Tenant SSO
Connect your organization's identity provider (IdP) so your agents sign in to the tenant app with their existing corporate credentials. ActionConnect supports OIDC providers (Microsoft Entra, Google Workspace, Okta, and any compliant OIDC IdP) using the authorization-code flow with PKCE.
NOTE
SSO authenticates a user at sign-in. If you also want accounts created and kept in sync from your directory in the background, that is a separate feature — see Directory sync.
How sign-in works
- An agent picks your organization's SSO connection on the sign-in screen.
- ActionConnect builds the IdP authorization URL and starts a PKCE exchange; the code verifier is kept in a short-lived, http-only cookie and never reaches the browser's JavaScript.
- The IdP authenticates the user and redirects back to `/api/auth/sso/callback`.
- ActionConnect exchanges the code for tokens, reads the `id_token` claims (`sub`, `email`), links or provisions the user, and mints a session.
A CSRF state, a nonce, and the hashed PKCE verifier are stored for exactly one round-trip and consumed on callback, so each login attempt is single-use.
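As an added example (not ActionConnect's own code), the server side of the flow above in Python: starting a login with a fresh state, nonce and S256 PKCE challenge while storing only the hashed verifier for one round trip, consuming that record on callback so a replayed state or a mismatched cookie fails, and the claim checks (iss, aud, nonce, exp) that run after the id_token signature has been verified. The connection dictionary, its keys and the sample IdP endpoints are assumptions.

```python
import base64
import hashlib
import secrets
import time
from urllib.parse import urlencode

# Constructed sample connection (not a real IdP); shaped like the settings in the table below.
SAMPLE_CONNECTION = {"issuer": "https://idp.example.test", "client_id": "actionconnect-tenant",
                     "authorization_endpoint": "https://idp.example.test/authorize"}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

class PendingLogins:
    """Server-side record of in-flight logins, keyed by state and consumed exactly once."""
    def __init__(self, ttl_seconds: int = 300):
        self._pending, self._ttl = {}, ttl_seconds

    def start(self, connection: dict, redirect_uri: str) -> dict:
        verifier = b64url(secrets.token_bytes(32))  # goes only into the http-only cookie
        state = b64url(secrets.token_bytes(16))     # CSRF binding for the callback
        nonce = b64url(secrets.token_bytes(16))     # ties the id_token to this attempt
        self._pending[state] = {
            "nonce": nonce,
            "verifier_hash": hashlib.sha256(verifier.encode()).hexdigest(),  # hash, not the verifier
            "expires": time.time() + self._ttl,
            "connection": connection,
        }
        params = {"response_type": "code", "client_id": connection["client_id"],
                  "redirect_uri": redirect_uri, "scope": "openid email", "state": state,
                  "nonce": nonce, "code_challenge_method": "S256",
                  "code_challenge": b64url(hashlib.sha256(verifier.encode()).digest())}
        url = f"{connection['authorization_endpoint']}?{urlencode(params)}"
        return {"authorize_url": url, "state": state, "verifier": verifier}

    def consume(self, state: str, cookie_verifier: str):
        """Return the pending entry for this callback, or None if unknown, expired, replayed or mismatched."""
        entry = self._pending.pop(state, None)  # pop: a second callback with the same state finds nothing
        if entry is None or entry["expires"] < time.time():
            return None
        cookie_hash = hashlib.sha256(cookie_verifier.encode()).hexdigest()
        return entry if secrets.compare_digest(cookie_hash, entry["verifier_hash"]) else None

def accept_claims(claims: dict, entry: dict, now=None):
    """Claim checks applied after the id_token signature was verified against jwks_uri (not shown)."""
    now = time.time() if now is None else now
    conn = entry["connection"]
    if claims.get("iss") != conn["issuer"] or claims.get("aud") != conn["client_id"]:
        return None
    if claims.get("nonce") != entry["nonce"] or claims.get("exp", 0) <= now:
        return None
    return {"sub": claims["sub"], "email": claims.get("email")}
```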
Setting up a connection
A connection holds your IdP's OIDC configuration — issuer/endpoints and client id. Key settings:
| Setting | Purpose |
|---|---|
| Provider | The IdP type (e.g. OIDC / Microsoft / Google). |
| Display name | What agents see on the sign-in screen. |
| Email domain | Auto-selects this connection for users with a matching email domain. |
| Enforce SSO | When on, disables password login for the organization. |
| JIT provisioning | Auto-creates a user on first successful SSO login. |
| Default role | The role assigned to JIT-provisioned users. |
IMPORTANT
The IdP client secret is never stored in your tenant database. It is held as a server-side secret and referenced by the connection. ActionConnect stores only the non-secret OIDC configuration.
Redirect URI
Register this redirect (callback) URI in your IdP application:
https://<your-org>.actionconnect.com/api/auth/sso/callback
Just-in-time (JIT) provisioning
With JIT enabled, the first time someone signs in through your IdP, ActionConnect creates their user automatically and assigns the connection's default role — no manual invite needed. Their account is linked to the IdP subject (sub), and a user may have more than one linked identity. SSO-only users carry no password.
Enforcing SSO
Turn on Enforce SSO to require every agent to sign in through your IdP and disable email-and-password login for the organization. Combine with an email domain so users on your domain are routed to SSO automatically.
Plan gating
SSO is a plan-gated capability (features.sso). If you do not see SSO settings, confirm your plan with ActionConnect.
Production notes
The login flow decodes the IdP id_token to read claims. In production the id_token signature is verified against the provider's jwks_uri, and the client secret is resolved from an encrypted store. These hardening steps are part of the SSO rollout and do not change the setup described above.
Related
- Authentication — the email + password baseline.
- Directory sync — import and reconcile users from Entra.
- Users & roles — what SSO users can do once provisioned.