
Single Sign-On (SSO)

Single Sign-On lets your team log in to Omnivoo using your company's existing identity provider -- the same system they use for email, Slack, and other workplace tools. Instead of managing separate OTP logins, your team authenticates once through your IdP and gains access to Omnivoo automatically.

Why Use SSO

  • Centralized access control - Manage who can access Omnivoo from your identity provider. When someone leaves the company, disabling their IdP account revokes Omnivoo access immediately.
  • Fewer login steps - No OTP codes to wait for. Your team clicks one button and they are in.
  • Stronger security - Leverage your IdP's security policies (MFA, conditional access, device trust) for Omnivoo logins.
  • Compliance - Meet enterprise security requirements that mandate centralized authentication.

Supported Protocols

Omnivoo supports two industry-standard SSO protocols:

| Protocol | Best For | How It Works |
|---|---|---|
| SAML 2.0 | Enterprises with Okta, Azure AD, or PingIdentity | XML-based assertion exchange between your IdP and Omnivoo |
| OIDC (OpenID Connect) | Organizations using Google Workspace or modern IdPs | Token-based authentication built on OAuth 2.0 |

Both protocols provide the same end-user experience. Choose whichever your identity provider supports or your IT team prefers.

How SSO Works with Omnivoo

  1. A user goes to app.omnivoo.com and enters their company email.
  2. Omnivoo detects that the email domain has SSO configured.
  3. The user clicks Continue with SSO and is redirected to your company's identity provider.
  4. The user authenticates with their company credentials (and any MFA your IdP requires).
  5. The IdP sends a signed assertion back to Omnivoo confirming the user's identity.
  6. Omnivoo logs the user in automatically.

Info: SSO is tied to your company's verified email domain. Users with an email address on that domain see the SSO option. For the end-user walkthrough, see Logging In with SSO.

Where Admins Set Up SSO

SSO is configured by a company admin, not on the login page. Open the avatar menu > Company Settings, find the Single Sign-On card, and click Configure SSO (this opens /employer/settings/sso). From there you verify your domain, add a SAML or OIDC connection, optionally enable SCIM provisioning, and set the authentication policy. The full step-by-step guide lives at Setting Up SSO.

Compatible Identity Providers

Omnivoo works with any SAML 2.0 or OIDC-compliant identity provider. Commonly used providers include:

  • Okta
  • Microsoft Azure AD / Entra ID
  • Google Workspace
  • OneLogin
  • PingIdentity

If your provider is not listed here but supports SAML 2.0 or OIDC, it will work with Omnivoo.

Authentication Policies

When you enable SSO, you choose an authentication policy that controls how your team can log in. In Company Settings, each policy is labelled exactly as shown below:

| Policy | Email OTP / Google | What members see |
|---|---|---|
| Any method (password or SSO) | Available | The normal login screen, with Continue with SSO offered as an extra option |
| SSO preferred (password allowed as fallback) | Available | Same as Any method -- the email/OTP form is shown, with SSO offered alongside it |
| SSO required (no password login) | Blocked | An SSO-only login card; email OTP and Google are not accepted |

What Happens When SSO Is Required

When you set the policy to SSO required:

  • Email OTP and Google sign-in are blocked for all company members, including the company owner.
  • Members who try to log in with OTP will see a message directing them to use SSO.
  • Only authentication through your configured identity provider is accepted.

Warning: There is no email-OTP break-glass login once the policy is set to SSO required. Every member must sign in through your identity provider. Configure and test your SSO connection thoroughly before switching the policy to SSO required; otherwise, members whose email domain is not SSO-enabled can be locked out.
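
A pre-flight check for the lockout risk described in the warning above, written as an added example that is not part of Omnivoo or its documentation. It flags every member whose email domain is not among the SSO-enabled domains. The member list, the role labels, and the exact-match domain rule (a subdomain is treated as a different domain) are assumptions; confirm how your domains are verified before relying on the result.

```python
# Added example: pre-flight lockout audit before enforcing "SSO required".
# Member list and domain set are constructed sample data, not Omnivoo output.

def email_domain(address):
    """Return the lowercased domain of an email address, or None if malformed."""
    address = address.strip()
    local, sep, domain = address.rpartition("@")
    if not sep or not local or "." not in domain:
        return None
    return domain.lower().rstrip(".")

def lockout_audit(members, sso_domains):
    """Split members into those who can use SSO and those who would be locked out.

    members: iterable of (email, role) tuples (role labels are hypothetical).
    sso_domains: domains verified for SSO (assumption: exact match, no subdomains).
    """
    verified = {d.strip().lower().rstrip(".") for d in sso_domains}
    report = {"ok": [], "locked_out": [], "malformed": []}
    for email, role in members:
        domain = email_domain(email)
        if domain is None:
            report["malformed"].append((email, role))
        elif domain in verified:
            report["ok"].append((email, role))
        else:
            report["locked_out"].append((email, role))
    return report

def safe_to_enforce(report):
    """Enforcing is safe only if nobody is locked out and every address parsed."""
    return not report["locked_out"] and not report["malformed"]

# Constructed sample data.
SAMPLE_MEMBERS = [
    ("owner@example.com", "owner"),
    ("Dev@Example.COM", "member"),
    ("contractor@gmail.com", "member"),
    ("hr@eu.example.com", "admin"),
    ("broken-address", "member"),
]
SAMPLE_SSO_DOMAINS = ["example.com"]

if __name__ == "__main__":
    result = lockout_audit(SAMPLE_MEMBERS, SAMPLE_SSO_DOMAINS)
    for email, role in result["locked_out"] + result["malformed"]:
        print(f"needs attention before enforcing: {email} ({role})")
    print("safe to enforce:", safe_to_enforce(result))
```

With the sample data, the contractor on a personal address and the admin on a subdomain are both reported, so the policy should stay at SSO preferred until those accounts are moved to an SSO-enabled domain.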

What's Next?