Single Sign-On (SSO)
Single Sign-On lets your team log in to Omnivoo using your company's existing identity provider -- the same system they use for email, Slack, and other workplace tools. Instead of managing separate OTP logins, your team authenticates once through your IdP and gains access to Omnivoo automatically.
Why Use SSO
- Centralized access control - Manage who can access Omnivoo from your identity provider. When someone leaves the company, disabling their IdP account revokes Omnivoo access immediately.
- Fewer login steps - No OTP codes to wait for. Your team clicks one button and they are in.
- Stronger security - Leverage your IdP's security policies (MFA, conditional access, device trust) for Omnivoo logins.
- Compliance - Meet enterprise security requirements that mandate centralized authentication.
Supported Protocols
Omnivoo supports two industry-standard SSO protocols:
| Protocol | Best For | How It Works |
|---|---|---|
| SAML 2.0 | Enterprises with Okta, Azure AD, or PingIdentity | XML-based assertion exchange between your IdP and Omnivoo |
| OIDC (OpenID Connect) | Organizations using Google Workspace or modern IdPs | Token-based authentication built on OAuth 2.0 |
Both protocols provide the same end-user experience. Choose whichever your identity provider supports or your IT team prefers.
How SSO Works with Omnivoo
- A user goes to app.omnivoo.com and enters their company email.
- Omnivoo detects that the email domain has SSO configured.
- The user clicks Continue with SSO and is redirected to your company's identity provider.
- The user authenticates with their company credentials (and any MFA your IdP requires).
- The IdP sends a signed assertion back to Omnivoo confirming the user's identity.
- Omnivoo logs the user in automatically.
SSO is tied to your company's verified email domain. Users with an email address on that domain see the SSO option. For the end-user walkthrough, see Logging In with SSO.
Where Admins Set Up SSO
SSO is configured by a company admin, not on the login page. Open the avatar menu > Company Settings, find the Single Sign-On card, and click Configure SSO (this opens /employer/settings/sso). From there you verify your domain, add a SAML or OIDC connection, optionally enable SCIM provisioning, and set the authentication policy. The full step-by-step guide lives at Setting Up SSO.
Compatible Identity Providers
Omnivoo works with any SAML 2.0 or OIDC-compliant identity provider. Commonly used providers include:
- Okta
- Microsoft Azure AD / Entra ID
- Google Workspace
- OneLogin
- PingIdentity
If your provider is not listed here but supports SAML 2.0 or OIDC, it will work with Omnivoo.
Authentication Policies
When you enable SSO, you choose an authentication policy that controls how your team can log in. In Company Settings, each policy is labelled exactly as shown below:
| Policy | Email OTP / Google | What members see |
|---|---|---|
| Any method (password or SSO) | Available | The normal login screen, with Continue with SSO offered as an extra option |
| SSO preferred (password allowed as fallback) | Available | Same as Any method -- the email/OTP form is shown, with SSO offered alongside it |
| SSO required (no password login) | Blocked | An SSO-only login card; email OTP and Google are not accepted |
What Happens When SSO Is Required
When you set the policy to SSO required:
- Email OTP and Google sign-in are blocked for all company members, including the company owner.
- Members who try to log in with OTP will see a message directing them to use SSO.
- Only authentication through your configured identity provider is accepted.
There is no email-OTP break-glass for SSO required. Every member must sign in through your identity provider. Configure and test your SSO connection thoroughly before switching the policy to SSO required; otherwise, members whose email domain is not SSO-enabled can be locked out.
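A pre-flight check for the lockout risk described above, as an added example that is not part of Omnivoo's documentation or code: it takes a member roster and the verified SSO domains and lists who could not sign in once the policy is SSO required. The roster format, the role labels, and the exact-match domain rule (subdomains treated as separate domains) are assumptions.

```python
# Added example: pre-flight lockout check before switching to "SSO required".
# Assumptions (not from the Omnivoo docs): the roster is a list of (email, role)
# pairs you exported yourself, and a domain only counts if it matches a
# verified SSO domain exactly (subdomains are treated as separate domains).

def email_domain(address):
    """Return the lower-cased domain of an address, or None if malformed."""
    address = address.strip()
    local, sep, domain = address.rpartition("@")
    if not sep or not local or "." not in domain or " " in address:
        return None
    return domain.rstrip(".").lower()


def lockout_report(roster, sso_domains):
    """Split a roster into members who can use SSO and members who cannot."""
    verified = {d.strip().rstrip(".").lower() for d in sso_domains}
    covered, locked_out = [], []
    for email, role in roster:
        domain = email_domain(email)
        if domain in verified:
            covered.append(email)
        else:
            reason = "malformed address" if domain is None else f"{domain} has no SSO"
            locked_out.append((email, role, reason))
    # Owners first: the policy blocks OTP for the company owner too.
    locked_out.sort(key=lambda row: (row[1] != "owner", row[0].lower()))
    return covered, locked_out


# Constructed sample data; example.com is the only verified SSO domain.
ROSTER = [
    ("Ana@Example.com", "admin"),
    ("founder@gmail.example", "owner"),
    ("li@eu.example.com", "member"),
    ("contractor@agency.example", "member"),
    ("broken-address", "member"),
]

if __name__ == "__main__":
    covered, locked_out = lockout_report(ROSTER, ["example.com"])
    print(f"{len(covered)} member(s) can sign in through the IdP")
    for email, role, reason in locked_out:
        print(f"LOCKED OUT  {role:<7} {email}  ({reason})")
```

An empty locked-out list is the condition to reach before changing the policy; anyone listed needs an address on a verified domain first.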
What's Next?
- Setting Up SSO - Step-by-step configuration guide for admins
- SCIM Provisioning - Automate user provisioning from your IdP
- Logging In with SSO - End-user guide for signing in with SSO