Skip to main content
This quickstart walks through the shortest path to a working sign-on: add a person, group them, connect an application, grant access, protect it with a policy, and verify the experience. Each step links to a deeper guide when you want more detail.
You need administrator access to your Iru tenant to follow these steps. If you manage admins separately, see Administrators & roles.

Before you begin

1

Decide where your people come from

You can add users by hand, import them from a file, or sync them from a connected HR system. For this quickstart, adding one user by hand is enough. To bring in your whole organization later, see Importing users and Directory Sync.
2

Have your application's sign-on details ready

Most applications support either SAML or OIDC for single sign-on. Have the app’s documentation handy, or use a ready-made application template so the fields are filled in for you.

Set up your first sign-on

Add a user

In Directory → Users, create a user with a name and email address. Use an address the person can actually receive mail at, so they can complete their invitation. The user’s profile holds the attributes that policies and apps can use later. Learn more in Users.

Create a group

In Directory → Groups, create a group and add your user to it. Assigning access to groups instead of individuals keeps things manageable as you grow. See Groups.

Connect an application

In Apps, add an application. Choose a template from the catalog when one exists, or configure a custom SAML or OIDC app. Iru gives you the sign-on details to enter in your app, and you enter the details your app provides back into Iru. See Add an application.

Assign access

Assign the group you created to the application. Everyone in the group now has access; from then on you manage who can reach the app by changing the group’s membership. See Assigning access.

Protect it with a policy

In Policies → Authentication policies, create a policy and attach it to your app to control device trust - for example, requiring a managed, encrypted device for a sensitive app. A passkey or Iru Access is already required for every sign-in, so you do not configure that here. See Authentication policies.

Test the experience

Sign in as your test user and open the app dashboard. Your application appears as a tile; selecting it signs the user straight in. See End-user experience.
To exercise device trust and the full sign-in experience, install Iru Access on your test device and register it - see Authenticators.

What you just built

You now have a person who belongs to a group, a group that is granted an application, and a policy that governs how they sign in. Adding more people or apps is a matter of repeating the parts you need.

Next steps

Bring in everyone

Import your full user list or sync it from your HR system so the directory stays current on its own.

Connect your identity provider

Let people sign in with Google Workspace, Microsoft Entra ID, or another provider you already run.

Automate app accounts

Provision and deprovision accounts in your apps automatically as access changes.

Tune your policies

Add risk and device trust conditions so access adapts to context.