
Authentication

Rime supports four authentication methods: SSO via SAML 2.0, SSO via OIDC, Google OAuth, and email/password. SSO via SAML 2.0 or OIDC is the primary path for enterprise customers. Google OAuth and email/password are available as secondary options for smaller teams or initial setup.

Authentication is configured at the tenant level. Navigate to Settings > Authentication to manage your authentication methods.

SSO via SAML 2.0

SAML 2.0 single sign-on allows your users to authenticate through your existing identity provider (Azure AD, Okta, OneLogin, PingFederate, or any SAML 2.0-compliant IdP). Users sign in once through the IdP and are redirected to Rime with an authenticated session.

Configuring SAML 2.0

  1. Navigate to Settings > Authentication > SSO
  2. Select SAML 2.0 as the SSO protocol
  3. Note the SP metadata values that you will need to configure in your IdP:
    • Entity ID — https://{tenant}.rimedata.io/saml/metadata
    • ACS URL (Assertion Consumer Service) — https://{tenant}.rimedata.io/api/auth/saml/callback
    • SP metadata URL — https://{tenant}.rimedata.io/api/auth/saml/metadata (some IdPs can import this directly)
  4. Configure your IdP with the SP metadata values above and obtain:
    • IdP Entity ID — the identifier for your IdP (provided by your IdP)
    • IdP SSO URL — the URL where Rime sends authentication requests
    • IdP Certificate — the X.509 certificate used to verify SAML responses
  5. Enter these values in the Rime configuration form
  6. Select Save

Attribute mapping

Rime expects the following attributes in the SAML assertion:

Rime attribute | Common IdP attribute names | Required
Email | email, http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress | Yes
First name | firstName, http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname | Yes
Last name | lastName, http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname | Yes

If your IdP uses different attribute names, configure the mapping in Settings > Authentication > SSO > Attribute Mapping. Enter the exact attribute name as it appears in your IdP’s SAML assertion for each required field.

Testing SAML

After saving the configuration, select Test Connection. Rime will:

  1. Generate an AuthnRequest and redirect you to your IdP
  2. After you authenticate at the IdP, the IdP posts a SAML Response back to Rime
  3. Rime validates the response signature, extracts the attributes, and shows the result

If the test fails, the error message will indicate whether the issue is with the IdP URL, certificate, or attribute mapping.
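As an added example (not Rime's code), the Python below shows what a service provider checks once the signature on a SAML Response has been verified with the IdP certificate from step 4: the Issuer against the configured IdP Entity ID, the validity window, the Audience against the SP Entity ID, the bearer Recipient against the ACS URL, and finally the attribute mapping from the table above. The tenant name acme, the IdP at idp.example.test, the sample assertion, the timestamps and the 120-second clock-skew allowance are all constructed for this example; signature verification itself is assumed to have already happened.

```python
"""Service-provider checks on a SAML 2.0 assertion, and attribute mapping.

Added example, not Rime's code. Assumes the SAML Response signature was already
verified with the configured IdP certificate (an XML-DSig library's job); what
follows is what the service provider still checks before trusting attributes.
Tenant, IdP, timestamps and attribute values are constructed.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET  # production code should parse with defusedxml

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"

DEFAULT_MAPPING = {  # names accepted per required field, tried in order (the table above)
    "email": ["email", CLAIMS + "emailaddress"],
    "first_name": ["firstName", CLAIMS + "givenname"],
    "last_name": ["lastName", CLAIMS + "surname"],
}

def _saml_time(text):
    """SAML timestamps are UTC ISO 8601 with a trailing Z; fractional seconds are dropped."""
    base = text.split(".")[0].rstrip("Z")
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def validate_assertion(xml_text, *, idp_entity_id, sp_entity_id, acs_url, now,
                       mapping=DEFAULT_MAPPING, skew=timedelta(seconds=120)):
    """Return Rime's required fields from a signature-verified assertion, or raise
    ValueError naming the failed check (the kind of detail Test Connection reports)."""
    root = ET.fromstring(xml_text)
    assertion = root if root.tag == "{%s}Assertion" % NS["saml"] else root.find(".//saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no Assertion element in response")

    # 1. The issuer must be the IdP we configured, not merely one with a valid signature.
    issuer = (assertion.findtext("saml:Issuer", namespaces=NS) or "").strip()
    if issuer != idp_entity_id:
        raise ValueError(f"issuer {issuer!r} does not match the configured IdP Entity ID")

    # 2. Validity window; the skew allowance is this example's choice.
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion has no Conditions")
    if cond.get("NotBefore") and now + skew < _saml_time(cond.get("NotBefore")):
        raise ValueError("assertion is not yet valid")
    if cond.get("NotOnOrAfter") and now - skew >= _saml_time(cond.get("NotOnOrAfter")):
        raise ValueError("assertion has expired")

    # 3. Audience must name our SP Entity ID, so an assertion minted for another SP is refused.
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        raise ValueError(f"audience {audiences} does not include the SP Entity ID")

    # 4. The bearer confirmation must be addressed to our ACS URL.
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url:
        raise ValueError("SubjectConfirmationData Recipient does not match the ACS URL")

    # 5. Attribute mapping: first listed name present wins; a missing required field is an error.
    present = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text for v in attr.findall("saml:AttributeValue", NS) if v.text]
        if values:
            present[attr.get("Name")] = values[0]
    result = {}
    for field, names in mapping.items():
        hit = next((n for n in names if n in present), None)
        if hit is None:
            raise ValueError(f"required attribute {field!r} not in assertion; tried {names}")
        result[field] = present[hit]
    return result

def assertion_problem(xml_text, **kwargs):
    """None when the assertion passes every check, otherwise the failure message."""
    try:
        validate_assertion(xml_text, **kwargs)
        return None
    except ValueError as exc:
        return str(exc)

# Constructed assertion for tenant "acme": email under its short name, given/surname under
# the WS-Federation claim URIs Azure AD emits, so both mapping styles are exercised.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}" ID="_1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice@example.test</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://acme.rimedata.io/api/auth/saml/callback" NotOnOrAfter="2024-05-01T12:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://acme.rimedata.io/saml/metadata</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>alice@example.test</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{CLAIMS}givenname"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{CLAIMS}surname"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

SP_CONFIG = {"idp_entity_id": "https://idp.example.test/metadata",
             "sp_entity_id": "https://acme.rimedata.io/saml/metadata",
             "acs_url": "https://acme.rimedata.io/api/auth/saml/callback"}
SAMPLE_NOW = datetime(2024, 5, 1, 12, 1, tzinfo=timezone.utc)  # constructed; inside the validity window
```

Calling validate_assertion(SAMPLE_ASSERTION, now=SAMPLE_NOW, **SP_CONFIG) returns the three mapped fields; move the clock an hour forward, point sp_entity_id at another tenant, or rename the email attribute and assertion_problem returns the corresponding message instead. Checks 3 and 4 are the ones most often skipped in home-grown SP code, and skipping them lets an assertion legitimately issued to one service be replayed against another.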

SSO via OIDC

OpenID Connect (OIDC) is an alternative to SAML for IdPs that support it. Many modern IdPs (Azure AD, Okta, Auth0, Keycloak) support both protocols.

Configuring OIDC

  1. Navigate to Settings > Authentication > SSO
  2. Select OIDC as the SSO protocol
  3. Note the Callback URL that you will need to register in your IdP: https://{tenant}.rimedata.io/api/auth/oidc/callback
  4. Register Rime as a client application in your IdP. You will need to provide:
    • The callback URL above
    • Requested scopes: openid, email, profile
  5. Obtain from your IdP:
    • Discovery URL — the OpenID Connect discovery endpoint (e.g., https://login.microsoftonline.com/{tenant-id}/v2.0/.well-known/openid-configuration)
    • Client ID — the application/client identifier assigned by your IdP
    • Client Secret — the client secret generated by your IdP
  6. Enter these values in the Rime configuration form
  7. Select Save

OIDC scopes

Rime requests these scopes by default:

Scope | Purpose
openid | Required for OIDC. Returns a subject identifier (the sub claim)
email | Returns the user’s email address (the email claim)
profile | Returns first name and last name (the given_name and family_name claims)

If your IdP requires additional scopes, you can add them in the Additional Scopes field (comma-separated).

Testing OIDC

Select Test Connection to initiate an OIDC flow. Rime will redirect you to your IdP’s authorization endpoint. After authentication, Rime exchanges the authorization code for tokens and displays the result, showing which user attributes were received.

Google OAuth

Google OAuth allows users to sign in with their Google account. This is convenient for teams that use Google Workspace but do not have a dedicated IdP.

Enabling Google OAuth

  1. Navigate to Settings > Authentication > Google OAuth
  2. Toggle Enable Google OAuth
  3. Optionally, restrict sign-in to specific email domains. Enter one or more domains (e.g., yourcompany.co.nz). If no domains are specified, any Google account can sign in
  4. Select Save

When domain restriction is enabled, users whose Google account email does not match an allowed domain will see an error after authenticating with Google.

Google OAuth does not require you to create a Google Cloud project or configure OAuth credentials — Rime manages this internally.
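Google Sign-In is itself an OpenID Connect flow that returns an ID token, so the same claim checks apply to it as to the OIDC configuration above. As an added example (not Rime's code), the Python below validates the ID-token claims a relying party is responsible for (iss against the discovery document, aud and azp against the client ID, exp and iat, the nonce bound to the login request, and the email and profile claims the requested scopes deliver), then applies the email-domain restriction described for Google OAuth. The discovery document, client ID, nonce and token claims are constructed, and signature verification against the keys at jwks_uri is assumed to have been done by a JOSE library before these checks run.

```python
"""OIDC ID-token claim checks and the email-domain allow-list.

Added example, not Rime's code. Assumes the token signature was already verified
against the keys at the discovery document's jwks_uri (a JOSE library's job); the
checks below are the relying party's own. Issuer, client ID, nonce and claims are
constructed.
"""
import base64
import json

DISCOVERY = {  # trimmed stand-in for the document fetched from the Discovery URL
    "issuer": "https://idp.example.test",
    "jwks_uri": "https://idp.example.test/keys",
}
CLIENT_ID = "rime-acme-client"  # assumed; the value the IdP assigned when Rime was registered

# Claims the email and profile scopes deliver, mapped onto the fields Rime requires.
CLAIM_TO_FIELD = {"email": "email", "given_name": "first_name", "family_name": "last_name"}
SCOPE_FOR_CLAIM = {"email": "email", "given_name": "profile", "family_name": "profile"}

def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_token(claims):
    """Constructed, unsigned test token (header.payload.placeholder); real tokens are signed."""
    header = _b64url_encode({"alg": "RS256", "kid": "test"})
    return f"{header}.{_b64url_encode(claims)}.sig"

def validate_id_token(id_token, *, discovery, client_id, expected_nonce, now, skew=120):
    """Return Rime's profile fields from a signature-verified ID token, or raise ValueError."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    claims = json.loads(_b64url_decode(parts[1]))

    # iss must equal the discovery document's issuer exactly, not merely share its hostname.
    if claims.get("iss") != discovery["issuer"]:
        raise ValueError("issuer does not match discovery document")
    # aud must contain our client_id; with several audiences azp must name us too.
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        raise ValueError("token was not issued to this client")
    if len(audiences) > 1 and claims.get("azp") != client_id:
        raise ValueError("multiple audiences but azp is not this client")
    # Lifetime; the 120 s skew allowance is this example's choice.
    if not isinstance(claims.get("exp"), (int, float)) or now - skew >= claims["exp"]:
        raise ValueError("token expired or has no exp")
    if isinstance(claims.get("iat"), (int, float)) and claims["iat"] > now + skew:
        raise ValueError("token issued in the future")
    # nonce ties the token to the authorization request we started; a replayed token fails here.
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    if not claims.get("sub"):
        raise ValueError("missing sub")

    profile = {"sub": claims["sub"], "email_verified": bool(claims.get("email_verified", False))}
    for claim, field in CLAIM_TO_FIELD.items():
        if claim not in claims:
            raise ValueError(f"claim {claim!r} missing; is the {SCOPE_FOR_CLAIM[claim]!r} scope granted?")
        profile[field] = claims[claim]
    return profile

def token_problem(id_token, **kwargs):
    """None when the token passes every check, otherwise the failure message."""
    try:
        validate_id_token(id_token, **kwargs)
        return None
    except ValueError as exc:
        return str(exc)

def email_domain_allowed(email, allowed_domains):
    """Domain restriction as described for Google OAuth: exact, case-insensitive match on the
    text after the single '@'. A suffix or substring test would admit
    alice@yourcompany.co.nz.attacker.example, so neither is used."""
    if not allowed_domains:
        return True  # no domains configured: any account may sign in
    if email.count("@") != 1:
        return False
    domain = email.rsplit("@", 1)[1].strip().lower().rstrip(".")
    return domain in {d.strip().lower() for d in allowed_domains}

NOW = 1_714_564_800  # 2024-05-01T12:00:00Z, constructed
NONCE = "n-0S6_WzA2Mj"  # constructed; generated per request and kept with the login state
SAMPLE_CLAIMS = {
    "iss": DISCOVERY["issuer"], "aud": CLIENT_ID, "sub": "7f2c1a", "iat": NOW - 5, "exp": NOW + 300,
    "nonce": NONCE, "email": "alice@yourcompany.co.nz", "email_verified": True,
    "given_name": "Alice", "family_name": "Example",
}
```

validate_id_token(make_token(SAMPLE_CLAIMS), discovery=DISCOVERY, client_id=CLIENT_ID, expected_nonce=NONCE, now=NOW) returns the sub, verified flag and the three Rime fields; drop given_name and family_name from the claims and the error points at the profile scope, which is the usual cause of the "attribute missing" outcome in Test Connection. The email_verified flag is returned rather than enforced so the caller can decide whether an unverified address may match the domain allow-list.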

Email and password

Email/password authentication is available as a fallback for organisations that do not use SSO or as a method for initial administrator setup before SSO is configured.

Password requirements

Passwords must meet these requirements:

  • Minimum 12 characters
  • At least one uppercase letter
  • At least one lowercase letter
  • At least one digit
  • At least one special character

Passwords are hashed using Argon2id before storage. Rime never stores plaintext passwords. Argon2id is the current recommended algorithm for password hashing, providing resistance against both GPU-based and side-channel attacks.

Password reset

Users can reset their password by selecting Forgot password on the sign-in page. A reset link is emailed to the registered address. The link expires after 1 hour.

Administrators can force a password reset for any user from Settings > Users > [User] > Force Password Reset.

Multi-factor authentication

Rime does not implement its own MFA mechanism. Instead, MFA is handled by your identity provider when using SAML 2.0 or OIDC. If your IdP requires MFA, the MFA challenge is presented during the IdP authentication step before the user is redirected back to Rime.

For Google OAuth, Google’s own MFA settings apply. If a user has 2-Step Verification enabled on their Google account, they will be prompted for it during sign-in.

For email/password authentication, MFA is not currently available. Organisations requiring MFA should use SSO.

Session management

After successful authentication, Rime issues a session token:

  • Token lifetime — sessions expire after 8 hours of inactivity or 24 hours from creation, whichever comes first
  • Refresh — active sessions are refreshed automatically. A user who is actively using Rime will not be logged out at the 8-hour inactivity mark, but the 24-hour limit from creation still applies and requires re-authentication
  • Revocation — administrators can revoke a user’s session from Settings > Users > [User] > Revoke Sessions. The user will need to re-authenticate
  • Token storage — session tokens are held in memory on the client side. They are not written to localStorage or cookies, so injected script cannot read a persisted token from storage and the token is not sent automatically with cross-site requests; this narrows XSS exposure rather than removing it, since script running in the page during an active session can still act with the token

All session events (creation, refresh, expiry, revocation) are recorded in the audit log.
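As an added example (not Rime's code), the Python below implements the lifetime rules above with an injectable clock: a session ends at 8 hours without activity or 24 hours after creation, whichever comes first; each validated request refreshes the idle window but never the absolute one; an administrator can revoke every session for a user; and creation, refresh, expiry and revocation each produce an audit record. The token format (a 256-bit URL-safe random string, kept server-side only as its SHA-256 hash), the in-memory store and the audit record shape are this example's assumptions.

```python
"""Session lifetime rules: idle and absolute limits, refresh on activity, revocation, audit.

Added example, not Rime's code. It uses the lifetimes stated above (8 hours idle,
24 hours absolute, whichever comes first); the token format, store and audit
record shape are this example's assumptions.
"""
import hashlib
import secrets
from dataclasses import dataclass

IDLE_LIMIT = 8 * 3600       # seconds of inactivity after which a session ends
ABSOLUTE_LIMIT = 24 * 3600  # seconds since creation after which it ends regardless of activity


@dataclass
class Session:
    user: str
    created_at: float
    last_seen: float


class SessionStore:
    def __init__(self, clock):
        self.clock = clock      # callable returning seconds; injected so expiry can be tested
        self._sessions = {}     # sha256(token) -> Session: the store never holds a usable token
        self.audit = []         # one record per creation, refresh, expiry and revocation

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def _log(self, event, user, **extra):
        self.audit.append({"at": self.clock(), "event": event, "user": user, **extra})

    def create(self, user):
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        now = self.clock()
        self._sessions[self._key(token)] = Session(user, now, now)
        self._log("session.created", user)
        return token

    def validate(self, token):
        """Return the user if the session is live (and refresh it), else None.
        Expiry is decided here, at use time, so no background sweeper is required."""
        key = self._key(token)
        s = self._sessions.get(key)
        if s is None:
            return None
        now = self.clock()
        if now - s.created_at >= ABSOLUTE_LIMIT:
            reason = "absolute"      # 24 h from creation wins even for an active user
        elif now - s.last_seen >= IDLE_LIMIT:
            reason = "idle"
        else:
            s.last_seen = now        # activity refreshes the idle window, never the absolute one
            self._log("session.refreshed", s.user)
            return s.user
        del self._sessions[key]
        self._log("session.expired", s.user, reason=reason)
        return None

    def revoke_user(self, user):
        """Administrator action: drop every session for the user; they must re-authenticate."""
        keys = [k for k, s in self._sessions.items() if s.user == user]
        for k in keys:
            del self._sessions[k]
        self._log("session.revoked", user, count=len(keys))
        return len(keys)


class FakeClock:
    """Constructed clock for the demonstration; production code passes time.time."""
    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo():
    """Walk an active session into the absolute limit and an untouched one into the idle limit."""
    clock = FakeClock()
    store = SessionStore(clock)
    active = store.create("alice")
    outcomes = []
    for _ in range(3):                       # a request every 7 h: the idle limit is never reached
        clock.advance(7 * 3600)
        outcomes.append(store.validate(active))
    clock.advance(4 * 3600)                  # 25 h after creation: the absolute limit ends it
    outcomes.append(store.validate(active))
    idle = store.create("bob")
    clock.advance(8 * 3600)                  # untouched for 8 h: the idle limit ends it
    outcomes.append(store.validate(idle))
    return outcomes, store.audit
```

demo() returns ["alice", "alice", "alice", None, None] together with the audit trail, in which the two expiry records carry the reasons "absolute" and "idle" in that order. Deciding expiry at validation time, rather than with a timer, means a revoked or expired token fails on its very next use and the audit entry is written at the moment the decision is made.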

SSO tier requirement

SSO (both SAML 2.0 and OIDC) requires Business tier or above. Free/Trial and Small Business tiers are limited to Google OAuth and email/password authentication.

If your organisation requires SSO for procurement approval, contact Rime sales to arrange a Business tier trial.

Next steps

  • Review Encryption to understand how credentials are protected
  • Set up Audit Logging to track authentication events
  • Configure roles and masking visibility in Masking Policies
  • Review the Compliance page for regulatory requirements around authentication