SSO
Configure single sign-on (OIDC) for your organization.
Single sign-on (SSO) lets your team log in to Proliferate through an external Identity Provider (IdP) using OpenID Connect (OIDC). Organization admins create a connection to their IdP and restrict which email domains may use it.
Proliferate speaks standard OIDC, so it works with any compliant provider, including Google, Okta, Microsoft Entra ID, Auth0, GitLab, and others. There is no provider-specific behavior; you only need an OIDC application with a Client ID, Client Secret, and Issuer URL.
Key capabilities:
- Any OIDC provider: auto-discovery via the issuer's
/.well-known/openid-configuration, or explicit endpoints. - Email-domain gating: restrict sign-in to one or more verified email domains.
- Test before enable: validate the full login flow before exposing SSO to your team.
Connections created from this screen only let existing members sign in with SSO; they don't create new accounts automatically. Invite someone to the organization first (see Members & groups), then they can sign in with SSO once it's enabled. Automatic account creation on first SSO login (JIT provisioning) is only configurable for self-hosted, deployment-level SSO; see Deployment-level SSO.
Prerequisites
- Organization admin access to your Proliferate organization.
- An OIDC Identity Provider. Create an OIDC application with your IdP and obtain the Client ID, Client Secret, and Issuer URL. See the provider guides below.
- The Redirect URI from your Proliferate SSO settings (you copy this into the IdP; see Redirect URI).
Set up single sign-on
Open your organization settings and go to Single sign-on. Configuration order doesn't matter, but the typical flow is:
Step 1. Create the OIDC application with your IdP
Follow the guide for your provider:
Google Cloud OAuth 2.0 client.
Okta
Okta OIDC web app integration.
Microsoft Entra ID
Azure / Entra app registration.
Auth0
Auth0 Regular Web Application.
GitLab
GitLab application (SaaS or self-hosted).
When the IdP asks for a redirect / callback URL, paste the Redirect URI shown in the Proliferate Single sign-on form (use the copy button next to it). See Redirect URI.
Step 2. Fill in the connection
Single sign-on settings
Organization settings, Single sign-on: connection status badge, the display name, allowed domains, and OIDC connection fields, the redirect URI with a copy button, and Test/Enable/Disable/Delete/Save buttons.
In the Single sign-on settings, complete:
| Field | What to enter |
|---|---|
| Display name | A label for this connection (e.g. Acme SSO). |
| Allowed domains | Comma-separated email domains permitted to sign in, e.g. company.com,partner.com. Leave blank to allow any verified email. |
| OIDC issuer URL | Your provider's issuer, e.g. https://idp.example.com. Endpoints are auto-discovered from <issuer>/.well-known/openid-configuration. |
| OIDC client ID | The application's client ID from your IdP. |
| OIDC client secret | The application's client secret. (When editing later, leave blank to keep the saved secret.) |
| OIDC scopes | Defaults to openid email profile. Add more if you need extra claims. |
| Token auth method | Client secret basic (default), Client secret post, or None; match what your IdP expects. |
Save the connection. It starts in Draft status.
Step 3. Test, then enable
- Click Test. The authentication flow with your IdP opens in a new window. A successful test marks the connection Tested.
- Once the test succeeds, click Enable to make SSO available to your organization.
Always Test before you Enable. A misconfigured connection that is enabled can block your team from signing in.
Redirect URI
Proliferate exposes a single OIDC callback path:
The full Redirect URI is shown (with a copy button) in the Single sign-on form, derived from your deployment's base URL:
- Cloud:
https://app.proliferate.com/auth/sso/oidc/callback - Local development:
http://127.0.0.1:8025/auth/sso/oidc/callback
Always copy the exact value shown in the form and register it verbatim with your IdP. Most providers reject a login if the redirect URI doesn't match character-for-character.
Microsoft Entra ID rejects http://127.0.0.1 for a Web redirect (it
allows only https:// or http://localhost). For local testing with Entra,
register http://localhost:8025/auth/sso/oidc/callback and reach Proliferate
via localhost so the redirect matches. See the
Entra guide.
Access control
Allowed domains
After your IdP returns an identity, Proliferate requires a verified email
(email claim with email_verified true). If Allowed domains is set, the
email's domain must match one of them (case-insensitive); otherwise sign-in is
rejected. An empty list allows any verified email.
Provisioning (JIT)
A connection has a provisioning policy that controls what happens on first SSO login. Proliferate supports three policies underneath: Disabled (the user must already be a member; unknown users are rejected), Existing user (same requirement), and Create member (a new user and membership are created automatically on first login).
The Single sign-on settings screen doesn't currently expose a way to change this. Connections created there are always Disabled: invite someone to the organization first, then they can sign in with SSO. Create member provisioning is only available today through deployment-level, self-hosted SSO (environment variables); see Deployment-level SSO.
Log in with SSO
After SSO is enabled, members sign in through your IdP from the Proliferate login screen using their organization email. The email domain must match one of the connection's allowed domains.
Manage a connection
From the Single sign-on settings, an organization admin can:
- Test: re-run the login flow at any time.
- Disable: stop SSO from being used to sign in. Existing sessions are not affected.
- Enable: re-activate a disabled connection.
- Delete: remove the connection entirely.
Connection status is shown as Draft (saved but never enabled), Enabled, or Disabled.
Deployment-level SSO (self-hosting)
Self-hosted deployments can configure SSO with environment variables instead of the admin UI. The variables mirror the fields above:
Provisioning is controlled by PROLIFERATE_SSO_JIT_POLICY
(disabled | existing_user | create_member) and PROLIFERATE_SSO_DEFAULT_ROLE.
The callback base URL comes from API_BASE_URL. See
Authentication: SSO setup
for the full deployment reference.
Troubleshooting
The redirect URI is invalid.
The Redirect URI registered with your IdP must exactly match the one shown in
the Proliferate Single sign-on form, e.g.
https://app.proliferate.com/auth/sso/oidc/callback.
No such host / discovery failed.
Check the Issuer URL. You can verify it by opening
<issuer>/.well-known/openid-configuration in your browser; it should return
JSON.
Email domain is not allowed. The signing-in user's email domain isn't in Allowed domains, or the email isn't verified at the IdP. Add the domain, or sign in with a matching account.
SSO user is not a team member. Connections created from the Single sign-on settings only sign in existing members. Invite the person to the organization first, then have them sign in with SSO.
Token exchange failed.
The Token auth method likely doesn't match your IdP. Try switching between
Client secret basic and Client secret post.