Authentication
Orvanta provides flexible authentication options to ensure secure access to the platform. Users can authenticate through Single Sign-On (SSO) restricted to an authorized domain, or with an e-mail address and password when added manually by a superadmin.
Restricted domain authentication
Orvanta supports authentication through SSO for users with email addresses from a restricted domain. This allows organizations to control access to Orvanta based on their domain policy. Users with email addresses from the authorized domain can authenticate seamlessly using their SSO credentials.
To enable restricted domain authentication, an administrator can configure the authorized domain in the OAuth configuration by setting allowed_domains to the desired domains (e.g., orvanta.cloud to accept only Google/Microsoft logins with an orvanta.cloud address). Once configured, users with email addresses from the authorized domain will be able to log in using their SSO provider.
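The check an allowed_domains setting implies is an exact, case-insensitive match on the domain part of the e-mail the SSO provider returns. The following is an added example, not Orvanta's own code: the function names and the sample addresses (orvanta.cloud plus a few constructed near-misses) are illustrative assumptions.

```python
# Added example, not Orvanta's own code: exact-match allow-listing of the
# e-mail domain returned by an SSO provider. Function names and sample
# addresses are constructed for illustration.
from typing import Iterable, List, Optional, Tuple


def email_domain(email: str) -> Optional[str]:
    """Return the lowercased domain of an e-mail address, or None if malformed.

    rpartition splits on the *last* '@', so a local part that itself
    contains '@' cannot place a different domain in front of the real one.
    """
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain:
        return None
    return domain.lower()


def is_allowed(email: str, allowed_domains: Iterable[str]) -> bool:
    """True only if the domain is exactly one of the allowed domains.

    The exact comparison is what makes the restriction hold: a suffix check
    (email.endswith("orvanta.cloud")) would also accept 'eve@notorvanta.cloud',
    and a substring check would accept 'eve@orvanta.cloud.example.net'.
    """
    domain = email_domain(email)
    if domain is None:
        return False
    return domain in {d.strip().lower() for d in allowed_domains}


def partition_logins(
    emails: Iterable[str], allowed_domains: Iterable[str]
) -> Tuple[List[str], List[str]]:
    """Split a batch of SSO e-mails into (accepted, rejected) lists."""
    accepted: List[str] = []
    rejected: List[str] = []
    allowed = list(allowed_domains)
    for email in emails:
        (accepted if is_allowed(email, allowed) else rejected).append(email)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample: the allow-listed domain from the docs plus near-misses.
    sample = [
        "alice@orvanta.cloud",
        "Bob@ORVANTA.CLOUD",
        "eve@notorvanta.cloud",
        "eve@orvanta.cloud.example.net",
        "not-an-email",
    ]
    ok, rejected = partition_logins(sample, ["orvanta.cloud"])
    print("accepted:", ok)
    print("rejected:", rejected)
```

Whatever the login path, keep the allow-list comparison on the normalized (lowercased) domain so that two spellings of the same address cannot end up as two different decisions.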
Manually add users to an Orvanta instance
As a superadmin of the instance, you have the ability to manually add users to the Orvanta instance. This is useful for inviting users who do not have SSO credentials or for providing access to individuals outside the restricted domain.
To manually add users:
- Log in to the Orvanta instance as a superadmin.
- Click on your username and pick Instance settings.
- Fill in:
  - Email: the email address of the user.
  - Password: a password for the user’s account.
  - Name (optional): the name of the user.
  - Company (optional): the company or organization the user belongs to.
- Click “Add user to instance”.
If SMTP is configured, an email will be sent to the user with their account details and instructions for accessing Orvanta.
By default, users are not invited to any workspace unless auto-add has been set up.
Adding users to a workspace
Once added to an instance, users can create their own workspace. However, by default they will not be invited to any workspace.
Orvanta can be configured to remove the ability for non-superadmins to create workspaces using the CREATE_WORKSPACE_REQUIRE_SUPERADMIN environment variable.
Manually
From the Workspace settings, in the Users & Invites tab, any admin can manually add users, filling in:
- email: the email address linked to the Orvanta account.
- user: the username (specific to the workspace).
Users can be given roles Operator, Developer or Admin. Any user can also be manually removed.
The user will be added to the workspace even if no Orvanta account exists for that email yet. Once the matching Orvanta account is created, the workspace will be available from the “Select a workspace” menu.
You can also choose to invite users instead of adding them directly. You only need to fill in the users’ email and they will have to pick the username.
If SMTP is configured, the invite will be sent even if no Orvanta account exists for that email yet. Once the matching Orvanta account is created, the invite will be available from the “Select a workspace” menu.
Auto-add
You can automatically add new users to the workspace as members, with no invite step required.
From the Workspace settings, in the Users & Invites tab, enable “Auto-add new users”. New users on the instance are inserted directly as workspace members the next time they log in.
You can also choose whether auto-added users join as operators or developers.
Domain-based auto-add (only adding users whose email matches a specific domain) is only available on Orvanta Cloud, where the instance is multi-tenant. On self-hosted instances, all new users are auto-added regardless of email domain.
Password reset
When SMTP is configured on the instance, users who authenticate with email/password can reset their password from the login page.
A “Forgot password?” link appears below the password field on the login page. The user enters their email address and receives a reset link valid for 1 hour. After clicking the link, they can set a new password. For security, the reset page always shows a success message regardless of whether the email exists, to prevent email enumeration.
Password reset is only available for users with password login type (not SSO users) and requires SMTP to be configured on the instance.
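To make the properties described above concrete (reset links valid for 1 hour, a uniform response whether or not the address exists, and password-login users only), here is an added example of an enumeration-safe reset flow. It is not Orvanta's own code: the class and function names, the in-memory user and token stores standing in for a database, and the outbox standing in for SMTP are all assumptions, and the user list and clock values are constructed.

```python
# Added example, not Orvanta's own code: an enumeration-safe password-reset
# flow. Stores are in-memory stand-ins; users and clock values are constructed.
import hashlib
import secrets
import time
from typing import Callable, Dict, List, Tuple

RESET_TTL_SECONDS = 3600  # reset link valid for 1 hour, as the docs state
UNIFORM_RESPONSE = "If an account exists for that address, a reset link has been sent."
PBKDF2_ROUNDS = 200_000


class ResetService:
    def __init__(self, login_types: Dict[str, str], now: Callable[[], float] = time.time):
        # login_types: lowercased e-mail -> "password" or "sso" (assumed schema)
        self.login_types = login_types
        self.now = now
        self.outbox: List[Tuple[str, str]] = []           # stand-in for SMTP: (email, token)
        self._pending: Dict[str, Tuple[str, float]] = {}  # sha256(token) -> (email, expires_at)
        self.password_hashes: Dict[str, bytes] = {}       # email -> salt + pbkdf2 digest

    @staticmethod
    def _digest(token: str) -> str:
        # Only a hash of the token is stored, so a leaked token table cannot be replayed.
        return hashlib.sha256(token.encode()).hexdigest()

    def request_reset(self, email: str) -> str:
        email = email.strip().lower()
        if self.login_types.get(email) == "password":
            token = secrets.token_urlsafe(32)
            self._pending[self._digest(token)] = (email, self.now() + RESET_TTL_SECONDS)
            self.outbox.append((email, token))
        # Unknown addresses and SSO-only users get exactly the same message as
        # real password users, so the response cannot be used to enumerate accounts.
        return UNIFORM_RESPONSE

    def redeem(self, token: str, new_password: str) -> bool:
        entry = self._pending.pop(self._digest(token), None)  # pop: tokens are single use
        if entry is None:
            return False
        email, expires_at = entry
        if self.now() > expires_at:
            return False
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, PBKDF2_ROUNDS)
        self.password_hashes[email] = salt + digest
        return True

    def verify_password(self, email: str, password: str) -> bool:
        stored = self.password_hashes.get(email.strip().lower())
        if stored is None:
            return False
        salt, digest = stored[:16], stored[16:]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        return secrets.compare_digest(candidate, digest)


if __name__ == "__main__":
    svc = ResetService({"alice@orvanta.cloud": "password", "bob@orvanta.cloud": "sso"})
    for addr in ("alice@orvanta.cloud", "bob@orvanta.cloud", "nobody@orvanta.cloud"):
        print(addr, "->", svc.request_reset(addr))
    print("mails actually sent:", [m[0] for m in svc.outbox])
```

The design points worth copying are the ones the docs call out: the response text and status are identical for every input, the only observable difference is whether a mail leaves the server, and the token is short-lived and single use. Timing is the remaining side channel; a real deployment should make the no-account path take as long as the mail-sending path.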
Login domain normalization
The LOGIN_DOMAIN environment variable can be set on the server to normalize emails during external login. When set, if an external login provides a username without an @ domain, Orvanta automatically appends @{LOGIN_DOMAIN} to form a complete email address. All emails are also lowercased for consistency.
This is useful when integrating with identity providers that may send usernames instead of full email addresses.
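The normalization LOGIN_DOMAIN describes, written out as an added example (not Orvanta's own code). The function names are assumptions, the sample identities are constructed, and one behaviour is this example's own choice rather than documented: a bare username arriving while LOGIN_DOMAIN is unset is rejected instead of being accepted without a domain.

```python
# Added example, not Orvanta's own code: LOGIN_DOMAIN-style normalization of
# the identity an external provider returns. Names and samples are constructed.
import os
from typing import Mapping, Optional


def normalize_external_login(identity: str, login_domain: Optional[str]) -> str:
    """Return the canonical, lowercased e-mail for an external login.

    A bare username gets '@<login_domain>' appended; an identity that already
    carries a domain is left as-is. Everything is lowercased so that 'JDoe'
    and 'jdoe@Orvanta.Cloud' resolve to the same account rather than two.
    """
    ident = identity.strip()
    if not ident:
        raise ValueError("empty login identity")
    if "@" not in ident:
        # Assumption of this example: refuse rather than create a domain-less
        # account when the server has no LOGIN_DOMAIN to append.
        if not login_domain or not login_domain.strip():
            raise ValueError("bare username received but LOGIN_DOMAIN is not set")
        ident = f"{ident}@{login_domain.strip()}"
    return ident.lower()


def normalize_from_env(identity: str, environ: Mapping[str, str] = os.environ) -> str:
    """Same normalization, reading LOGIN_DOMAIN from the server environment."""
    return normalize_external_login(identity, environ.get("LOGIN_DOMAIN"))


if __name__ == "__main__":
    fake_env = {"LOGIN_DOMAIN": "Orvanta.Cloud"}  # constructed, not read from a real server
    for raw in ("JDoe", "Jane@Other.Example", " mlee "):
        print(repr(raw), "->", normalize_from_env(raw, fake_env))
```

Because lowercasing happens last, a provider that switches between "JDoe" and "jdoe@orvanta.cloud" for the same person still lands on one account, which is the consistency the setting is meant to give.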
SCIM/SAML
Orvanta supports SCIM and SAML for user provisioning and authentication. When SCIM is configured, groups from your identity provider are automatically synchronized as instance groups, eliminating the need for manual group management.