SSO

Configure single sign-on (OIDC) for your organization.

Single sign-on (SSO) lets your team log in to Proliferate through an external Identity Provider (IdP) using OpenID Connect (OIDC). Organization admins create a connection to their IdP and restrict which email domains may use it.

Proliferate speaks standard OIDC, so it works with any compliant provider, including Google, Okta, Microsoft Entra ID, Auth0, GitLab, and others. There is no provider-specific behavior; you only need an OIDC application with a Client ID, Client Secret, and Issuer URL.

Key capabilities:

  • Any OIDC provider: auto-discovery via the issuer's /.well-known/openid-configuration, or explicit endpoints.
  • Email-domain gating: restrict sign-in to one or more verified email domains.
  • Test before enable: validate the full login flow before exposing SSO to your team.
Warning:

Connections created from this screen only let existing members sign in with SSO; they don't create new accounts automatically. Invite someone to the organization first (see Members & groups), then they can sign in with SSO once it's enabled. Automatic account creation on first SSO login (JIT provisioning) is only configurable for self-hosted, deployment-level SSO; see Deployment-level SSO.

Prerequisites

  • Organization admin access to your Proliferate organization.
  • An OIDC Identity Provider. Create an OIDC application with your IdP and obtain the Client ID, Client Secret, and Issuer URL. See the provider guides below.
  • The Redirect URI from your Proliferate SSO settings (you copy this into the IdP; see Redirect URI).

Set up single sign-on

Open your organization settings and go to Single sign-on. Configuration order doesn't matter, but the typical flow is:

Step 1. Create the OIDC application with your IdP

Follow the guide for your provider:

When the IdP asks for a redirect / callback URL, paste the Redirect URI shown in the Proliferate Single sign-on form (use the copy button next to it). See Redirect URI.

Step 2. Fill in the connection

Single sign-on settings

Organization settings, Single sign-on: connection status badge, the display name, allowed domains, and OIDC connection fields, the redirect URI with a copy button, and Test/Enable/Disable/Delete/Save buttons.

In the Single sign-on settings, complete:

FieldWhat to enter
Display nameA label for this connection (e.g. Acme SSO).
Allowed domainsComma-separated email domains permitted to sign in, e.g. company.com,partner.com. Leave blank to allow any verified email.
OIDC issuer URLYour provider's issuer, e.g. https://idp.example.com. Endpoints are auto-discovered from <issuer>/.well-known/openid-configuration.
OIDC client IDThe application's client ID from your IdP.
OIDC client secretThe application's client secret. (When editing later, leave blank to keep the saved secret.)
OIDC scopesDefaults to openid email profile. Add more if you need extra claims.
Token auth methodClient secret basic (default), Client secret post, or None; match what your IdP expects.

Save the connection. It starts in Draft status.

Step 3. Test, then enable

  1. Click Test. The authentication flow with your IdP opens in a new window. A successful test marks the connection Tested.
  2. Once the test succeeds, click Enable to make SSO available to your organization.
Warning:

Always Test before you Enable. A misconfigured connection that is enabled can block your team from signing in.

Redirect URI

Proliferate exposes a single OIDC callback path:

/auth/sso/oidc/callback

The full Redirect URI is shown (with a copy button) in the Single sign-on form, derived from your deployment's base URL:

  • Cloud: https://app.proliferate.com/auth/sso/oidc/callback
  • Local development: http://127.0.0.1:8025/auth/sso/oidc/callback

Always copy the exact value shown in the form and register it verbatim with your IdP. Most providers reject a login if the redirect URI doesn't match character-for-character.

Warning:

Microsoft Entra ID rejects http://127.0.0.1 for a Web redirect (it allows only https:// or http://localhost). For local testing with Entra, register http://localhost:8025/auth/sso/oidc/callback and reach Proliferate via localhost so the redirect matches. See the Entra guide.

Access control

Allowed domains

After your IdP returns an identity, Proliferate requires a verified email (email claim with email_verified true). If Allowed domains is set, the email's domain must match one of them (case-insensitive); otherwise sign-in is rejected. An empty list allows any verified email.

Provisioning (JIT)

A connection has a provisioning policy that controls what happens on first SSO login. Proliferate supports three policies underneath: Disabled (the user must already be a member; unknown users are rejected), Existing user (same requirement), and Create member (a new user and membership are created automatically on first login).

Info:

The Single sign-on settings screen doesn't currently expose a way to change this. Connections created there are always Disabled: invite someone to the organization first, then they can sign in with SSO. Create member provisioning is only available today through deployment-level, self-hosted SSO (environment variables); see Deployment-level SSO.

Log in with SSO

After SSO is enabled, members sign in through your IdP from the Proliferate login screen using their organization email. The email domain must match one of the connection's allowed domains.

Manage a connection

From the Single sign-on settings, an organization admin can:

  • Test: re-run the login flow at any time.
  • Disable: stop SSO from being used to sign in. Existing sessions are not affected.
  • Enable: re-activate a disabled connection.
  • Delete: remove the connection entirely.

Connection status is shown as Draft (saved but never enabled), Enabled, or Disabled.

Deployment-level SSO (self-hosting)

Self-hosted deployments can configure SSO with environment variables instead of the admin UI. The variables mirror the fields above:

PROLIFERATE_SSO_ENABLED=true
PROLIFERATE_SSO_PROTOCOL=oidc
PROLIFERATE_SSO_DISPLAY_NAME="Company SSO"
PROLIFERATE_SSO_ALLOWED_DOMAINS="company.com"
PROLIFERATE_SSO_OIDC_ISSUER_URL="https://idp.example.com"
PROLIFERATE_SSO_OIDC_CLIENT_ID="..."
PROLIFERATE_SSO_OIDC_CLIENT_SECRET="..."
PROLIFERATE_SSO_OIDC_SCOPES="openid,email,profile"
PROLIFERATE_SSO_OIDC_TOKEN_ENDPOINT_AUTH_METHOD="client_secret_basic"

Provisioning is controlled by PROLIFERATE_SSO_JIT_POLICY (disabled | existing_user | create_member) and PROLIFERATE_SSO_DEFAULT_ROLE. The callback base URL comes from API_BASE_URL. See Authentication: SSO setup for the full deployment reference.

Troubleshooting

The redirect URI is invalid. The Redirect URI registered with your IdP must exactly match the one shown in the Proliferate Single sign-on form, e.g. https://app.proliferate.com/auth/sso/oidc/callback.

No such host / discovery failed. Check the Issuer URL. You can verify it by opening <issuer>/.well-known/openid-configuration in your browser; it should return JSON.

Email domain is not allowed. The signing-in user's email domain isn't in Allowed domains, or the email isn't verified at the IdP. Add the domain, or sign in with a matching account.

SSO user is not a team member. Connections created from the Single sign-on settings only sign in existing members. Invite the person to the organization first, then have them sign in with SSO.

Token exchange failed. The Token auth method likely doesn't match your IdP. Try switching between Client secret basic and Client secret post.

On this page