Organization Settings

Single Sign-On (SSO) Setup Guide

Overview

Ansehn supports Enterprise Single Sign-On (SSO), allowing your organization to authenticate team members using your existing Identity Provider (IdP). This provides centralized access control, improved security, and a seamless sign-in experience.

Prerequisites

  • An active Ansehn subscription with SSO enabled (Enterprise plan)

  • Administrator access to your organization's Identity Provider

  • Owner or Admin role in your Ansehn organization

Supported Identity Providers

Provider                      | Protocol | Status
Microsoft Entra ID (Azure AD) | OIDC     | Fully Supported
Google Workspace              | OIDC     | Fully Supported
Okta                          | OIDC     | Fully Supported
OneLogin                      | OIDC     | Fully Supported
Auth0                         | OIDC     | Fully Supported
JumpCloud                     | OIDC     | Fully Supported
Ping Identity                 | OIDC     | Fully Supported

Any OIDC-compliant identity provider should work with Ansehn SSO.


Quick Start

Step 1: Configure Your Identity Provider

Create an application in your IdP using these settings:

Callback URL:

https://www.ansehn.com/api/auth/callback/sso

Required Scopes: openid, profile, email

See IdP-Specific Instructions below for detailed setup guides.

Step 2: Add SSO Provider in Ansehn

  1. Log in to Ansehn as an Owner or Admin

  2. Go to Organization Settings → Single Sign-On

  3. Click Add Provider and enter:

Field         | Description                         | Example
Provider Name | A unique identifier                 | acme-corp-sso
Domain        | Your company email domain           | acme.com
Issuer URL    | OIDC issuer URL from your IdP       | https://login.microsoftonline.com/{tenant}/v2.0
Client ID     | Application/Client ID from your IdP | 12345678-abcd-...
Client Secret | Client secret from your IdP         | ***

Step 3: Wait for Approval

After submitting your configuration:

  1. Status will show Pending Approval

  2. The Ansehn team will verify your configuration (typically 1-2 business days)

  3. Once approved, status changes to Active

  4. Your team can sign in using Enterprise SSO

Need expedited activation? Contact [email protected]

Step 4: Sign In with SSO

Once approved, users can sign in:

  1. Go to the Ansehn sign-in page

  2. Click Enterprise SSO

  3. Enter their work email address

  4. Click Continue with SSO

  5. Complete authentication with your IdP


IdP-Specific Instructions

Microsoft Entra ID (Azure AD)

1. Register the Application

  1. Go to Azure Portal → Microsoft Entra ID → App registrations

  2. Click New registration

  3. Configure:

    • Name: Ansehn

    • Supported account types: Accounts in this organizational directory only

    • Redirect URI: Web → https://www.ansehn.com/api/auth/callback/sso

  4. Click Register

2. Create Client Secret

  1. Note the Application (client) ID from the overview page

  2. Go to Certificates & secrets → New client secret

  3. Add a description and expiry, then click Add

  4. Immediately copy the secret value (you won't be able to view it again)

3. Find Your Issuer URL

Your Issuer URL is:

https://login.microsoftonline.com/{TENANT_ID}/v2.0

Find your Tenant ID in the Overview section of Microsoft Entra ID.

Configuration Summary:

  • Issuer URL: https://login.microsoftonline.com/YOUR_TENANT_ID/v2.0

  • Client ID: Your Application (client) ID

  • Client Secret: The secret value you copied


Google Workspace

1. Create OAuth Credentials

  1. Go to Google Cloud Console

  2. Select or create a project

  3. Go to APIs & Services → Credentials

  4. Click Create Credentials → OAuth client ID

  5. If prompted, configure the OAuth consent screen first

2. Configure OAuth Client

  1. Application type: Web application

  2. Name: Ansehn SSO

  3. Authorized redirect URIs: https://www.ansehn.com/api/auth/callback/sso

  4. Click Create

  5. Note the Client ID and Client Secret

Configuration Summary:

  • Issuer URL: https://accounts.google.com

  • Client ID: Your OAuth Client ID

  • Client Secret: Your OAuth Client Secret


Okta

1. Create App Integration

  1. Log in to your Okta Admin Console

  2. Go to Applications → Create App Integration

  3. Select OIDC - OpenID Connect and Web Application

  4. Click Next

2. Configure App Settings

  1. App integration name: Ansehn

  2. Grant type: Authorization Code

  3. Sign-in redirect URIs: https://www.ansehn.com/api/auth/callback/sso

  4. Sign-out redirect URIs: https://www.ansehn.com

  5. Controlled access: Choose appropriate option

  6. Click Save

3. Get Credentials

Note the Client ID and Client Secret from the application settings.

Configuration Summary:

  • Issuer URL: https://yourcompany.okta.com/oauth2/default

  • Client ID: Your Okta Client ID

  • Client Secret: Your Okta Client Secret


OneLogin

1. Add Application

  1. Log in to OneLogin Admin Console

  2. Go to Applications → Add App

  3. Search for OpenID Connect (OIDC) and select it

  4. Enter display name: Ansehn

2. Configure SSO Settings

  1. Go to the SSO tab

  2. Note the Client ID and Client Secret

  3. Set Token Endpoint to: POST

  4. Set Application Type to: Web

3. Configure Redirect URI

  1. Go to the Configuration tab

  2. Set Redirect URI: https://www.ansehn.com/api/auth/callback/sso

Configuration Summary:

  • Issuer URL: https://YOUR_SUBDOMAIN.onelogin.com/oidc/2

  • Client ID: Your OneLogin Client ID

  • Client Secret: Your OneLogin Client Secret


User Provisioning

When users sign in via SSO for the first time:

  • An account is automatically created using their IdP profile

  • They are added to your organization

  • Default role: Member

Admins can adjust user roles in Organization Settings → Team.


Managing SSO

Viewing Status

The SSO settings page shows:

  • Configured providers

  • Approval status: Pending Approval, Active, or Rejected

  • Rejection reason (if applicable)

SSO Status Values

Status           | Description
Pending Approval | Configuration submitted, awaiting review
Active           | SSO is approved and ready for sign-in
Rejected         | Configuration was rejected (see reason)

Deleting a Provider

  1. Go to Organization Settings → Single Sign-On

  2. Click the delete icon next to the provider

  3. Confirm deletion

Note: Deleting a provider prevents SSO sign-in. Users can still sign in with email/password or Google.


Security Best Practices

  1. Rotate client secrets periodically (e.g., every 90 days)

  2. Use groups in your IdP to manage access instead of individual users

  3. Enable MFA in your IdP for additional security

  4. Review access regularly to ensure only authorized users have SSO access

  5. Monitor sign-ins through your IdP's audit logs


Troubleshooting

"SSO is not configured for this email domain"

  • Verify SSO is configured for your domain in Ansehn

  • Ensure the SSO provider status is Active

  • Check you're using the correct email domain

"SSO is pending approval"

  • Your configuration is awaiting Ansehn team review

  • Approval typically takes 1-2 business days

  • Contact [email protected] for expedited review

"Invalid redirect URI"

Ensure the callback URL in your IdP is exactly:

https://www.ansehn.com/api/auth/callback/sso

Check for trailing slashes or typos.

"Authentication failed"

  • Verify Client ID and Client Secret are correct

  • Ensure the user is assigned to the application in your IdP

  • Check that required scopes (openid, profile, email) are enabled

"OIDC discovery failed"

  • Verify your issuer URL is correct

  • Ensure your IdP is accessible from the internet

  • Test by visiting {issuer-url}/.well-known/openid-configuration in your browser
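A pre-submission check for the "Invalid redirect URI" and "OIDC discovery failed" cases above, as an added example (not Ansehn's own code). The function names and the sample document are constructed for illustration, and the metadata checks follow the OpenID Connect Discovery specification, which requires the issuer in the document to equal the configured issuer exactly; they are an assumption about what a relying party needs, not Ansehn's documented approval criteria.

```python
from urllib.parse import urlsplit

CALLBACK_URL = "https://www.ansehn.com/api/auth/callback/sso"  # from this guide
REQUIRED_SCOPES = {"openid", "profile", "email"}  # from this guide

def discovery_url(issuer):
    # OIDC Discovery: drop any trailing "/" before appending the well-known path.
    return issuer.rstrip("/") + "/.well-known/openid-configuration"

def check_redirect_uri(registered):
    # The guide requires an exact match, so name the difference when there is one.
    if registered == CALLBACK_URL:
        return []
    if registered.rstrip("/") == CALLBACK_URL:
        return ["trailing slash on redirect URI"]
    return ["redirect URI differs from the documented callback URL"]

def check_discovery(issuer, doc):
    # Returns a list of problems; an empty list means no problem was found.
    problems = []
    if doc.get("issuer") != issuer:  # must equal the configured value exactly
        problems.append("issuer mismatch: %r != %r" % (doc.get("issuer"), issuer))
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if urlsplit(str(doc.get(key, ""))).scheme != "https":
            problems.append(key + " missing or not https")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow not advertised")
    scopes = doc.get("scopes_supported")  # optional metadata: check only if present
    if scopes is not None:
        missing = sorted(REQUIRED_SCOPES - set(scopes))
        if missing:
            problems.append("scopes not advertised: " + ", ".join(missing))
    return problems

# Constructed sample: parsed discovery JSON for the guide's placeholder Okta issuer.
SAMPLE_ISSUER = "https://yourcompany.okta.com/oauth2/default"
SAMPLE_DOC = {
    "issuer": SAMPLE_ISSUER,
    "authorization_endpoint": SAMPLE_ISSUER + "/v1/authorize",
    "token_endpoint": SAMPLE_ISSUER + "/v1/token",
    "jwks_uri": SAMPLE_ISSUER + "/v1/keys",
    "response_types_supported": ["code"],
    "scopes_supported": ["openid", "email"],  # "profile" left out on purpose
}

if __name__ == "__main__":
    print(discovery_url(SAMPLE_ISSUER))
    print(check_redirect_uri(CALLBACK_URL + "/"))
    print(check_discovery(SAMPLE_ISSUER, SAMPLE_DOC))
```

To use it against a real IdP, fetch the JSON at `discovery_url(issuer)` and pass the parsed document to `check_discovery` together with the issuer string exactly as you plan to enter it in Ansehn.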

Configuration Rejected

  1. Check the rejection reason in your SSO settings

  2. Correct the issue (e.g., wrong issuer URL, domain mismatch)

  3. Delete the rejected configuration and submit a new one


FAQ

Can I use multiple IdPs for my organization?

Currently, each organization can have one SSO provider per domain. Contact support for multi-IdP requirements.

What happens to existing users when SSO is enabled?

Existing users can continue signing in with email/password or Google. Once they sign in via SSO, their account is linked to the IdP.

Can users sign in with both SSO and email/password?

Yes, both methods work. We recommend SSO for better security and user experience.

Is SSO available on all plans?

SSO is available on Enterprise plans. Contact sales for pricing information.

How long does SSO approval take?

Typically 1-2 business days. Contact [email protected] for expedited review.


Support

Need help with SSO configuration?
