Single Sign-On (SSO) Setup Guide
Overview
Ansehn supports Enterprise Single Sign-On (SSO), allowing your organization to authenticate team members using your existing Identity Provider (IdP). This provides centralized access control, improved security, and a seamless sign-in experience.
Prerequisites
- An active Ansehn subscription with SSO enabled (Enterprise plan)
- Administrator access to your organization's Identity Provider
- Owner or Admin role in your Ansehn organization
Supported Identity Providers
| Provider | Protocol | Status |
|---|---|---|
| Microsoft Entra ID (Azure AD) | OIDC | Fully Supported |
| Google Workspace | OIDC | Fully Supported |
| Okta | OIDC | Fully Supported |
| OneLogin | OIDC | Fully Supported |
| Auth0 | OIDC | Fully Supported |
| JumpCloud | OIDC | Fully Supported |
| Ping Identity | OIDC | Fully Supported |
Any OIDC-compliant identity provider should work with Ansehn SSO.
Quick Start
Step 1: Configure Your Identity Provider
Create an application in your IdP using these settings:
Callback URL:
https://www.ansehn.com/api/auth/callback/sso
Required Scopes: openid, profile, email
See IdP-Specific Instructions below for detailed setup guides.
Step 2: Add SSO Provider in Ansehn
- Log in to Ansehn as an Owner or Admin
- Go to Organization Settings → Single Sign-On
- Click Add Provider and enter:
| Field | Description | Example |
|---|---|---|
| Provider Name | A unique identifier | acme-corp-sso |
| Domain | Your company email domain | acme.com |
| Issuer URL | OIDC issuer URL from your IdP | https://login.microsoftonline.com/{tenant}/v2.0 |
| Client ID | Application/Client ID from your IdP | 12345678-abcd-... |
| Client Secret | Client secret from your IdP | *** |
Step 3: Wait for Approval
After submitting your configuration:
- Status will show Pending Approval
- The Ansehn team will verify your configuration (typically 1-2 business days)
- Once approved, status changes to Active
- Your team can sign in using Enterprise SSO
Need expedited activation? Contact support@ansehn.com
Step 4: Sign In with SSO
Once approved, users can sign in:
- Go to the Ansehn sign-in page
- Click Enterprise SSO
- Enter their work email address
- Click Continue with SSO
- Complete authentication with your IdP
IdP-Specific Instructions
Microsoft Entra ID (Azure AD)
1. Register the Application
- Go to Azure Portal → Microsoft Entra ID → App registrations
- Click New registration
- Configure:
- Name: Ansehn
- Supported account types: Accounts in this organizational directory only
- Redirect URI: Web → https://www.ansehn.com/api/auth/callback/sso
- Click Register
2. Create Client Secret
- Note the Application (client) ID from the overview page
- Go to Certificates & secrets → New client secret
- Add a description and expiry, then click Add
- Immediately copy the secret value (you won't be able to view it again)
3. Find Your Issuer URL
Your Issuer URL is:
https://login.microsoftonline.com/{TENANT_ID}/v2.0
Find your Tenant ID in the Overview section of Microsoft Entra ID.
Configuration Summary:
- Issuer URL: https://login.microsoftonline.com/YOUR_TENANT_ID/v2.0
- Client ID: Your Application (client) ID
- Client Secret: The secret value you copied
Google Workspace
1. Create OAuth Credentials
- Go to Google Cloud Console
- Select or create a project
- Go to APIs & Services → Credentials
- Click Create Credentials → OAuth client ID
- If prompted, configure the OAuth consent screen first
2. Configure OAuth Client
- Application type: Web application
- Name: Ansehn SSO
- Authorized redirect URIs: https://www.ansehn.com/api/auth/callback/sso
- Click Create
- Note the Client ID and Client Secret
Configuration Summary:
- Issuer URL: https://accounts.google.com
- Client ID: Your OAuth Client ID
- Client Secret: Your OAuth Client Secret
Okta
1. Create App Integration
- Log in to your Okta Admin Console
- Go to Applications → Create App Integration
- Select OIDC - OpenID Connect and Web Application
- Click Next
2. Configure App Settings
- App integration name: Ansehn
- Grant type: Authorization Code
- Sign-in redirect URIs: https://www.ansehn.com/api/auth/callback/sso
- Sign-out redirect URIs: https://www.ansehn.com
- Controlled access: Choose appropriate option
- Click Save
3. Get Credentials
Note the Client ID and Client Secret from the application settings.
Configuration Summary:
- Issuer URL: https://yourcompany.okta.com/oauth2/default
- Client ID: Your Okta Client ID
- Client Secret: Your Okta Client Secret
OneLogin
1. Add Application
- Log in to OneLogin Admin Console
- Go to Applications → Add App
- Search for OpenID Connect (OIDC) and select it
- Enter display name: Ansehn
2. Configure SSO Settings
- Go to the SSO tab
- Note the Client ID and Client Secret
- Set Token Endpoint to: POST
- Set Application Type to: Web
3. Configure Redirect URI
- Go to the Configuration tab
- Set Redirect URI: https://www.ansehn.com/api/auth/callback/sso
Configuration Summary:
- Issuer URL: https://YOUR_SUBDOMAIN.onelogin.com/oidc/2
- Client ID: Your OneLogin Client ID
- Client Secret: Your OneLogin Client Secret
User Provisioning
When users sign in via SSO for the first time:
- An account is automatically created using their IdP profile
- They are added to your organization
- Default role: Member
Admins can adjust user roles in Organization Settings → Team.
Managing SSO
Viewing Status
The SSO settings page shows:
- Configured providers
- Approval status: Pending Approval, Active, or Rejected
- Rejection reason (if applicable)
SSO Status Values
| Status | Description |
|---|---|
| Pending Approval | Configuration submitted, awaiting review |
| Active | SSO is approved and ready for sign-in |
| Rejected | Configuration was rejected (see reason) |
Deleting a Provider
- Go to Organization Settings → Single Sign-On
- Click the delete icon next to the provider
- Confirm deletion
Note: Deleting a provider prevents SSO sign-in. Users can still sign in with email/password or Google.
Security Best Practices
- Rotate client secrets periodically (e.g., every 90 days)
- Use groups in your IdP to manage access instead of individual users
- Enable MFA in your IdP for additional security
- Review access regularly to ensure only authorized users have SSO access
- Monitor sign-ins through your IdP's audit logs
Troubleshooting
"SSO is not configured for this email domain"
- Verify SSO is configured for your domain in Ansehn
- Ensure the SSO provider status is Active
- Check you're using the correct email domain
"SSO is pending approval"
- Your configuration is awaiting Ansehn team review
- Approval typically takes 1-2 business days
- Contact support@ansehn.com for expedited review
"Invalid redirect URI"
Ensure the callback URL in your IdP is exactly:
https://www.ansehn.com/api/auth/callback/sso
Check for trailing slashes or typos.
"Authentication failed"
- Verify Client ID and Client Secret are correct
- Ensure the user is assigned to the application in your IdP
- Check that required scopes (openid, profile, email) are enabled
"OIDC discovery failed"
- Verify your issuer URL is correct
- Ensure your IdP is accessible from the internet
- Test by visiting {issuer-url}/.well-known/openid-configuration in your browser
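The browser test above can be scripted to catch the usual causes of a failed discovery or a rejected configuration before you submit. This is an added example, not Ansehn's own validation code: the function names, the `idp.example.com` issuer and the sample documents are constructed for illustration, and the checks assume the Authorization Code flow and the three scopes this guide requires.

```python
import json
import urllib.request

REQUIRED_SCOPES = {"openid", "profile", "email"}  # scopes this guide requires


def discovery_url(issuer):
    # OIDC Discovery: well-known path appended to the issuer, minus any trailing slash.
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def fetch_discovery(issuer, timeout=10.0):
    # Network call against your real IdP; not used by the constructed samples below.
    with urllib.request.urlopen(discovery_url(issuer), timeout=timeout) as resp:
        return json.load(resp)


def check_discovery(issuer, doc):
    """Return a list of problems; an empty list means the document looks usable."""
    problems = []
    if not issuer.startswith("https://"):
        problems.append("issuer URL must use https")
    # The issuer in the document must be identical to the one you configure,
    # including case and trailing slash.
    if doc.get("issuer") != issuer:
        problems.append(f"issuer mismatch: document says {doc.get('issuer')!r}")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if not str(doc.get(key, "")).startswith("https://"):
            problems.append(f"{key} missing or not https")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow ('code') not advertised")
    scopes = doc.get("scopes_supported")
    if scopes is not None:  # optional field; skip the check when the IdP omits it
        missing = REQUIRED_SCOPES - set(scopes)
        if missing:
            problems.append("scopes not advertised: " + ", ".join(sorted(missing)))
    return problems


# Constructed sample documents (not real IdP output).
GOOD_ISSUER = "https://idp.example.com/oauth2/default"
GOOD_DOC = {
    "issuer": GOOD_ISSUER,
    "authorization_endpoint": GOOD_ISSUER + "/v1/authorize",
    "token_endpoint": GOOD_ISSUER + "/v1/token",
    "jwks_uri": GOOD_ISSUER + "/v1/keys",
    "response_types_supported": ["code"],
    "scopes_supported": ["openid", "profile", "email"],
}
# Same document with a trailing slash on the issuer and two scopes disabled.
BAD_DOC = dict(GOOD_DOC, issuer=GOOD_ISSUER + "/", scopes_supported=["openid"])

if __name__ == "__main__":
    print(check_discovery(GOOD_ISSUER, GOOD_DOC))
    print(check_discovery(GOOD_ISSUER, BAD_DOC))
```

To check a live IdP, pass the Issuer URL you plan to enter in Ansehn to `fetch_discovery` and feed the result to `check_discovery`.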
Configuration Rejected
- Check the rejection reason in your SSO settings
- Correct the issue (e.g., wrong issuer URL, domain mismatch)
- Delete the rejected configuration and submit a new one
FAQ
Q: Can I use multiple IdPs for my organization? A: Currently, each organization can have one SSO provider per domain. Contact support for multi-IdP requirements.
Q: What happens to existing users when SSO is enabled? A: Existing users can continue signing in with email/password or Google. Once they sign in via SSO, their account is linked to the IdP.
Q: Can users sign in with both SSO and email/password? A: Yes, both methods work. We recommend SSO for better security and user experience.
Q: Is SSO available on all plans? A: SSO is available on Enterprise plans. Contact sales for pricing information.
Q: How long does SSO approval take? A: Typically 1-2 business days. Contact support@ansehn.com for expedited review.
Support
Need help with SSO configuration?
- Email: support@ansehn.com
- Enterprise Support: Contact your account manager