Which identity providers does Oh Dear support for SSO?
Oh Dear supports SAML 2.0 single sign-on, which means it works with just about any modern identity provider. We publish step-by-step guides for the most common ones:
- Okta
- Microsoft Entra ID (formerly Azure AD)
- Google Workspace
- OneLogin
- JumpCloud
Any other SAML 2.0-compatible IdP (Auth0, Keycloak, Ping Identity, ADFS, etc.) will work too. You'll just be plugging in the same URLs and certificate that the guided providers use.
What SSO gives you
- Your team signs in with their existing corporate credentials
- You control access centrally through your IdP (deprovisioning a user in Okta removes their Oh Dear access immediately)
- You can require SSO for all team members, so corporate accounts can't bypass it with a personal Oh Dear login
How it's set up
The high-level flow is:
1. Verify your domain in Oh Dear by adding a DNS TXT record. This proves you control the email domain you'll require SSO for.
2. Configure your IdP with Oh Dear as a SAML application (we provide the metadata URL and certificate).
3. Test the connection with a single user before enforcing it team-wide.
4. Enforce SSO for all team members once you're confident.
Each Oh Dear team can connect one identity provider. If you have multiple teams (common for agencies or parent organizations), each team manages its own SSO independently.
SCIM provisioning
Automatic user provisioning (SCIM 2.0) is on our roadmap but not available today. Users need to exist on the Oh Dear team (via invitation) before their first SSO login succeeds. If SCIM is a hard requirement for you, let us know so we can factor it into prioritization.