# Single Sign-On (SSO)

Your team already has an identity provider. Why manage another set of passwords?

Connect Oh Dear to your organization's IdP and let your team sign in with the credentials they already use. Centralized access control, automatic provisioning, and one less password to worry about.

[Start monitoring](https://ohdear.app/register)

10-day free trial
No credit card required

## One login for your entire team

Centralized access through your identity provider

When your team grows, managing individual passwords becomes a liability. Someone leaves, and you scramble to revoke access across a dozen services. Someone new joins, and they need yet another password to remember.

With SSO, your team signs into Oh Dear using the same credentials they use for everything else. Disable someone in your IdP, and they lose access to Oh Dear automatically. No shared passwords, no forgotten accounts, no access gaps.

Available on every plan, because security shouldn't be a premium feature.

## Works with the IdP you already use

SAML 2.0 compatible with every major provider

Oh Dear supports any SAML 2.0 identity provider. We've built guided setup flows for the most popular ones, so configuration takes minutes, not hours.

**Okta**, **Microsoft Entra ID** (Azure AD), **Google Workspace**, **OneLogin**, **JumpCloud**, **Auth0**, **PingFederate** - we have step-by-step instructions for each. Using a different SAML 2.0 provider? That works too.

We provide your SP metadata URL, Entity ID, and ACS URL. Copy them into your IdP, paste your IdP details back, and you're done. Test the connection before enabling it for your team.

## Email-first login

Seamless for both SSO and password users

When your team members visit the login page, they enter their email address. If their domain has SSO configured, they're redirected to your IdP automatically. Non-SSO users see the password field as usual.

No separate SSO login page, no special URLs to bookmark. Your team just enters their email and the right thing happens.

If you want to go further, you can enforce SSO for all non-owner team members. Password login gets blocked entirely for those users, so there's no way to bypass your organization's authentication policy.

## Enforce SSO, keep a break-glass

Security policies with a safety net

**Enforce SSO** to require all non-owner team members to authenticate through your IdP. Password login is blocked, API tokens keep working, and your security policy is fully applied.

**Team owners always retain password access** as a break-glass mechanism. If your IdP goes down, you can still get into Oh Dear. Every break-glass login is logged for audit purposes.

**Domain verification via DNS** proves your organization owns the email domain before SSO can be enabled. No one can hijack your team's authentication by claiming a domain they don't control.

**Existing team members** receive a one-time linking email to connect their account to their IdP identity. No silent account linking by email alone.

## Stop worrying, start monitoring

Start a no-strings-attached 10-day free trial. You're all set in less than a minute.
(No credit card needed.)

Not convinced yet? Need help?
Get in touch via <support@ohdear.app>.

## Built on SAML 2.0

Industry-standard enterprise authentication

**SAML 2.0** is the industry standard for enterprise single sign-on. It's supported by every major identity provider and trusted by organizations worldwide.

**Certificate rotation** is handled gracefully. Upload a secondary certificate before your primary expires, and Oh Dear validates against both during the transition. We'll notify you at 30, 14, and 7 days before expiry.

**Security hardened.** SHA-1 signatures rejected. Audience restriction enforced. Replay protection active. Transient NameIDs blocked. Every assertion is validated against a strict set of rules before we trust it.

**API tokens are unaffected.** Your CI/CD pipelines and automation scripts keep working regardless of SSO session state. Tokens are revoked only when a user is removed from the team.
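The four rules named under "Security hardened" can be expressed as policy checks on a parsed assertion. The sketch below is an added example, not Oh Dear's code: the entity ID, assertion IDs and helper names are placeholders, the sample assertion is constructed, and the cryptographic signature verification that a SAML library performs is deliberately left out.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SHA1_ALGS = {NS["ds"] + "rsa-sha1", NS["ds"] + "dsa-sha1", NS["ds"] + "sha1"}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
SP_ENTITY_ID = "https://sp.example/saml/metadata"  # placeholder SP entity ID

def make_assertion(aid="_a1", sig_alg=RSA_SHA256, audience=SP_ENTITY_ID, fmt=EMAIL_FMT):
    """Build a constructed sample assertion (not captured traffic)."""
    return (
        f'<saml:Assertion xmlns:saml="{NS["saml"]}" xmlns:ds="{NS["ds"]}" ID="{aid}">'
        f'<ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="{sig_alg}"/>'
        '</ds:SignedInfo></ds:Signature>'
        f'<saml:Subject><saml:NameID Format="{fmt}">alice@example.com</saml:NameID></saml:Subject>'
        f'<saml:Conditions><saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>'
        '</saml:AudienceRestriction></saml:Conditions></saml:Assertion>'
    )

def check_assertion(xml_text, expected_audience, seen_ids):
    """Return policy violations; an empty list means all four checks passed."""
    root = ET.fromstring(xml_text)
    errors = []
    # 1. Reject missing signatures and any SHA-1 based signature or digest.
    algs = [e.get("Algorithm") for tag in ("SignatureMethod", "DigestMethod")
            for e in root.iterfind(f".//ds:{tag}", NS)]
    if not algs:
        errors.append("unsigned")
    if any(a in SHA1_ALGS for a in algs):
        errors.append("sha1")
    # 2. Audience restriction: the assertion must be addressed to this SP.
    audiences = [e.text.strip() for e in root.iterfind(".//saml:Audience", NS) if e.text]
    if expected_audience not in audiences:
        errors.append("audience")
    # 3. Transient NameIDs change per session, so they cannot anchor an account.
    nameid = root.find(".//saml:NameID", NS)
    if nameid is None or nameid.get("Format") == TRANSIENT:
        errors.append("nameid")
    # 4. Replay protection: each assertion ID is accepted at most once.
    aid = root.get("ID")
    if not aid or aid in seen_ids:
        errors.append("replay")
    elif not errors:
        seen_ids.add(aid)  # remember only assertions that were accepted
    return errors
```

In a real deployment the seen-ID cache only needs to hold entries until the assertion's `NotOnOrAfter` time, and these checks run after signature verification, never instead of it.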

## Want the full setup guide?

Step-by-step instructions for Okta, Microsoft Entra ID, Google Workspace, and more. Everything you need to get SSO running.

## Frequently asked questions

### Which identity providers does Oh Dear support?

Any SAML 2.0 identity provider, with guided setup for Okta, Microsoft Entra ID, Google Workspace, OneLogin, JumpCloud, Auth0, and PingFederate. If your IdP speaks SAML 2.0, it works.

### Is SSO an enterprise add-on?

No. SSO is included on every Oh Dear plan, because security shouldn't be the thing you have to upgrade for. Same goes for two-factor authentication and unlimited users.

### Can I require my whole team to log in through SSO?

Yes. You can enforce SSO for everyone on the team, while the owner keeps a password as a break-glass login so you can never lock yourself out. New team members can be provisioned automatically on their first login.

### Does turning on SSO break my API tokens?

No. API tokens authenticate separately from your login, so your integrations and automations keep working exactly as before when you switch SSO on.

[See all other FAQ items →](https://ohdear.app/docs/faq)

