What is Single Sign-On?
Single Sign-On (SSO) allows your organization members to sign in to Documenso using your organization’s identity provider instead of managing separate Documenso passwords.Benefits of SSO
Security
- Centralized Authentication: One place to manage user access
- Stronger Security: Leverage your existing security infrastructure
- Quick Revocation: Immediately revoke access when employees leave
- Compliance: Meet regulatory requirements for authentication
- MFA Support: Inherit multi-factor authentication from your IdP
User Experience
- Single Credentials: No need to remember another password
- Faster Login: Seamless authentication if already logged in
- Reduced Password Fatigue: One less password to manage
- Automatic Provisioning: Users join organization automatically
Administration
- Centralized Management: Manage users in one place
- Auto-Provisioning: Automatically create accounts for new users
- Domain-Based Access: Automatically add users from your domains
- Audit Trail: Track authentication through your IdP
SSO is an enterprise feature and may require a specific subscription plan. Contact your administrator or Documenso support for availability.
Supported SSO Providers
Documenso supports SSO via:OIDC (OpenID Connect)
The primary SSO method:- Compatible with most modern identity providers
- Standards-based authentication
- Supports popular providers like:
- Okta
- Auth0
- Azure AD / Microsoft Entra ID
- Google Workspace
- OneLogin
- Keycloak
- Any OIDC-compliant provider
Prerequisites
Before configuring SSO:- Organization admin access in Documenso
- Access to your identity provider’s admin console
- Your organization’s domain verified in Documenso (if using domain-based auto-join)
- OIDC provider details (Client ID, Client Secret, Well-Known URL)
Configuring SSO
Configure Provider
Enter your OIDC provider details:
- Well-Known URL
- Client ID
- Client Secret (if updating)
Set Auto-Provisioning
Configure:
- Auto-provision users (recommended)
- Default organization role for new users
- Allowed domains (optional)
SSO Configuration Fields
Well-Known URL
The OIDC discovery endpoint:- Format:
https://your-provider.com/.well-known/openid-configuration - Provides configuration details to Documenso
- Obtained from your identity provider
- Okta:
https://your-domain.okta.com/.well-known/openid-configuration - Auth0:
https://your-domain.auth0.com/.well-known/openid-configuration - Azure AD:
https://login.microsoftonline.com/{tenant-id}/v2.0/.well-known/openid-configuration
Client ID
Your application’s client identifier:- Obtained when registering Documenso with your IdP
- Unique identifier for your organization
- Public value (not secret)
Client Secret
Your application’s client secret:- Obtained when registering Documenso with your IdP
- Keep this value secure
- Required for authentication
- Only shown when creating/updating
Auto-Provision Users
Automatically create accounts:- Enabled: New users are automatically added to your organization
- Disabled: Users must be manually invited
- Recommended for most organizations
Default Organization Role
Role assigned to auto-provisioned users:- Admin: Full administrative access (not recommended for auto-provision)
- Manager: Management capabilities
- Member: Standard user access (recommended default)
Allowed Domains
Restrict which email domains can auto-join:- Leave empty to allow all domains
- Enter specific domains to restrict access
- Separate multiple domains with spaces
- Example:
company.com subsidiary.com
Allowed domains provide additional security by ensuring only users from your organization’s email domains can auto-provision accounts.
Setting Up Your Identity Provider
General steps to configure your IdP:1. Register Documenso as an Application
In your identity provider:- Create a new OIDC application
- Name it “Documenso” or similar
- Note the assigned Client ID
- Generate or note the Client Secret
2. Configure Redirect URLs
Set the callback/redirect URL:3. Configure Scopes
Request these OIDC scopes:openid(required)email(required)profile(recommended)
4. Note Well-Known URL
Find your provider’s OIDC discovery endpoint (well-known URL).5. Assign Users
Assign users or groups who should have access to Documenso.Provider-Specific Guides
Okta
- Go to Applications > Applications in Okta
- Click Create App Integration
- Choose OIDC - OpenID Connect
- Choose Web Application
- Set redirect URI:
https://your-domain/api/auth/callback/oidc - Save and note Client ID and Client Secret
- Well-Known URL:
https://your-domain.okta.com/.well-known/openid-configuration
Azure AD / Microsoft Entra ID
- Go to Azure Active Directory > App registrations
- Click New registration
- Name: “Documenso”
- Redirect URI:
https://your-domain/api/auth/callback/oidc - Register the application
- Note the Application (client) ID
- Go to Certificates & secrets > create new client secret
- Well-Known URL:
https://login.microsoftonline.com/{tenant-id}/v2.0/.well-known/openid-configuration
Google Workspace
- Go to Google Cloud Console
- Create or select a project
- Enable Google+ API
- Go to Credentials > Create Credentials > OAuth client ID
- Application type: Web application
- Add authorized redirect URI:
https://your-domain/api/auth/callback/oidc - Note Client ID and Client Secret
- Well-Known URL:
https://accounts.google.com/.well-known/openid-configuration
Auth0
- Go to Applications in Auth0 dashboard
- Click Create Application
- Choose Regular Web Application
- Go to Settings tab
- Add Callback URL:
https://your-domain/api/auth/callback/oidc - Note Client ID and Client Secret
- Well-Known URL:
https://your-domain.auth0.com/.well-known/openid-configuration
Testing SSO Configuration
Before Rolling Out
Testing Procedure
- Log out of Documenso completely
- Go to your organization’s login page:
/o/your-org/signin - Click Sign in with SSO (if shown)
- You should be redirected to your IdP
- Sign in with IdP credentials
- You should be redirected back to Documenso and signed in
Organization Login Page
With SSO enabled, your organization gets a custom login page: URL Format:/o/your-org-url/signin
This page:
- Shows your organization’s branding
- Provides SSO login button
- May still offer email/password option (based on settings)
- Can be shared with organization members
User Experience
First-Time SSO Login
- User goes to organization login page
- Clicks “Sign in with SSO”
- Redirected to identity provider
- Signs in with IdP credentials
- Redirected back to Documenso
- Account auto-created (if auto-provisioning enabled)
- User added to organization with default role
Subsequent Logins
- User goes to organization login page
- Clicks “Sign in with SSO”
- If already authenticated with IdP, immediately signed in
- Otherwise, signs in with IdP credentials
- Redirected back to Documenso
Managing SSO Users
Viewing SSO Users
Identify users who authenticated via SSO:- Check user accounts in organization members
- Review security audit logs for SSO sign-in events
- Users will have SSO provider indicated in their account
Removing SSO Users
To remove a user’s access: Option 1: Remove from Documenso- Go to organization members
- Remove the user
- They lose access to Documenso
- Remove user’s access in your identity provider
- They can no longer authenticate via SSO
- Existing sessions may remain until expiry
- Remove from both for immediate and permanent revocation
Troubleshooting
SSO Login Failed
Possible Causes:- Incorrect Well-Known URL
- Invalid Client ID or Secret
- Redirect URI not configured in IdP
- User not assigned to application in IdP
- OIDC scopes not properly configured
- Verify all configuration values
- Check IdP application settings
- Review IdP logs for errors
- Test with different user
Auto-Provisioning Not Working
Possible Causes:- Auto-provisioning disabled
- User’s email domain not in allowed domains
- IdP not providing email claim
- User already exists with different auth method
- Enable auto-provisioning in settings
- Check allowed domains configuration
- Verify IdP returns email in claims
- Check for existing accounts
Redirect Loop
Possible Causes:- Incorrect redirect URI configuration
- Browser cookie issues
- Session problems
- Verify redirect URI matches exactly
- Clear browser cookies
- Try different browser
- Check for browser extensions blocking cookies
Users Can’t Access Organization
Possible Causes:- Auto-provisioning disabled and user not manually added
- Insufficient permissions in default role
- User not assigned to teams
- Enable auto-provisioning or manually add users
- Verify default role has necessary permissions
- Assign users to appropriate teams
Security Best Practices
Configuration
- Use HTTPS: Always use secure connections
- Secure Client Secret: Store securely, never commit to repositories
- Regular Rotation: Rotate client secrets periodically
- Minimal Scopes: Only request necessary OIDC scopes
Access Control
- Least Privilege: Use most restrictive default role
- Domain Restrictions: Use allowed domains to limit access
- Regular Audits: Review organization members regularly
- MFA Required: Require MFA at IdP level
Monitoring
- Audit Logs: Review security audit logs regularly
- Failed Attempts: Monitor failed SSO attempts
- Unusual Activity: Watch for suspicious sign-in patterns
- Access Reviews: Quarterly access reviews
Disabling SSO
To disable SSO:- Go to organization SSO settings
- Toggle Enable SSO to off
- Confirm the change
- Users must use alternative sign-in methods