Enterprise Auth and Sessions
Hunch includes enterprise identity controls for teams that need SSO, provisioning, and stricter login policy.
SSO connection types
Hunch supports:
- OIDC
- SAML
For each connection you can configure:
- display name
- slug
- allowed email domains
- default workspace role for auto-provisioned users
- whether password login remains allowed
- whether users are auto-provisioned
OIDC
OIDC connections are configured with the standard provider settings:
- issuer
- client ID
- client secret
- authorization endpoint
- token endpoint
- userinfo endpoint
- JWKS URI
- scopes
SAML
SAML connections support:
- service provider metadata
- identity provider entity ID
- SSO URL
- optional SLO URL
- IdP signing certificate
Discovery-based sign-in routing
The login flow can discover the correct enterprise connection based on the email address the user enters, then route the user into the matching OIDC or SAML flow.
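The domain-to-connection lookup described above, as an added example (illustrative code, not Hunch's own). It assumes a connection record with the fields listed under SSO connection types (the `SsoConnection` class, its field names and the returned dictionary shape are assumptions) and shows the checks a practitioner wants around discovery: normalize the address before matching, match domains exactly rather than by suffix (so `acme.example.evil.example` never routes to the `acme.example` connection), and fail closed when two connections claim the same domain instead of guessing.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SsoConnection:
    slug: str                            # e.g. "acme-okta"; assumed field names
    protocol: str                        # "oidc" or "saml"
    allowed_domains: frozenset           # configured allowed email domains, lowercase
    password_login_allowed: bool = False # per-connection "password login remains allowed" switch


def email_domain(email):
    """Return the normalized domain of `email`, or None if it is not a plausible address:
    exactly one '@', non-empty local part, no whitespace, lowercase, at least two labels."""
    if not isinstance(email, str):
        return None
    email = email.strip()
    if email.count("@") != 1 or any(c.isspace() for c in email):
        return None
    local, domain = email.split("@")
    domain = domain.lower().rstrip(".")          # "acme.example." and "ACME.example" are the same domain
    labels = domain.split(".")
    if not local or len(labels) < 2 or not all(l and l.replace("-", "").isalnum() for l in labels):
        return None
    return domain


def route_login(email, connections, password_login_default=True):
    """Pick the sign-in path for `email` using exact domain matching only.
    Returns a dict with method 'sso', 'password' or 'reject' (plus details)."""
    domain = email_domain(email)
    if domain is None:
        return {"method": "reject", "reason": "invalid email"}
    matches = [c for c in connections if domain in c.allowed_domains]
    if len(matches) > 1:
        # Two connections claim one domain: a misconfiguration. Fail closed rather than
        # pick one, since the wrong choice could bypass the stricter connection's policy.
        return {"method": "reject", "reason": "ambiguous domain"}
    if matches:
        c = matches[0]
        return {"method": "sso", "protocol": c.protocol, "connection": c.slug,
                "password_fallback": c.password_login_allowed}
    if password_login_default:
        return {"method": "password"}          # no enterprise connection for this domain
    return {"method": "reject", "reason": "no connection for domain"}
```

Keep the configured domains lowercase and compare in that form; if you accept internationalized domains, apply the same normalization (for example IDNA encoding) on both the configured and the entered side, or the match will silently fail.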
Session policy
Workspace owners can set a stricter session policy, including:
- require SSO
- allow or block password login
- enforce a single active session
- require MFA for admin users
- access-token TTL
- idle timeout
- refresh-token TTL
- allowed email domains
- IP allowlist enforcement
Active sessions
The settings area exposes active login sessions so operators can:
- inspect recent sessions
- revoke a single session
- revoke all other sessions
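An added example of how the session-policy fields and the session revocation controls above combine at request time. This is illustrative code, not Hunch's implementation: the `SessionPolicy` and `Session` field names, the decision labels and the check order are assumptions. The IP allowlist is evaluated first and an unparsable client address fails closed; an expired refresh token or an exceeded idle timeout sends the user back through login; an admin without MFA is held at an MFA step; an expired access token with a live refresh token is a silent renewal. `sessions_to_revoke` is the single-active-session rule, which does automatically what the "revoke all other sessions" control does by hand.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import ipaddress


@dataclass(frozen=True)
class SessionPolicy:                     # assumed field names mirroring the policy list above
    access_token_ttl: timedelta
    idle_timeout: timedelta
    refresh_token_ttl: timedelta
    ip_allowlist: tuple = ()             # CIDR strings; empty tuple = no IP restriction
    require_mfa_for_admins: bool = True
    single_active_session: bool = False


@dataclass
class Session:
    sid: str
    user: str
    access_issued_at: datetime
    refresh_issued_at: datetime
    last_seen_at: datetime
    client_ip: str
    is_admin: bool = False
    mfa_verified: bool = False


def ip_allowed(client_ip, allowlist):
    if not allowlist:
        return True
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:                   # garbage (e.g. a forged forwarded header): fail closed
        return False
    return any(addr in ipaddress.ip_network(cidr, strict=False) for cidr in allowlist)


def evaluate_session(s, p, now):
    """Return 'ok', 'refresh' (mint a new access token silently), 'reauth' (back through login),
    'mfa_required' or 'deny'. Strongest verdict first, so a caller that stops at the first
    problem still fails closed."""
    if not ip_allowed(s.client_ip, p.ip_allowlist):
        return "deny"
    if now - s.refresh_issued_at >= p.refresh_token_ttl:
        return "reauth"                  # nothing left to renew with
    if now - s.last_seen_at >= p.idle_timeout:
        return "reauth"                  # idle too long even if the tokens are technically valid
    if s.is_admin and p.require_mfa_for_admins and not s.mfa_verified:
        return "mfa_required"
    if now - s.access_issued_at >= p.access_token_ttl:
        return "refresh"
    return "ok"


def sessions_to_revoke(sessions, user, keep_sid, policy):
    """With single_active_session on, a new login for `user` revokes that user's other sessions."""
    if not policy.single_active_session:
        return []
    return [s.sid for s in sessions if s.user == user and s.sid != keep_sid]


NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)   # constructed reference time for the demo


def demo(policy=None):
    """Evaluate six constructed sessions against a 15 min / 1 h / 7 d policy with a 10/8 allowlist."""
    p = policy or SessionPolicy(timedelta(minutes=15), timedelta(hours=1), timedelta(days=7), ("10.0.0.0/8",))
    ago = lambda **kw: NOW - timedelta(**kw)
    base = dict(user="alice", refresh_issued_at=ago(days=1), last_seen_at=ago(minutes=5), client_ip="10.1.2.3")
    cases = {
        "fresh":        Session("s1", access_issued_at=ago(minutes=5), **base),
        "access_stale": Session("s2", access_issued_at=ago(minutes=20), **base),
        "idle":         Session("s3", **{**base, "access_issued_at": ago(hours=2), "last_seen_at": ago(hours=2)}),
        "refresh_dead": Session("s4", **{**base, "access_issued_at": ago(minutes=5), "refresh_issued_at": ago(days=8)}),
        "off_net":      Session("s5", **{**base, "access_issued_at": ago(minutes=5), "client_ip": "192.0.2.10"}),
        "admin_no_mfa": Session("s6", access_issued_at=ago(minutes=5), is_admin=True, **base),
    }
    return {name: evaluate_session(s, p, NOW) for name, s in cases.items()}
```

Compare against a server clock, never a timestamp the client supplies, and treat `last_seen_at` updates as part of the same check so an idle session cannot be kept alive by a request that is itself rejected.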
SCIM provisioning
Hunch supports SCIM token issuance and user provisioning endpoints so identity providers can:
- list users
- create users
- update users
- deactivate users
SCIM tokens are created and revoked from Settings. A token's value is shown only once, when it is created, so copy it immediately into your identity provider's SCIM configuration; if a token is lost or exposed, revoke it there and issue a new one.
Base path:
https://api.hunchbank.com/auth/scim/v2
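An added example SCIM client for the provisioning flow above. It is not Hunch's code: only the base path comes from the page, and the request shapes are standard SCIM 2.0 (RFC 7644) rather than anything Hunch-specific: a filter lookup by `userName`, a `POST` to create, and a `PATCH` that sets `active` to false to deactivate. The HTTP transport is injected, and the `FakeScimServer` is a constructed in-memory stand-in for the `/Users` endpoints so the example runs offline; the token value in `demo` is likewise constructed.

```python
import json, re
from urllib.parse import parse_qs, quote, urlparse

SCIM_BASE = "https://api.hunchbank.com/auth/scim/v2"          # base path from the page
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


def scim_literal(value):
    """Escape a value for a SCIM filter string literal (JSON-style escaping per RFC 7644)."""
    return value.replace("\\", "\\\\").replace('"', '\\"')


class ScimClient:
    """SCIM 2.0 client. `transport(method, url, headers, body)` returns (status, body_bytes),
    so the same code runs against the offline FakeScimServer or a real HTTPS transport."""

    def __init__(self, token, transport, base=SCIM_BASE):
        self.token, self.transport, self.base = token, transport, base

    def _call(self, method, path, body=None):
        headers = {"Authorization": "Bearer " + self.token, "Accept": "application/scim+json"}
        data = None
        if body is not None:
            headers["Content-Type"] = "application/scim+json"
            data = json.dumps(body).encode()
        status, raw = self.transport(method, self.base + path, headers, data)
        if status in (401, 403):
            raise PermissionError("SCIM token rejected: revoked, or the wrong value was pasted")
        if status >= 400:
            raise RuntimeError("SCIM %s %s -> %d %r" % (method, path, status, raw[:200]))
        return json.loads(raw) if raw else None

    def find_by_username(self, username):
        flt = 'userName eq "%s"' % scim_literal(username)
        res = self._call("GET", "/Users?filter=" + quote(flt, safe=""))
        return res["Resources"][0] if res.get("totalResults", 0) else None

    def create_user(self, username, given, family):
        return self._call("POST", "/Users", {
            "schemas": [USER_SCHEMA], "userName": username,
            "name": {"givenName": given, "familyName": family},
            "emails": [{"value": username, "primary": True}], "active": True})

    def ensure_user(self, username, given, family):
        # Look up before creating, so a retried push never produces a duplicate account.
        return self.find_by_username(username) or self.create_user(username, given, family)

    def deactivate(self, user_id):
        # Deprovision with PATCH active:false rather than DELETE, so the record survives for audit.
        return self._call("PATCH", "/Users/" + quote(user_id, safe=""), {
            "schemas": [PATCH_SCHEMA],
            "Operations": [{"op": "replace", "path": "active", "value": False}]})


class FakeScimServer:
    """Constructed in-memory stand-in for the /Users endpoints; exists only so the demo runs offline."""

    def __init__(self, valid_token):
        self.valid_token, self.users, self._seq = valid_token, {}, 0

    def __call__(self, method, url, headers, data):
        if headers.get("Authorization") != "Bearer " + self.valid_token:
            return 401, b""                                   # unknown or revoked token
        parsed = urlparse(url)
        path = parsed.path[len(urlparse(SCIM_BASE).path):]
        if method == "GET" and path == "/Users":
            flt = parse_qs(parsed.query).get("filter", [""])[0]
            m = re.fullmatch(r'userName eq "((?:[^"\\]|\\.)*)"', flt)
            want = m.group(1).replace('\\"', '"').replace("\\\\", "\\") if m else None
            hits = [u for u in self.users.values() if u["userName"] == want]
            return 200, json.dumps({"schemas": [LIST_SCHEMA], "totalResults": len(hits),
                                    "Resources": hits}).encode()
        if method == "POST" and path == "/Users":
            self._seq += 1
            user = dict(json.loads(data), id="u%d" % self._seq)
            self.users[user["id"]] = user
            return 201, json.dumps(user).encode()
        if method == "PATCH" and path.startswith("/Users/"):
            user = self.users.get(path[len("/Users/"):])
            if user is None:
                return 404, b""
            for op in json.loads(data)["Operations"]:
                if op["op"] == "replace" and op["path"] == "active":
                    user["active"] = op["value"]
            return 200, json.dumps(user).encode()
        return 404, b""


def demo():
    """Provision alice twice (the second call must not duplicate her), then deactivate her."""
    token = "scim-token-constructed-for-demo"              # constructed; real ones come from Settings
    client = ScimClient(token, FakeScimServer(token))
    first = client.ensure_user("alice@acme.example", "Alice", "Ng")
    second = client.ensure_user("alice@acme.example", "Alice", "Ng")
    deactivated = client.deactivate(first["id"])
    return first["id"] == second["id"], deactivated["active"], len(client.transport.users)
```

A real transport is a few lines around `urllib.request.Request(url, data=data, headers=headers, method=method)` that return the response status and body, catching `urllib.error.HTTPError` to return its `code` and body the same way. Keep the bearer token out of logs and URLs; it only ever belongs in the `Authorization` header.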
Recommendations
- Use domain-restricted discovery so the correct SSO path is selected automatically.
- Keep password login disabled when your identity provider is the source of truth.
- Pair SSO with SCIM if you want cleaner deprovisioning.
- Review active sessions regularly for privileged operators.
See also: