SSO introduction
Single Sign-On (SSO) allows you to use a 3rd party service to manage the authentication for the Sign In App management portal. Some of the common platforms that are used to manage SSO are Google, Azure, and Okta. Sign In App SSO uses Open ID connect (OIDC) protocol, SAML is not supported.
Important: SSO is a feature exclusive to the Sign In App Pro plan and can only be set up by customers on this plan.
If you would like to upgrade to the Pro plan please email [email protected]
Sign In App SSO is designed for managing portal admins only. You are not able to manage Companion app users with SSO - you can read more about other ways of managing Companion app users here.
Please Note: If you are a legacy customer who has SSO included, you can still make use of this feature but self-service won't be available on your plan. Please email [email protected] to upgrade your account, or [email protected] for further information about setting up SSO on your account.
Self-Service Configuration
Our self-service feature allows Pro-tier customers to manage Single Sign-On (SSO) in their account. To activate self-service for SSO, we need to enable this on your account. Please email [email protected] with this request.
Once done, the Primary User can then proceed with the below configuration steps in the admin portal.
Part 1: Configure Your Identity Provider
Step 1: Access SSO Configuration
A Primary User must log into their Sign In App account.
Navigate to Manage > Portal Users.
Locate the option to create a new SSO configuration.
Step 2: Select Your Identity Provider
Choose one of the three supported providers. The required fields vary slightly for each:
Identity Provider | Required Fields |
Entra ID (formerly Azure) | Client ID, Client Secret, Tenant ID |
Client ID, Client Secret, Domain | |
Okta | Client ID, Client Secret, Provider Domain |
Step 3: Complete Configuration Fields
Complete the Domain Name field (the email detail after the @).
Click on your chosen identity provider.
Fill in all required fields for the selected provider.
Click Save to create the identity provider configuration.
Please Note:
- Only one domain is supported per SSO configuration. It is however, possible to have multiple 'Domain Aliases' if they are all managed by the same identity provider. In this instance please provide the additional domain names to us at [email protected]
- We do not support multiple ID providers simultaneously, it it only a single provider that covers multiple domain names
Important Configuration Notes:
Partial saves are not possible—all information must be provided completely.
Once saved, the configuration becomes read-only.
Configuration details cannot be viewed after saving.
You can reconfigure/update credentials if they change or the client secret expires.
Your SSO will initially show as ‘incomplete configuration’ until domain verification is complete.
Part 2: Domain Verification
Step 4: Verify Domain Ownership
Return to Manage > Portal Users.
Your identity provider connection will be flagged as incomplete.
Click into the configuration to view the domain verification status.
Step 5: Add DNS Record
Note the domain listed (e.g. yourcompany.com) showing as ‘not verified’
Copy the TXT record provided in the instructions.
Add this TXT record to your domain's DNS settings.
Wait for DNS propagation (typically 5–15 minutes).
Step 6: Complete Verification
Return to the SSO configuration page.
Click the Verify button.
If successful, your domain will show as verified, and your SSO configuration will become active.
Post-Configuration Login
Once configuration is complete, sign out of your account and sign back in using the link https://my.signinapp.com/. The system will recognise the domain from your email address and offer the option to select your SSO login.
Once you’ve been set up as an SSO admin, you can manage SSO from the Sign In App portal, go to Manage and then scroll down to the bottom and click Portal users. From there click the button below the Single sign on users section (there will be a logo for the SSO platform you’re using e.g. Google, Azure, or Okta).
SSO users
This section allows you to view the SSO users on your account, you can click the user to manage their individual permissions. Read more about managing users here.
Pending approval
When a user requests to have access to your Sign In App account using SSO they will appear in this list, allowing you to manage all new users from one location.
Settings
You can manage the default permissions that an SSO portal user will get when they’ve been approved.
Managing Existing Users & Access
Moving Existing Portal Users to SSO
For an existing portal user to be redirected to the SSO sign-in, an admin must first delete their existing portal user account.
Important: Before deleting the existing portal user account, please ensure that a 'Primary user' is still active so that you continue to have local authentication access should the SSO fail or expire.
If you would like your primary user to access via SSO, an alternative email using a different domain should be added and promoted to primary user.
To delete a user go to Manage > Manage Account > Portal Users, select the user to delete, select delete in the pop up and save to confirm. Once the account is deleted, the user can log in via SSO and request access, which an admin can then assign.
We would also recommend setting the SSO admin as a Billing User so that they are able to access the subscription details within the account. To do this go to Manage > Manage Account > Portal Users, > select the SSO tab > select Users > select a name to edit > in the pop up tick the box next to Billing User and save.
User Access Requests
If you have configured access permissions within your SSO platform, users without access will be denied. If default permissions are not set up, the user will need to select the account(s) they want to access by clicking Request access.
How SSO Login Works
User enters their email address on the login page.
If they have a local account, they will see a password prompt.
The user can choose to use local credentials or SSO.
Existing SSO configurations will continue to redirect to SSO as before.
Important: Sign In App Single Sign On is triggered by email domain. This means if your organisation has multiple Sign In App accounts SSO must be used across all of the accounts and the SSO administrators must have full access across all accounts. SSO users can be restricted to single Sign In App accounts.
This also means if you have portal users with different email domains to the one SSO has been set up on they will need to continue using Email/Password to log in.
Setting up SSO for a user
When a user needs access to your Sign In App account using SSO they can visit my.signinapp.com and enter their email address. The system will pick up the domain (what’s after the @) and give them the option to select their SSO login. If this is the first time they’re logging in with SSO, they will be prompted to select the email address they’re trying to log in with.
Within your SSO platform, if you have configured which users should have access to Sign In App, then users without access will be denied when selecting their user. If you don’t have default permissions set up the user will need to select which account(s) they’re looking to gain access to by clicking Request access.
Following this, they’re added to the Pending approval list in the SSO admin section of the Sign In App portal. SSO administrators can then configure their permissions and approve or deny the request.
With default permissions enabled this step is skipped and the user gains access automatically. SSO administrators will also be sent an email notification to let them know a user has requested access.
Managing SSO users
Managing default permissions allows you to set the base permissions that all users within your organisation should have. You can also manage individual users giving you granular control over which users have access to each section of the Sign In App portal.
Default permissions
Default permissions mean that any user in your organisation that tries to access your Sign In App account with a valid email address (one on your domain) will automatically have access to the account(s) with the default permissions enabled.
Depending on your SSO provider, you should be able to set which users will have access to Sign In App - this gives you control over access to Sign In App from within your organisation. When these users go to log in they will be configured with the default permission level.
Important: Some SSO providers may not allow you to manage which users have access to Sign In App. If that is the case, you might choose to disable default permissions so all users with your organisation’s domain don’t have access to the Sign In App portal.
Individual permissions
Some users may need higher or lower permission levels than the default permissions, in this case you’re able to edit each user separately. Click SSO users from the SSO admin section of the portal to see a list of all SSO users configured on your account. Clicking a user will show you their permissions, if you have default permissions enabled then this will be toggled on here. To edit the users permissions you need to toggle Use default permissions off, once you’ve done this you can edit the user’s account and site access, and permission level.
SSO Administrators
As an SSO administrator you’re able to manage user permissions and approve new users. If you want to make another SSO user an SSO administrator, edit the user and toggle Allow this user to manage SSO users ON.
Need Help?
If you need configuration for identity providers not listed, or if you encounter issues during setup, please contact our support team at [email protected] or [email protected]