Skip to main content
Connect your identity provider using guided SSO wizard
This guide walks you through setting up Single Sign-On (SSO) for your organization using your identity provider’s guided wizard.

Prerequisites

Before you begin, ensure you have:
  • Administrator access to your identity provider
  • Organization admin privileges
  • Domain verification completed for your organization
  • SSL certificate configured on your IdP (recommended)

Setup guide

Access SSO configuration

1

Navigate to integrations

  1. Go to Settings > Integrations
  2. Find Single Sign-On in the Organization section
2

Start setup wizard

  1. Click Setup or Add SSO Provider
  2. The SSO setup wizard will open with guided configuration
  3. Select your identity provider from available options (Azure AD, Google Workspace, Okta, custom SAML/OIDC)

Configure identity provider

1

Follow configuration guide

Follow the step-by-step instructions specific to your chosen identity provider to configure your IdP with required settings
2

Configure connection details

Enter the required information from your identity provider setup:
  • Entity ID: Your organization’s unique identifier in the IdP
  • Client ID: The application ID registered in your IdP
  • Client Secret: The secret key used to authenticate with the IdP
Note the callback URL provided for configuring in your IdP settings
3

Create connection

Save the configuration to create the SSO connection (this creates the connection but doesn’t yet link it to your organization)

Configure domain settings

1

Review default managed domain

Your organization’s email domain is automatically included as a managed domain for SSO (requires no additional verification)
2

Add additional domains (optional)

  1. Click Add Domain if you need additional email domains
  2. Additional domains require domain ownership verification
  3. Add the provided TXT record to your domain’s DNS settings
3

Domain realm discovery

Domain realm discovery is automatically enforced for all managed domains
Users with email addresses from managed domains will be automatically redirected to your SSO provider and cannot use username/password authentication. Maintain at least one admin account with an email from a non-managed domain as backup.

SSO enforcement

After enabling SSO, you have control over which authentication methods your users can access.

Automatic SSO redirect for new users

When a new user enters an email address with a domain matching your SSO configuration, they are automatically redirected to authenticate through your identity provider instead of receiving an email invitation.This ensures that all users from your managed domains authenticate through your corporate identity provider from their first login.
By default, users can still authenticate through email/password or Google sign-in even after SSO is enabled. Organization admins can explicitly disable these alternative authentication methods to enforce SSO-only access.
1

Navigate to SSO settings

Go to Settings > Integrations > Single Sign-On
2

Locate SSO enforcement section

Find the Enforce SSO-Only Authentication section (only visible after SSO is enabled)
3

Disable other methods

Click Disable Other Methods to remove email/password and Google sign-in options
4

Confirm enforcement

After disabling, the status will update to show SSO Enforced
Users will only be able to authenticate through your identity provider after other methods are disabled. This provides complete control over authentication in your organization.
If you need to restore email/password and Google sign-in options, you can do so by detaching your SSO connection. This automatically re-enables the default authentication methods.
Detaching SSO will remove your identity provider integration and restore standard authentication methods. Users will need to set up passwords if they haven’t already.
Backup admin access: Maintain at least one organization admin account that uses an email domain not configured for SSO. This ensures you can access your organization if your SSO provider becomes unavailable.

Test and complete setup

1

Test SSO configuration

  1. Use the built-in test functionality to verify your SSO configuration
  2. Review test results to ensure authentication is working properly
  3. Resolve any issues shown in the test results
2

Complete setup

  1. Click Complete Setup after testing is successful
  2. Verify your SSO identity provider appears as connected in Organization Integrations
  3. Inform team members about SSO activation and login instructions

Troubleshooting

Cause: Incorrect certificate or signature validation issuesSolution:
  • Verify certificates and keys are correctly configured
  • Ensure proper formatting of authentication credentials
  • Check that the IdP is using the correct signing configuration
Cause: Incorrect attribute mapping configurationSolution:
  • Verify attribute names match those sent by your IdP
  • Check authentication response in browser developer tools
  • Ensure all required attributes are being sent by the IdP
Cause: User’s email domain is not added to SSO configurationSolution:
  • Add the user’s email domain to the configured domains list
  • Ensure domain verification is completed
Cause: Configuration mismatch or network connectivity issuesSolution:
  • Double-check all configuration values in both systems
  • Verify callback URLs are accessible and correct
  • Check IdP logs for specific error messages
  • Test network connectivity between systems

Features

Once connected, you can manage SSO configuration:

User management

Manage SSO users, handle provisioning, and set permissions

Monitoring & maintenance

Monitor authentication activity and maintain configuration

Advanced troubleshooting

Diagnose and resolve authentication issues