A build-to-order SAML 2.0 Service Provider for Odoo that brings your instance under corporate SSO with Azure AD, Okta, Google Workspace, or OneLogin — including SP- and IdP-initiated login, just-in-time provisioning, and IdP-group-to-Odoo-group mapping. ECOSIRE scopes, builds, installs, and supports it for Odoo 17.0, 18.0, and 19.0. Built to order by ECOSIRE for Odoo 17, 18, 19 — indicative price from $399.00 USD; request a quote for a scoped proposal.

A build-to-order SAML 2.0 Service Provider for Odoo that brings your instance under corporate SSO with Azure AD, Okta, Google Workspace, or OneLogin — including SP- and IdP-initiated login, just-in-time provisioning, and IdP-group-to-Odoo-group mapping. ECOSIRE scopes, builds, installs, and supports it for Odoo 17.0, 18.0, and 19.0.
Şimdi ödeme yok. Bu, ekibimize bir teklif talebi gönderir — fiyat ve sonraki adımlarla e-posta ile dönüş yapacağız.
Once your organization standardizes identity on Azure AD (Entra ID) or Okta, every system that still holds its own username and password becomes an audit finding and a helpdesk ticket. Odoo out of the box authenticates against its own res.users table with local passwords; the built-in auth_signup and OAuth2 paths cover social/Google-style logins but do not speak SAML 2.0, cannot consume a corporate IdP's signed assertions, and give your security team no way to enforce a single sign-on policy, drive Odoo group membership from IdP claims, or terminate the Odoo session when the IdP session ends. That is exactly where a native Odoo SAML Service Provider is required — and it is what we build for you.
SAML 2.0 Service Provider supporting both SP-initiated and IdP-initiated login against a single Assertion Consumer Service (ACS) endpoint
One-click IdP onboarding by pasting a metadata URL or XML — entity ID, SSO/SLO endpoints, and signing certificates are ingested automatically for Azure AD (Entra ID), Okta, Google Workspace, OneLogin, or any conformant SAML 2.0 IdP
Signed AuthnRequest generation with configurable NameID format and requested authentication context
Assertion signature verification plus optional assertion/element decryption, with SP certificate and private key managed from the Odoo UI
Just-in-time user provisioning that creates res.users records on first SAML login from a configurable attribute-to-field mapping
Attribute-to-group mapping that drives Odoo security groups from IdP roles/groups and re-evaluates them on every login
ECOSIRE delivers a clean-room SAML 2.0 Service Provider implemented on the standards-compliant python3-saml toolkit, packaged as a proper Odoo module with its own __manifest__.py, ORM models (models.Model with fields, @api.depends computes), ir.model.access.csv plus record rules, and OWL/XML configuration views. It plugs into Odoo's authentication pipeline so both SP-initiated login (user starts at Odoo, gets redirected to the IdP) and IdP-initiated login (user launches Odoo from their IdP dashboard) work against the same Assertion Consumer Service (ACS) endpoint. You configure each IdP by pasting its metadata URL or XML — Azure AD, Okta, Google Workspace, OneLogin, or any conformant SAML 2.0 provider — and the module ingests entity ID, SSO/SLO endpoints, and signing certificates automatically.
Under the hood the build handles the parts that make SAML safe rather than merely functional: signed AuthnRequest generation, signature verification and optional decryption of returned assertions, audience/recipient validation, clock-skew tolerance, and replay protection so a captured assertion cannot be re-presented. SP certificate and key material are managed from the Odoo UI, and the module exposes downloadable SP metadata plus the ACS and entity-ID endpoints so your IdP admin can register Odoo in minutes. On successful login the configurable attribute mapping drives just-in-time provisioning — new res.users records are created from IdP attributes on first login — and an attribute-to-group map re-evaluates Odoo security groups on every authentication, so a change to a user's IdP role or group takes effect the next time they sign in. Single Logout (SLO), per-IdP email-domain allow-lists, an optional "SSO required" mode that disables local password login for mapped users, configurable login-button branding on the sign-in screen, and per-assertion login audit entries round out the feature set. A guarded local-admin fallback URL ensures your administrators are never locked out if the IdP is unreachable.
Because this is a made-to-order build and not an off-the-shelf download, delivery starts with a short scoping call to confirm your IdP(s), attribute schema, group-mapping rules, provisioning policy, and target Odoo version and edition (Community vs Enterprise, 17.0 / 18.0 / 19.0). We then build and unit-test against your scope, stand it up on a staging instance for UAT with your real IdP metadata, and cut over to production with a documented rollback. Typical delivery is 2–4 weeks from confirmed scope, depending on the number of identity providers and the complexity of your group model.
Pricing starts from $399 (indicative, single-company base scope with one identity provider); additional IdP integrations, multi-company or multi-database SSO topologies, complex attribute-to-group rule sets, and custom provisioning or deprovisioning logic increase the quoted scope. You receive a fixed quote after the scoping call.
Owns Azure AD or Okta and is tasked with bringing every SaaS and on-prem app, including Odoo, under corporate SSO. Needs one-click metadata onboarding, JIT provisioning, and group mapping so joiners/movers/leavers are handled by the IdP rather than by manual res.users edits.
Must eliminate standalone passwords, enforce MFA at the IdP, and produce an auditable login trail. Cares about signed/encrypted assertions, replay and clock-skew protection, 'SSO required' enforcement, Single Logout, and per-assertion audit entries for review.
Responsible for a live Odoo deployment across Community or Enterprise, 17.0–19.0. Needs SSO added without disrupting existing users, a safe admin fallback so nobody is locked out, and a clean, upgrade-friendly module rather than fragile core patches.
Rolls out Odoo for multiple clients and wants a repeatable, documented SAML SSO component with git handover, per-IdP configuration, and multi-company topology support to standardize identity across engagements.
Lisansı ecosire.com adresinden satın alın ve hesap kontrol panelinizden SAML 2.0 Single Sign-On modülünün ZIP dosyasını indirin.
ZIP'i sunucudaki Odoo özel eklentiler klasörünüze çıkarın (veya Uygulamalar > Odoo.sh / runbot'taki dosyadan yükle yoluyla yükleyin).
Geliştirici Modunu etkinleştirin, Uygulamalar'ı açın, Uygulama Listesini Güncelle'ye tıklayın, SAML 2.0 Single Sign-On'i arayın ve Yükle'ye basın.
Yeni menüyü açın, ECOSIRE lisans anahtarınızı yapıştırın, tüm harici kimlik bilgilerini (Shopify, Amazon, Stripe vb.) bağlayın ve kaydedin.
Yerleşik bağlantı testini çalıştırın, ilk 10 kaydınızı senkronize edin ve yinelenen cronu planlayın. Herhangi bir sorun olursa desteğe başvurun.
| Kriter | ECOSIRE | Özel Yapı | Rakip | Odoo Yerlisi |
|---|---|---|---|---|
| SAML 2.0 protocol support | Full SP with SP- and IdP-initiated flows, signed/encrypted assertions | Possible but you build the protocol handling and hardening yourself | Usually basic SP-initiated only; encryption/SLO often absent | |
| IdP onboarding | Paste metadata URL/XML; auto-ingests endpoints and certs | Depends entirely on how you build it | Often manual field-by-field entry | |
| JIT provisioning & group mapping | Auto-create users + IdP-group-to-Odoo-group on every login | Must be designed and coded from scratch | JIT sometimes present; group mapping frequently limited | |
| Assertion security | Audience/recipient checks, clock-skew tolerance, replay protection | Only as thorough as your own implementation | Varies; hardening often incomplete | |
| Admin lockout safety | Guarded local-admin fallback URL + optional 'SSO required' mode | You must design the fallback yourself | Fallback not guaranteed | |
| Fit & maintainability | Scoped to your IdPs; clean module, upgrade-friendly, full source | Fully bespoke but you own all maintenance | Generic; customization needs vendor or forking | |
| Odoo version coverage | Built and tested for 17.0, 18.0, 19.0 (Community/Enterprise) | Whatever you target and maintain | Often lags new Odoo releases | |
| Support & delivery | Scoping, staging UAT, rollback, training, post-go-live support window | Self-supported or separate contractor | Ticket-based vendor support, no tailoring |
Any conformant SAML 2.0 identity provider. We explicitly configure and test Azure AD (Entra ID), Okta, Google Workspace, and OneLogin as part of the standard scope; other IdPs that publish standard SAML metadata work the same way. Onboarding is by pasting the IdP metadata URL or XML — entity ID, SSO/SLO endpoints, and signing certificates are ingested automatically.
This is a build-to-order product, not an instant download. Typical delivery is 2–4 weeks from confirmed scope. The exact timeline depends on the number of identity providers, the complexity of your attribute and group-mapping rules, and any multi-company requirements — all agreed on the scoping call before work begins.
Pricing starts from $399 (indicative, single-company base scope with one identity provider). Additional IdP integrations, multi-company or multi-database topologies, complex group-mapping logic, and custom provisioning rules increase the scope. After a short scoping call we issue a fixed, written quote — you approve that before we start building.
Existing res.users records stay intact. You choose the rollout policy: run SSO alongside local login during transition, restrict it to specific email domains, or enable 'SSO required' mode to disable password login for mapped users once you're confident. A guarded local-admin fallback URL always remains so administrators cannot be locked out if the IdP is unreachable.
Yes. Just-in-time provisioning creates a res.users record on a user's first SAML login from a configurable attribute mapping. Odoo security groups are driven by an attribute-to-group map that re-evaluates on every login, so changing a user's role or group in your IdP updates their Odoo access at their next sign-in — no manual permission edits.
Every build includes a post-go-live support window for defect fixes and configuration help. Because it ships as a self-contained module (its own __manifest__.py, models, and views) rather than core patches, it upgrades cleanly; we also offer paid version-migration and extended support when you move between Odoo 17.0, 18.0, and 19.0.
No. It is a clean-room implementation built on the standard python3-saml toolkit and Odoo's own authentication framework, delivered with full source and git history to you. It is engineered to meet your specific IdP, provisioning, and group-mapping requirements rather than being a generic off-the-shelf download.
A build-to-order SAML 2.0 Service Provider for Odoo that brings your instance under corporate SSO with Azure AD, Okta, Google Workspace, or OneLogin — including SP- and IdP-initiated login, just-in-time provisioning, and IdP-group-to-Odoo-group mapping. ECOSIRE scopes, builds, installs, and supports it for Odoo 17.0, 18.0, and 19.0.