must match between TaskView and your IdP.",[229,348,350],{"id":349},"saml-signature-requirements","SAML signature requirements",[162,352,353,354,357],{},"TaskView ",[166,355,356],{},"requires"," that your IdP signs SAML Assertions. Without a valid signature, authentication will be rejected.",[162,359,360],{},[166,361,362],{},"IdP configuration:",[238,364,365,375],{},[241,366,367],{},[244,368,369,372],{},[247,370,371],{},"Setting",[247,373,374],{},"Required value",[254,376,377,388],{},[244,378,379,382],{},[259,380,381],{},"Sign assertions",[259,383,384,387],{},[166,385,386],{},"ON"," (required)",[244,389,390,393],{},[259,391,392],{},"Sign documents (response)",[259,394,395,387],{},[166,396,386],{},[162,398,399],{},"TaskView validates the assertion signature. The document (response) signature provides additional transport-level integrity. Both should be enabled for maximum security.",[401,402,403],"blockquote",{},[162,404,405,408],{},[166,406,407],{},"Note:"," If you encounter \"Invalid signature\" errors with both signatures enabled, verify that your IdP certificate is correct. Re-sync from metadata URL if needed.",[162,410,411],{},[166,412,413],{},"Request signing (enterprise, optional):",[162,415,416],{},"For environments that require signed AuthnRequests, you can provide an SP signing key pair. Generate it with:",[418,419,424],"pre",{"className":420,"code":421,"language":422,"meta":423,"style":423},"language-bash shiki shiki-themes material-theme-lighter material-theme material-theme-palenight","openssl req -x509 -newkey rsa:2048 -keyout sp-key.pem -out sp-cert.pem -days 3650 -nodes -subj \"/CN=taskview\"\n","bash","",[190,425,426],{"__ignoreMap":423},[427,428,431,435,439,442,445,448,451,454,457,460,463,467,470,473,477,480],"span",{"class":429,"line":430},"line",1,[427,432,434],{"class":433},"sBMFI","openssl",[427,436,438],{"class":437},"sfazB"," req",[427,440,441],{"class":437}," -x509",[427,443,444],{"class":437}," -newkey",[427,446,447],{"class":437}," rsa:2048",[427,449,450],{"class":437}," -keyout",[427,452,453],{"class":437}," sp-key.pem",[427,455,456],{"class":437}," -out",[427,458,459],{"class":437}," sp-cert.pem",[427,461,462],{"class":437}," -days",[427,464,466],{"class":465},"sbssI"," 3650",[427,468,469],{"class":437}," -nodes",[427,471,472],{"class":437}," -subj",[427,474,476],{"class":475},"sMK4o"," \"",[427,478,479],{"class":437},"/CN=taskview",[427,481,482],{"class":475},"\"\n",[162,484,485,486,489,490,169,493,496,497,500,501,503],{},"Paste ",[190,487,488],{},"sp-key.pem"," contents into ",[166,491,492],{},"SP Private Key",[190,494,495],{},"sp-cert.pem"," into ",[166,498,499],{},"SP Certificate"," in TaskView. Upload ",[190,502,495],{}," to your IdP so it can verify the signature.",[162,505,506,507,173],{},"When signing keys are provided, TaskView signs AuthnRequests with ",[166,508,509],{},"RSA-SHA256",[229,511,172],{"id":512},"openid-connect-oidc",[162,514,515],{},[166,516,236],{},[238,518,519,527],{},[241,520,521],{},[244,522,523,525],{},[247,524,249],{},[247,526,252],{},[254,528,529,536,545,553,561,569],{},[244,530,531,533],{},[259,532,261],{},[259,534,535],{},"Display name (e.g. \"Google Workspace\", \"Keycloak OIDC\")",[244,537,538,540],{},[259,539,269],{},[259,541,272,542,544],{},[190,543,192],{},")",[244,546,547,550],{},[259,548,549],{},"Issuer URL",[259,551,552],{},"Your IdP's OIDC issuer URL. Used for auto-discovery of endpoints",[244,554,555,558],{},[259,556,557],{},"Client ID",[259,559,560],{},"OAuth client ID from your IdP",[244,562,563,566],{},[259,564,565],{},"Client Secret",[259,567,568],{},"OAuth client secret from your IdP",[244,570,571,574],{},[259,572,573],{},"Callback URL",[259,575,576],{},"The URL where your IdP redirects after authentication. Shown after creating the config",[162,578,579],{},"Example issuer URLs:",[324,581,582,588,593],{},[183,583,584,585],{},"Google: ",[190,586,587],{},"https://accounts.google.com",[183,589,334,590],{},[190,591,592],{},"https://login.microsoftonline.com/{tenant}/v2.0",[183,594,340,595],{},[190,596,597],{},"http://your-keycloak/realms/{realm}",[162,599,600,601,604],{},"TaskView uses ",[166,602,603],{},"PKCE (S256)"," for the authorization code exchange. Your IdP must support the authorization code grant with PKCE.",[175,606,608],{"id":607},"email-domain-routing","Email domain routing",[610,611,614],"callout",{"color":612,"icon":613},"warning","i-lucide-alert-triangle",[162,615,616,617,620],{},"Each SSO config is bound to an ",[166,618,619],{},"email domain",". One domain can only have one SSO config - this is enforced at the database level.",[162,622,623,624,627,628,630],{},"When a user enters ",[190,625,626],{},"alice@company.com"," on the SSO login tab, TaskView checks if domain ",[190,629,192],{}," has a configured SSO provider. If yes - redirect to IdP. If no - show an error.",[175,632,634],{"id":633},"user-provisioning","User provisioning",[162,636,637],{},"When a user authenticates via SSO for the first time:",[180,639,640,643,646],{},[183,641,642],{},"A TaskView account is created automatically (with a random password - they'll only use SSO)",[183,644,645],{},"A personal workspace is created for them",[183,647,648,649,652],{},"They are added to the SSO config's organization with the ",[166,650,651],{},"member"," role",[162,654,655],{},"For existing users (already registered with the same email), SSO login links their account - no new account is created, data is preserved.",[610,657,660,666],{"color":658,"icon":659},"info","i-lucide-info",[162,661,662,665],{},[166,663,664],{},"Removing users from the organization:"," If you remove a user from the organization in TaskView but do not deactivate their account in the identity provider (IdP), the user will be automatically re-added to the organization on their next SSO login. This is standard JIT (Just-In-Time) provisioning behavior — the IdP is the source of truth for access.",[162,667,668],{},"To fully block a user's access, deactivate or delete their account in the IdP. If SCIM provisioning is enabled, deactivating the user via SCIM will remove them from both the IdP and TaskView.",[175,670,672],{"id":671},"replay-attack-protection-saml","Replay attack protection (SAML)",[162,674,675,676,679,680,683],{},"TaskView stores SAML AuthnRequest IDs in a PostgreSQL table (",[190,677,678],{},"saml_request_cache",") and validates the ",[190,681,682],{},"InResponseTo"," field in SAML responses. Each request ID can only be used once. This prevents replay attacks even in multi-instance deployments behind a load balancer.",[162,685,686],{},"Request IDs expire after 5 minutes.",[175,688,690],{"id":689},"api-endpoints","API endpoints",[229,692,694],{"id":693},"public","Public",[238,696,697,709],{},[241,698,699],{},[244,700,701,704,707],{},[247,702,703],{},"Method",[247,705,706],{},"URL",[247,708,252],{},[254,710,711,724,736],{},[244,712,713,716,721],{},[259,714,715],{},"GET",[259,717,718],{},[190,719,720],{},"/module/sso/providers?domain={domain}",[259,722,723],{},"Check if SSO is configured for a domain",[244,725,726,728,733],{},[259,727,715],{},[259,729,730],{},[190,731,732],{},"/module/sso/login/{configId}",[259,734,735],{},"Initiate SSO login (redirects to IdP)",[244,737,738,741,746],{},[259,739,740],{},"GET/POST",[259,742,743],{},[190,744,745],{},"/module/sso/callback/{configId}",[259,747,748],{},"Handle IdP callback",[229,750,752],{"id":751},"admin-requires-authentication-org-admin-role","Admin (requires authentication + org admin role)",[238,754,755,765],{},[241,756,757],{},[244,758,759,761,763],{},[247,760,703],{},[247,762,706],{},[247,764,252],{},[254,766,767,779,791,804,817],{},[244,768,769,771,776],{},[259,770,715],{},[259,772,773],{},[190,774,775],{},"/module/sso/admin/metadata?url={metadataUrl}",[259,777,778],{},"Parse SAML metadata XML from URL",[244,780,781,783,788],{},[259,782,715],{},[259,784,785],{},[190,786,787],{},"/module/sso/admin/configs?organizationId={id}",[259,789,790],{},"List SSO configs for an organization",[244,792,793,796,801],{},[259,794,795],{},"POST",[259,797,798],{},[190,799,800],{},"/module/sso/admin/configs",[259,802,803],{},"Create SSO config",[244,805,806,809,814],{},[259,807,808],{},"PATCH",[259,810,811],{},[190,812,813],{},"/module/sso/admin/configs/{configId}",[259,815,816],{},"Update SSO config",[244,818,819,822,826],{},[259,820,821],{},"DELETE",[259,823,824],{},[190,825,813],{},[259,827,828],{},"Delete SSO config",[175,830,832],{"id":831},"database-tables","Database tables",[238,834,835,845],{},[241,836,837],{},[244,838,839,842],{},[247,840,841],{},"Table",[247,843,844],{},"Purpose",[254,846,847,857,867],{},[244,848,849,854],{},[259,850,851],{},[190,852,853],{},"tv_auth.sso_configs",[259,855,856],{},"SSO provider configurations (SAML/OIDC settings per organization)",[244,858,859,864],{},[259,860,861],{},[190,862,863],{},"tv_auth.sso_identities",[259,865,866],{},"Links between TaskView users and their external SSO identities",[244,868,869,874],{},[259,870,871],{},[190,872,873],{},"tv_auth.saml_request_cache",[259,875,876],{},"SAML request ID cache for replay attack prevention",[175,878,880],{"id":879},"troubleshooting","Troubleshooting",[162,882,883,886],{},[166,884,885],{},"\"SSO not configured\" when entering email"," - No SSO config exists for this email domain. Create one in organization settings.",[162,888,889,892],{},[166,890,891],{},"\"Invalid requester\" (SAML)"," - SP Entity ID in TaskView doesn't match Client ID in your IdP. They must be identical.",[162,894,895,898],{},[166,896,897],{},"\"Invalid signature\" (SAML)"," - IdP Certificate in TaskView is wrong or outdated. Re-sync from metadata URL or copy the certificate from your IdP's metadata XML.",[162,900,901,904],{},[166,902,903],{},"\"Invalid document signature\" (SAML)"," - The document (response) signature validation failed. Verify the IdP certificate is correct and re-sync from metadata URL.",[162,906,907,910,911,914],{},[166,908,909],{},"\"Failed to initiate SSO login\" (OIDC)"," - Issuer URL is wrong, or the IdP is unreachable. Verify the URL by opening ",[190,912,913],{},"{issuer}/.well-known/openid-configuration"," in a browser.",[162,916,917,920],{},[166,918,919],{},"\"Invalid parameter: redirect_uri\" (OIDC)"," - Callback URL in TaskView doesn't match \"Valid redirect URIs\" in your IdP. Copy the callback URL from TaskView's SSO settings and add it to your IdP.",[162,922,923,926],{},[166,924,925],{},"User logged in as wrong person"," - The IdP has an active session for another user. This is normal SSO behavior - the IdP controls sessions, not TaskView. Use a different browser or incognito window to test with a different user.",[928,929,930],"style",{},"html pre.shiki code .sBMFI, html code.shiki .sBMFI{--shiki-light:#E2931D;--shiki-default:#FFCB6B;--shiki-dark:#FFCB6B}html pre.shiki code .sfazB, html code.shiki .sfazB{--shiki-light:#91B859;--shiki-default:#C3E88D;--shiki-dark:#C3E88D}html pre.shiki code .sbssI, html code.shiki .sbssI{--shiki-light:#F76D47;--shiki-default:#F78C6C;--shiki-dark:#F78C6C}html pre.shiki code .sMK4o, html code.shiki .sMK4o{--shiki-light:#39ADB5;--shiki-default:#89DDFF;--shiki-dark:#89DDFF}html .light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html.light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}",{"title":423,"searchDepth":932,"depth":932,"links":933},2,[934,935,941,942,943,944,948,949],{"id":177,"depth":932,"text":178},{"id":211,"depth":932,"text":212,"children":936},[937,939,940],{"id":231,"depth":938,"text":168},3,{"id":349,"depth":938,"text":350},{"id":512,"depth":938,"text":172},{"id":607,"depth":932,"text":608},{"id":633,"depth":932,"text":634},{"id":671,"depth":932,"text":672},{"id":689,"depth":932,"text":690,"children":945},[946,947],{"id":693,"depth":938,"text":694},{"id":751,"depth":938,"text":752},{"id":831,"depth":932,"text":832},{"id":879,"depth":932,"text":880},"Configure SAML 2.0 or OpenID Connect SSO for your organization. Users authenticate through your corporate identity provider (Okta, Azure AD, Google Workspace, Keycloak) and get automatic access to TaskView.","md",{},{"icon":42},{"title":39,"description":950},"pysKxFgDQdPNPVpqG1Q6LpiL5vficLhMRgzQuddVjV8",[957,959],{"title":34,"path":35,"stem":36,"description":958,"icon":37,"children":-1},"Group projects and team members under organizations in TaskView. Manage access with organization-level roles - owner, admin, and member. Each organization has its own members, projects, and settings.",{"title":44,"path":45,"stem":46,"description":960,"icon":47,"children":-1},"Create and manage tasks in TaskView - subtasks, deadlines, priorities, assignees, tags, rich-text notes, financial tracking, and full change history with restore. Self-hosted task tracking with no limits.",1783289464129]