Single Sign-On (SSO)
Configure enterprise SSO for your organization using OIDC or SAML providers
Single sign-on allows your organization members to authenticate using your corporate identity provider. Users sign in once with their company credentials and gain access to Securtea without managing separate passwords.
Benefits of SSO
For Users
- One password - Use existing corporate credentials
- Faster access - Skip separate login screens
- Familiar experience - Same authentication as other work apps
For Administrators
- Centralized control - Manage access from your identity provider
- Improved security - Enforce your corporate authentication policies, such as MFA, at the IdP
- Automatic provisioning - New users are created automatically on their first sign-in
- Easy offboarding - Disable the user at your IdP to revoke their SSO access to Securtea; if password login is still enabled for the domain, disable it too (see SSO and Existing Users)
Supported Protocols
Securtea supports two industry-standard authentication protocols:
OpenID Connect (OIDC)
OIDC is a modern authentication protocol layered on OAuth 2.0; the IdP returns a signed JSON ID token (JWT):
- Recommended for: Most organizations
- Best with: Microsoft Entra ID, Okta, Auth0, Google Workspace
- Setup complexity: Low to moderate
- Configure OIDC
SAML 2.0
SAML 2.0 is an established XML-based enterprise federation standard; the IdP returns a signed assertion:
- Recommended for: Organizations with existing SAML infrastructure
- Best with: Traditional enterprise identity providers
- Setup complexity: Moderate
- Configure SAML
If your identity provider supports both protocols, we recommend OIDC for its simpler setup and modern architecture.
Identity Provider Guides
We provide specific guides for popular identity providers:
| Provider | Protocol | Guide |
|---|---|---|
| Microsoft Entra ID | OIDC | Setup Guide |
| Generic OIDC | OIDC | Setup Guide |
| Generic SAML | SAML | Setup Guide |
How SSO Works
Authentication Flow
1. User visits Securtea and enters their email address
2. Securtea detects SSO based on the email domain
3. Redirect to IdP - User is sent to the identity provider
4. User authenticates with corporate credentials
5. IdP validates the user and returns a signed token (an OIDC ID token or a SAML assertion)
6. Securtea validates the token (signature, issuer, audience, expiry) and creates or updates the user
7. User is signed in to their Securtea dashboard
Just-in-Time Provisioning
When a user signs in via SSO for the first time:
- User account created - A Securtea user is created automatically
- Email verified - The email address asserted by your IdP is trusted as verified, so your IdP must be authoritative for the SSO domain
- Organization membership - User is added to your organization
- Role assigned - Default role based on IdP attributes or configuration
SSO users don't need to be invited beforehand. Anyone in your identity provider who can reach the Securtea application and has an email address on the matching domain can sign in, so restrict access by assigning the application only to the intended users or groups in your IdP.
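The relying-party side of the flow above and the just-in-time provisioning it feeds, as an added example rather than Securtea's own code. So that it runs offline, the constructed sample IdP signs ID tokens with HS256 and a shared secret; a real OIDC relying party verifies the IdP's RS256/ES256 signature against its published JWKS, and the SAML path checks the assertion's XML signature instead. The issuer URL, client ID, secret, in-memory user store and every function name are assumptions of this example. It covers the checks the page only names (signature, issuer, audience, expiry, nonce, verified email, exact domain match) and the three outcomes of a first SSO sign-in: create, link an existing password account, or refuse.

```python
"""Added example (not Securtea code): verify an OIDC ID token, then JIT-provision.
HS256 with a shared secret stands in for the IdP's published signing key so the
example runs offline. Issuer, client ID, secret and store are assumptions."""
import base64
import hashlib
import hmac
import json
import time

IDP_ISSUER = "https://idp.example.com"       # assumed issuer URL of the IdP
CLIENT_ID = "securtea-client"                # assumed client ID registered at the IdP
IDP_SECRET = b"example-only-shared-secret"   # stands in for the IdP signing key
SSO_DOMAIN = "acme.com"                      # domain SSO is enabled for


class TokenError(Exception):
    """Raised when an ID token or the identity it carries must not be trusted."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def idp_issue_id_token(email, name, nonce, email_verified=True, ttl=300, now=None):
    """Constructed sample IdP: mint the ID token returned after the user authenticates."""
    now = int(time.time() if now is None else now)
    claims = {"iss": IDP_ISSUER, "aud": CLIENT_ID,
              "sub": hashlib.sha256(email.lower().encode()).hexdigest()[:16],  # stable subject
              "iat": now, "exp": now + ttl, "nonce": nonce,
              "email": email, "email_verified": email_verified, "name": name}
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(IDP_SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"


def verify_id_token(token, expected_nonce, now=None, leeway=60):
    """Relying party: check signature, issuer, audience, expiry and nonce before
    trusting any claim. Returns the verified claims."""
    now = int(time.time() if now is None else now)
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    head, body, sig = parts
    if json.loads(_b64url_decode(head)).get("alg") != "HS256":  # reject 'none' / alg confusion
        raise TokenError("unexpected alg")
    expected = hmac.new(IDP_SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise TokenError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("iss") != IDP_ISSUER:
        raise TokenError("wrong issuer")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("token not issued for this client")
    if claims.get("exp", 0) + leeway < now:
        raise TokenError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise TokenError("nonce mismatch (replayed or mixed-up response)")
    return claims


def email_domain(email):
    """Exact, lower-cased domain; 'acme.com.evil.com' is not 'acme.com'."""
    local, at, domain = email.rpartition("@")
    if not at or not local or not domain:
        raise ValueError("invalid email address")
    return domain.lower().rstrip(".")


def provision_from_sso(claims, store, default_role="SSO User"):
    """JIT provisioning. Returns (user, action): 'created' on the first SSO sign-in,
    'linked' for an existing password account, 'updated' for a returning SSO user."""
    email = claims["email"].lower()
    if email_domain(email) != SSO_DOMAIN:
        raise TokenError("email domain is not enabled for SSO")
    if claims.get("email_verified") is not True:
        raise TokenError("IdP did not assert a verified email; refusing to provision")
    user = store.get(email)
    if user is None:
        user = store[email] = {"email": email, "sub": claims["sub"], "role": default_role}
        return user, "created"
    if user.get("sub") is None:            # existing password user: link on first SSO sign-in
        user["sub"] = claims["sub"]
        return user, "linked"
    if user["sub"] != claims["sub"]:       # same email, different IdP subject: never merge
        raise TokenError("subject mismatch for an already linked account")
    user["name"] = claims.get("name", user.get("name"))
    return user, "updated"


def sso_sign_in(token, nonce, store, now=None):
    """Steps 6 and 7 of the flow: verify the token, then create or update the user."""
    return provision_from_sso(verify_id_token(token, nonce, now=now), store)


def rejected(fn, *args, **kwargs):
    """True if the call is refused; used to exercise the failure paths."""
    try:
        fn(*args, **kwargs)
    except (TokenError, ValueError):
        return True
    return False
```

Two design points worth noting: the account is keyed by the IdP subject after the first link, so a later token for the same email but a different `sub` is refused rather than silently merged, and a token whose `email_verified` claim is missing or false never creates an account.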
Prerequisites
Before configuring SSO, ensure you have:
- Securtea Organization - Complete basic onboarding first
- Admin access to your IdP - You'll create an application/integration
- Organization owner or admin role - In Securtea
- Your email domain - The domain to enable SSO for (e.g., yourcompany.com)
Configuration Overview
Setting up SSO involves two parts:
1. Identity Provider Configuration
Create an application in your IdP:
- Register Securtea as a trusted application
- Configure the callback URL
- Set up user attribute mappings
- Generate client credentials
2. Securtea Configuration
Enter the IdP details in Securtea:
- Specify your email domain
- Enter the IdP configuration (issuer URL, client ID, etc.)
- Test the connection
- Enable SSO for your organization
Email Domain Restrictions
SSO is configured per email domain:
- Only one SSO configuration per organization
- Users with matching domains are redirected to SSO
- Users with non-matching domains use standard authentication
Example: If SSO is configured for acme.com:
- john@acme.com → Redirected to SSO
- jane@partner.com → Standard email/password login
SSO and Existing Users
When you enable SSO for a domain:
- Existing users with matching emails can now use SSO
- Their accounts are linked automatically on first SSO sign-in, matched by the email address your IdP asserts
- Password login remains available until you explicitly disable it; until then, users on the domain can still sign in with a password and bypass the policies your IdP enforces
- No data is lost - Everything transfers seamlessly
Role Assignment
SSO users receive roles based on:
- IdP attributes - If your IdP sends job title or department
- Default role - Configured fallback role
- Admin override - Manually assigned by organization admins
| IdP Signal | Assigned Role |
|---|---|
| IT, Security, Admin in title | Organization Admin |
| Manager, Director in title | Organization Member |
| Other or no signal | SSO User (read-only) |
Admins can adjust individual user roles after provisioning from Settings > Organization > Members. Because the title mapping is keyword-based (a "Security Guard" qualifies as Organization Admin), review newly provisioned admins rather than treating the heuristic as an access-control boundary.
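The precedence described above (admin override, then IdP job title or department, then the configured default), as an added example that is not Securtea's code. The keyword sets mirror the table; whole-word matching, the `source` tag that records why a role was granted, and the review helper are assumptions of this example. The tag is what lets an admin find users who hold Organization Admin only because of a title keyword.

```python
# Added example (not Securtea code): resolve an SSO user's role with the page's
# precedence: admin override > IdP title/department keywords > default role.
# Whole-word matching and the 'source' tag are assumptions of this example.
import re

ADMIN_KEYWORDS = {"it", "security", "admin", "administrator"}   # table row 1
MEMBER_KEYWORDS = {"manager", "director"}                       # table row 2
DEFAULT_ROLE = "SSO User"                                       # table row 3 (read-only)


def _words(text):
    """Lower-cased whole words of an attribute; None or empty yields no signal."""
    return set(re.findall(r"[a-z]+", (text or "").lower()))


def resolve_role(attributes, override=None, default_role=DEFAULT_ROLE):
    """Return (role, source). 'source' records why the role was granted so that
    heuristic grants can be reviewed in Settings > Organization > Members."""
    if override:
        return override, "admin-override"
    signal = _words(attributes.get("title")) | _words(attributes.get("department"))
    if signal & ADMIN_KEYWORDS:          # admin keywords win over member keywords
        return "Organization Admin", "idp-title"
    if signal & MEMBER_KEYWORDS:
        return "Organization Member", "idp-title"
    return default_role, "default"


def provision_role(email, attributes, override=None):
    """Build the membership record written at JIT provisioning time."""
    role, source = resolve_role(attributes, override)
    return {"email": email, "role": role, "source": source}


def admins_to_review(users):
    """Emails of users who are Organization Admin only because of a title keyword
    (e.g. 'Security Guard'); the heuristic is not an access-control boundary."""
    return sorted(u["email"] for u in users
                  if u["role"] == "Organization Admin" and u["source"] == "idp-title")
```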
Limitations
Current SSO implementation has these constraints:
- One SSO provider - Only one OIDC or SAML provider per organization
- Single domain - One email domain per SSO configuration
- No IdP-initiated login - Users must start from Securtea
Troubleshooting
Common Issues
- Redirect loop - Check that the callback URL registered at your IdP matches the one Securtea expects
- Invalid token - Verify the client credentials and that the issuer URL entered in Securtea matches your IdP's issuer exactly
- User not created - Check email domain matching
- Wrong organization - Ensure domain maps to correct org
Detailed troubleshooting is available in each protocol-specific guide.
Removing SSO
To disable SSO and revert to standard authentication:
- Go to Settings > Organization > SSO
- Click Remove Configuration
- Confirm the action
Users who only have SSO accounts will need to set a password before they can sign in again.
What's Next?
Choose your SSO configuration:
- Microsoft Entra ID (OIDC) - Recommended for Microsoft environments
- Generic OIDC Provider - Okta, Auth0, Google, and others
- Generic SAML Provider - Enterprise SAML integrations