SSO FAQ

Configure and enforce Single Sign-On for your Cliqer team.

SSO (Single Sign-On) FAQ

SSO lets your team sign in through your own identity provider. It is part of the Enterprise plan and is configured by your team at Dashboard → Team → Security (/dash/team/security). You need the Manage security team permission (owner and admins have it by default).

Which providers are supported?

Self-service SSO uses OpenID Connect (OIDC). Any OIDC provider works - Okta, Microsoft Entra ID (Azure AD), Google Workspace, Auth0, and others all expose an OIDC endpoint.

SAML is available but managed - contact Cliqer and we will set it up for your team. The self-service form only creates OIDC providers.

How do I add a provider?

  1. Go to Team → Security → Single sign-on and click Add provider.
  2. Fill in:
    • Display name - the label shown on the sign-in button.
    • Issuer URL - your provider's OIDC issuer. Cliqer fetches discovery from <issuer>/.well-known/openid-configuration automatically.
    • Client ID and Client secret - from the application you created in your IdP.
    • Identifier claim - which claim maps to the Cliqer account (email, sub, or preferred_username). Default email.
    • Email domain allowlist (optional) - restrict sign-in to specific email domains.
    • Auto-create accounts - provision a Cliqer account on first sign-in.
  3. Save. The provider now appears on the sign-in page.

When you edit a provider, the client secret field can be left blank to keep the stored secret - it is never shown back to you.

What redirect URI do I configure in my IdP?

https://<your-cliqer-host>/sso/<slug>/callback

The slug is generated when you create the provider. The sign-in flow starts at /api/auth/sso/<slug>/start and returns to the callback above.

Can I use more than one provider?

Yes. You can add multiple providers; each shows its own button on the sign-in page. Use the email domain allowlist to scope who each provider accepts.

What does "Require SSO" do?

When you turn on Require SSO, password and passkey sign-in are rejected server-side for your team's members - they must use one of your SSO providers.

  • Enforcement happens at the login endpoints (/api/auth/login and the passkey verify step), not by hiding a form, so it cannot be bypassed by calling the API directly.
  • The team owner is exempt (break-glass): the owner can always sign in with a password so an organization can never lock itself out.

Add and test at least one working provider before turning enforcement on.

What happens to existing accounts?

Members are matched to their SSO identity by the identifier claim (email by default). Existing accounts keep their data and settings. With Auto-create enabled, a first-time SSO user with no matching account gets one provisioned automatically.

How do I turn enforcement off?

Toggle Require SSO off on the same page. Password and passkey sign-in become available again immediately. Your providers stay configured.