Enterprise SAML and whitelabel login
Enterprise SAML and whitelabel login
Some clubs run on a whitelabel DistantRace deployment — a branded website on a custom domain with enterprise single sign-on (SSO) via SAML (commonly Microsoft Entra ID / Azure AD), or OAuth-based login through DistantRace.
Who this applies to #
- Corporate or federation clubs with whitelabel enabled
- Participants expected to use a work email domain (for SAML)
- Organizations that route login through a branded portal instead of distantrace.com
Standard distantrace.com users use Sign-in options (email, Google, Apple, passkey).
Branded participant portal #
On a whitelabel site you typically:
- Open your club's branded URL (not distantrace.com).
- Browse published challenges and events without logging in.
- Click Sign in when you want to join, sync workouts, or manage your profile.
Sign-in redirects to DistantRace OAuth with your organization's UUID in the authorize URL. Login pages use your club's themed templates (logo, colors, copy) when the club has a non-default domain_theme. After authentication you return to the branded site, already logged in.
DistantRace resolves branding from:
- Session flags set during a themed login on your portal
- Verified embed domain — the host in your portal URL or OAuth
nextlink maps to your club via Embed domains
What the portal shows — leaderboards, team results, competition checkout, workout history — depends on how your club's portal is configured. Event rules and registration still come from the organizer's DistantRace settings.
Organizer-facing overview: Whitelabel and enterprise setup.
SAML / enterprise SSO #
For clubs with SAML configured:
- Open the club's branded URL or a direct event link.
- Click Sign in with work account / organization login (or start from a SAML-aware entry point).
- Enter your work email if prompted — DistantRace routes you to the correct identity provider by email domain (
/saml2/discovery/). - Complete authentication at your company's Microsoft (or configured IdP) portal.
- Return to DistantRace logged in — register for events as usual.
If your domain is not configured, you see an error asking you to contact your IT administrator.
Multiple identity providers #
When several SAML providers exist, the discovery page matches your email domain to the right IdP before redirecting to /saml2/login/?idp=….
If only one IdP is configured, discovery skips the form and sends you straight to login.
Discovery errors #
| Message | Meaning |
|---|---|
| Enter a valid work email | Missing or malformed address |
| We don't have Single Sign-On configured for this domain | Your IT team has not registered that email domain with DistantRace |
Contact your club administrator or IT if your domain should be supported.
Other login methods on whitelabel #
Depending on club configuration, themed login pages may also offer:
| Method | Notes |
|---|---|
| Email login code | One-time code sent to your inbox; uses your club's SendGrid sender when configured |
| Passkey (WebAuthn) | Passwordless login if you registered a passkey on a previous visit |
| OAuth (authorization code) | Default flow for branded web portals — browser redirects through DistantRace and back |
Sport app connections (Garmin, Strava, step sources) open on the canonical DistantRace auth host for OAuth provider redirects. A signed social return token in the URL brings you back to the branded portal with the same theme, even though provider OAuth runs on distantrace.com.
Whitelabel branding #
Whitelabel clubs may show:
- Club logo and colors on login and account pages
- Custom hero images on the public portal
- Branded transactional email (login codes, invitations) via SendGrid
Organizer setup for domains, SAML, and portal hosting is platform-managed — contact DistantRace to enable whitelabel for your organization.
Organizers on whitelabel clubs #
Manager console access still requires Two-factor authentication. SSO or OAuth handles participant login on the branded site; 2FA is a separate security step for /console/ views on distantrace.com.
API access #
Whitelabel organizations can use the REST API with organization-scoped credentials — see Public API overview.