
Setting Up SSO

This guide walks you through configuring Single Sign-On for your company on Omnivoo. You will verify your domain, connect your identity provider, and set an authentication policy.

Info: SSO configuration requires the Owner or Admin role on your company account.

Step 1: Verify Your Domain

Before configuring SSO, you must prove ownership of your company's email domain.

  1. Go to Settings > Single Sign-On.
  2. In the Domain Verification section, enter your company domain (e.g., company.com).
  3. Click Add Domain.
  4. Omnivoo will display a DNS TXT record you need to add:
    • Host / Name: _omnivoo.company.com
    • Value: omnivoo-verify=<token> (a unique token generated for your domain)
  5. Add this TXT record in your DNS provider's settings (e.g., Cloudflare, GoDaddy, Route 53).
  6. Return to Omnivoo and click Verify.

Tip: Omnivoo uses the _omnivoo. subdomain prefix for the TXT record to avoid conflicts with existing TXT records on your root domain (such as SPF or DKIM records).

DNS changes can take up to 48 hours to propagate, though most providers update within a few minutes. If verification fails, wait and try again.
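
A pre-check you can run before clicking Verify, to tell a propagation delay apart from a misplaced record. This is an added example, not Omnivoo tooling: the token `abc123`, the function names and the status strings are constructed for illustration, and live lookups assume `dig` is installed.

```python
import shlex
import subprocess

def parse_dig_short(output):
    # Each line is one TXT record made of one or more quoted chunks (long
    # values are split into strings of at most 255 bytes); join the chunks.
    return ["".join(shlex.split(line)) for line in output.splitlines() if line.strip()]

def dig_txt(name):
    """TXT values published at `name`, via `dig +short TXT` (needs dig and network)."""
    out = subprocess.run(["dig", "+short", "TXT", name], capture_output=True,
                         text=True, timeout=10, check=False).stdout
    return parse_dig_short(out)

def diagnose(domain, token, lookup=dig_txt):
    """Return a short status for the Omnivoo verification record."""
    name = f"_omnivoo.{domain}"
    expected = f"omnivoo-verify={token}"
    here = lookup(name)
    if expected in here:
        return "ok"
    if any(v.startswith("omnivoo-verify=") for v in here):
        return "wrong-token"   # record exists, value differs (stale or mistyped token)
    if expected in lookup(f"{name}.{domain}"):
        return "doubled-name"  # DNS provider appended the zone to a full host name
    if expected in lookup(domain):
        return "on-root"       # value was added to the root domain, not _omnivoo.
    return "not-found"         # not created yet, or not propagated

# Constructed sample: resolver answers for the "doubled name" mistake.
SAMPLE_ZONE = {"_omnivoo.company.com.company.com": ['"omnivoo-verify=abc123"']}

def sample_lookup(name):
    return parse_dig_short("\n".join(SAMPLE_ZONE.get(name, [])))

if __name__ == "__main__":
    print(diagnose("company.com", "abc123", sample_lookup))
```

A `doubled-name` result means the DNS provider expects only `_omnivoo` in the Host / Name field because it appends the zone itself.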

Step 2: Configure Your SSO Connection

After your domain is verified, you can connect your identity provider.

  1. In the SSO Configuration section, choose your protocol: SAML or OIDC.
  2. Enter the required fields from your identity provider.

SAML Configuration

| Field | Description | Where to Find It |
| --- | --- | --- |
| Entry Point URL | The URL where Omnivoo sends authentication requests | Your IdP's SSO settings, often called "SSO URL" or "Login URL" |
| Entity ID | Your IdP's unique identifier | Your IdP's SSO settings, often called "Issuer" or "Entity ID" |
| Certificate | The public X.509 certificate from your IdP | Download from your IdP's SSO settings (PEM format) |

When configuring your IdP, use these values for the Omnivoo service provider:

| IdP Field | Omnivoo Value |
| --- | --- |
| ACS URL (Assertion Consumer Service) | https://api.omnivoo.com/auth/sso/saml/callback |
| Entity ID / Audience | https://api.omnivoo.com |
| Name ID Format | urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress |

OIDC Configuration

| Field | Description | Where to Find It |
| --- | --- | --- |
| Issuer URL | The OpenID Connect discovery URL | Your IdP's OIDC settings (e.g., https://accounts.google.com) |
| Client ID | The application identifier assigned by your IdP | Created when you register Omnivoo as an application in your IdP |
| Client Secret | The secret key for the application | Generated alongside the Client ID |

When configuring your IdP, use this redirect URI:

| IdP Field | Omnivoo Value |
| --- | --- |
| Redirect URI / Callback URL | https://api.omnivoo.com/auth/sso/oidc/callback |

  3. Click Save to store the configuration.
  4. Click Activate to enable SSO for your domain.

Step 3: Set Your Authentication Policy

After activating SSO, choose how your team will log in:

  1. In the Authentication Policy section, select one of the following:

| Policy | What It Means |
| --- | --- |
| Any Method | SSO is available alongside email OTP and Google login. Members choose how they want to log in. |
| SSO Preferred | The SSO button is shown first on the login page. OTP and Google are still available as fallback options. |
| SSO Required | Only SSO login is allowed. Email OTP and Google login are blocked for all company members. |

  2. Click Save Policy.

Warning: Before setting the policy to SSO Required, make sure all team members can successfully authenticate through your identity provider. The company owner retains emergency OTP access as a break-glass mechanism, but no other members will be able to log in without SSO.

Step 4: Test SSO

Before rolling out to your team, verify that SSO works:

  1. Log out of Omnivoo.
  2. Go to app.omnivoo.com and enter your company email.
  3. Click the Continue with SSO button.
  4. Verify that you are redirected to your identity provider's login page.
  5. Sign in with your company credentials.
  6. Confirm that you are logged in to Omnivoo successfully.

If the test fails, double-check your IdP configuration values (Entry Point URL, Certificate, Client ID, etc.) and ensure the callback URLs are entered correctly in your IdP.

IdP-Specific Setup Guides

Okta

  1. In Okta, go to Applications > Create App Integration.
  2. Select SAML 2.0 (or OIDC if preferred).
  3. Set the ACS URL / Redirect URI to the Omnivoo callback URL from the table above.
  4. Set the Audience / Entity ID to https://api.omnivoo.com.
  5. Copy the Entry Point URL, Entity ID, and Certificate into Omnivoo.

Azure AD / Entra ID

  1. In the Azure portal, go to Enterprise Applications > New Application.
  2. Select Create your own application and choose Non-gallery application.
  3. Under Single sign-on, select SAML.
  4. Set the Reply URL (ACS) and Identifier (Entity ID) using the Omnivoo values from the table above.
  5. Download the Certificate (Base64) and copy the Login URL into Omnivoo.

Google Workspace

  1. In Google Admin, go to Apps > Web and mobile apps > Add custom SAML app.
  2. Copy the SSO URL and Certificate from the Google IdP information page.
  3. Enter the Omnivoo ACS URL and Entity ID on the service provider details page.
  4. Paste the Google values into Omnivoo's SAML configuration.
