How sign-in works
Visit app.traversal.com (or your BYOC deployment’s address) and enter your email address. Traversal uses your email domain to match you to your organization and present the available sign-in methods. For SSO users, Traversal identifies your organization’s identity provider and redirects you there automatically. If no organization matches your email, Traversal displays an “Email not found” error.
Enter your email
Traversal matches your email to an organization and displays the available sign-in methods.
Authenticate with your provider
Sign in using the method your organization has configured (e.g., enterprise SSO, Google, or email magic link).
Organization access models
Your administrator chooses one of two access models when setting up your organization.
Invite-only
New users must receive an email invitation before they can sign in. This is the default for most organizations and provides the tightest access control.
- An administrator sends an invite to your email address.
- You receive an email with a sign-in link containing a one-time invite code.
- Click the link and authenticate with your provider to complete sign-in.
- The invite code is consumed on first use and cannot be reused.
Open access (domain-based)
Any user with a matching email domain can sign in without an explicit invite. This is useful for organizations that want frictionless onboarding for all employees.
- No invite is required — just sign in with your corporate email.
- Your email domain must match one of the domains your administrator has registered.
Inviting users
Organization administrators can invite new users from the Traversal web app.
Send invites
Enter one or more email addresses (comma-separated) and choose a role:
- Member — can run investigations, view results, and use integrations.
- Admin — everything a member can do, plus manage users, integrations, and organization settings.
Inviting an existing user
If the email address you invite belongs to an existing Traversal user in your organization, the system checks their current role:
- User already has the role — no action is taken.
- User needs a role upgrade — the new role is granted immediately (e.g., promoting a member to admin).
Enterprise SSO onboarding
Enterprise Single Sign-On (SSO) allows your organization to authenticate users through an existing identity provider (IdP) such as Okta, Microsoft Entra ID, Google Workspace, or any SAML 2.0 / OIDC-compliant provider. This eliminates separate credentials — your team signs in to Traversal with the same accounts they already use.
Attribute mapping
Traversal identifies users by their email address. Regardless of which identity provider you use, the NameID (SAML) or sub/email claim (OIDC) must map to the user’s primary email address. This is how Traversal matches authenticated users to their organization and account.
| Protocol | Required mapping |
|---|---|
| SAML | NameID → primary email address (format: EmailAddress) |
| OIDC | email scope and claim → primary email address |
If the NameID or email claim does not return the user’s primary email, Traversal cannot match the user to an organization, and sign-in will fail with an “Email not found” error.
SCIM provisioning
Traversal does not currently support SCIM. User provisioning and deprovisioning must be managed manually through Traversal’s invite system or by assigning and unassigning users in your identity provider.
Okta (OIDC)
Create an app integration in Okta
Go to Okta Admin Console → Applications → Applications → Create App Integration. Select OIDC - OpenID Connect as the sign-in method and Web Application as the application type.
Assign users and groups
In the Assignments tab, add every user or group that needs access to Traversal. Unassigned users will receive a “User is not assigned to the client application” error and cannot sign in.
Copy credentials
From the application settings, copy the Client ID and Client Secret. Verify that the granted scopes include openid, email, and profile.
Microsoft Entra ID (Azure AD)
Register Traversal in Entra ID
Go to Microsoft Entra admin center → Identity → Applications → App registrations → New registration. Give the application a name (e.g., “Traversal”).
Configure redirect URIs
Under Authentication → Platform configurations, add a Web platform with the redirect URI:
Generate a client secret
Go to Certificates & secrets → Client secrets → New client secret. Copy the secret Value immediately — it is only displayed once.
Enable user assignment
Go to Enterprise Applications → Traversal → Properties and set User assignment required to Yes. Then under Users and groups, assign the users or groups that need access. Users who are not assigned cannot sign in.
SAML 2.0
If your identity provider supports SAML 2.0, you can configure Traversal as a service provider.
Gather SAML details from your IdP
Obtain the following from your identity provider:
- SAML Metadata URL or XML
- IdP Issuer URL (also called Entity ID)
- X.509 signing certificate
- Attribute mappings for email, name, and optionally groups or roles
Assign users to the application
In your IdP, assign the users or groups that should have access to Traversal. Users who are not assigned to the SAML application cannot sign in.
OpenID Connect (OIDC) — generic
For any OIDC-compliant identity provider not listed above:
Gather OIDC details from your IdP
Obtain the following:
- Issuer URL (e.g., https://idp.example.com) — Traversal uses this to auto-discover endpoints via /.well-known/openid-configuration
- Client ID and Client Secret
- Scopes (openid email profile)
Configure the redirect URI
In your IdP, register the following redirect URI for the Traversal application:
Assign users to the application
Ensure all users who need access to Traversal are assigned to the application in your IdP. Unassigned users cannot sign in.
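A pre-flight check an IdP administrator can run before handing the Issuer URL over, written for this page as an added example (it is not Traversal's code). It inspects a parsed discovery document and a decoded ID token for the requirements listed above; the function names and the sample documents are constructed for illustration.

```python
REQUIRED_SCOPES = {"openid", "email", "profile"}  # scopes listed on this page
ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")

def discovery_url(issuer):
    """Location of the provider metadata for a given Issuer URL."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"

def check_discovery(issuer, doc):
    """Return a list of problems found in a parsed discovery document."""
    problems = []
    # OIDC Discovery: the advertised issuer must equal the configured Issuer URL exactly.
    if doc.get("issuer") != issuer:
        problems.append("issuer mismatch")
    for key in ENDPOINTS:
        if not str(doc.get(key, "")).startswith("https://"):
            problems.append(key + " missing or not https")
    # scopes_supported and claims_supported are optional metadata: judge only if present.
    if "scopes_supported" in doc:
        for scope in sorted(REQUIRED_SCOPES - set(doc["scopes_supported"])):
            problems.append("scope not offered: " + scope)
    if "claims_supported" in doc and "email" not in doc["claims_supported"]:
        problems.append("email claim not offered")
    return problems

def check_email_claim(claims):
    """The ID token must carry the user's email address in the email claim."""
    email = claims.get("email")
    if not isinstance(email, str):
        return ["email claim missing"]
    local, at, domain = email.partition("@")
    if not (local and at and "." in domain):
        return ["email claim is not an email address"]
    return []

# Constructed sample data (idp.example.com is the placeholder used on this page).
ISSUER = "https://idp.example.com"
GOOD_DOC = {
    "issuer": ISSUER,
    "authorization_endpoint": ISSUER + "/authorize",
    "token_endpoint": ISSUER + "/token",
    "jwks_uri": ISSUER + "/keys",
    "scopes_supported": ["openid", "email", "profile"],
    "claims_supported": ["sub", "email", "name"],
}
BAD_DOC = dict(GOOD_DOC, issuer=ISSUER + "/", jwks_uri="http://idp.example.com/keys",
               scopes_supported=["openid", "profile"], claims_supported=["sub", "name"])
if __name__ == "__main__":
    for problem in check_discovery(ISSUER, BAD_DOC) + check_email_claim({"sub": "00u1example"}):
        print("FAIL:", problem)
```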
Google Workspace
Add Traversal as a SAML app
Go to Google Admin Console → Apps → Web and mobile apps → Add app → Add custom SAML app. Follow the wizard and download the IdP metadata XML when prompted.
Configure the SAML app
When asked for service provider details, enter the ACS URL and Entity ID provided by the Traversal team. Set the Name ID format to EMAIL and map the email and name attributes.
Enable the app for users
In the SAML app settings, go to User access and set the app to On for everyone — or scope it to specific organizational units. Users in disabled OUs cannot sign in.
Common issues
'Email not found' error
Traversal could not match your email to an organization. Either your email domain is not registered with any Traversal organization, or you have not been invited. Contact your administrator or reach out to support@traversal.com.
'An invite is required' error
Your organization uses invite-only access, and you do not have a valid invite. Ask your organization administrator to send you an invitation from the User Management settings page.
'Your invite has expired' error
Invite codes expire after a set period. Ask your administrator to resend the invitation — this generates a fresh code and invalidates the old one.
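The invite lifecycle described under Invite-only and in this entry (one-time code, expiry, a resend that invalidates the old code), modelled as an added example. It is not Traversal's implementation: the InviteStore class, its method names, the one-hour lifetime and the hashed storage are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

class InviteStore:
    """Hypothetical in-memory model of single-use, expiring invite codes."""

    def __init__(self, ttl_seconds):
        self.ttl = ttl_seconds   # assumed lifetime; the page only says "a set period"
        self._pending = {}       # email -> (SHA-256 of code, expiry time)

    def issue(self, email, now):
        """Create a code for email; issuing again replaces the previous code."""
        code = secrets.token_urlsafe(32)
        digest = hashlib.sha256(code.encode()).digest()
        self._pending[email.lower()] = (digest, now + self.ttl)
        return code              # placed in the emailed link; only its hash is kept

    def redeem(self, email, code, now):
        """Return 'ok', 'expired' or 'invalid'; a code works at most once."""
        entry = self._pending.get(email.lower())
        if entry is None:
            return "invalid"
        digest, expires_at = entry
        presented = hashlib.sha256(code.encode()).digest()
        if not hmac.compare_digest(digest, presented):   # constant-time comparison
            return "invalid"
        if now >= expires_at:
            return "expired"
        del self._pending[email.lower()]                 # consumed on first use
        return "ok"

def demo():
    """Resend, redeem, then try to reuse (constructed address and timestamps)."""
    store = InviteStore(ttl_seconds=3600)
    first = store.issue("new.user@example.com", now=0)
    second = store.issue("new.user@example.com", now=10)   # administrator resends
    return [
        store.redeem("new.user@example.com", first, now=20),   # old code
        store.redeem("new.user@example.com", second, now=20),  # fresh code
        store.redeem("new.user@example.com", second, now=30),  # reuse attempt
    ]

if __name__ == "__main__":
    print(demo())
```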
SSO redirect fails or loops
The redirect URI configured in your identity provider does not match the expected value. Verify that the redirect URI is set to exactly:
https://login.traversal.com/login/callback
Extra trailing slashes, http instead of https, or incorrect paths will cause the redirect to fail.
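A small diagnostic for the redirect URI mismatch described in this entry, added here as an example and not taken from Traversal. It compares the value configured in the IdP with the expected one and names the difference; the function name and the test inputs are constructed.

```python
from urllib.parse import urlsplit

EXPECTED = "https://login.traversal.com/login/callback"  # value stated on this page

def diagnose_redirect_uri(configured, expected=EXPECTED):
    """Explain why a configured redirect URI is not an exact match."""
    if configured == expected:
        return []
    findings = []
    if configured != configured.strip():
        findings.append("surrounding whitespace")
    got, want = urlsplit(configured.strip()), urlsplit(expected)
    if got.scheme != want.scheme:
        findings.append("scheme is %r, expected %r" % (got.scheme, want.scheme))
    if got.netloc != want.netloc:
        findings.append("host is %r, expected %r" % (got.netloc, want.netloc))
    if got.path != want.path:
        if got.path.rstrip("/") == want.path:
            findings.append("extra trailing slash")
        else:
            findings.append("path is %r, expected %r" % (got.path, want.path))
    if got.query or got.fragment:
        findings.append("unexpected query string or fragment")
    return findings or ["differs from the expected value"]

if __name__ == "__main__":
    # Constructed inputs covering the mistakes this entry lists.
    for uri in (EXPECTED, EXPECTED + "/", "http://login.traversal.com/login/callback",
                "https://login.traversal.com/callback"):
        print(uri, "->", diagnose_redirect_uri(uri) or "exact match")
```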
I signed in but don't see any data
You are authenticated, but your organization’s integrations may not be configured yet. Ask your administrator to connect your observability, code, and communication tools in Settings > Knowledge Base.
Roles and permissions
Traversal uses role-based access control (RBAC). Roles are assigned per organization.
| Role | Capabilities |
|---|---|
| Member | Run investigations, view results, interact with Slack, access the knowledge bank |
| Admin | Everything a member can do, plus manage users, configure integrations, and update organization settings |
Security
All authentication flows use industry-standard protocols:
- OIDC / OAuth 2.0 with PKCE for browser-based sign-in.
- Short-lived access tokens that refresh automatically in the background.
- HTTPS-only cookies with strict same-site policies.
- CSRF protection on all state-changing requests.