OIDC SSO is available on Professional and above. SAML and SCIM (automated provisioning) are Enterprise-only and on the roadmap.
Set Up a Connection
Create an OAuth app in your IdP
In your identity provider, create an OIDC / OAuth app. Add this Redirect URL (shown at the top of the SSO settings):For Google Workspace, set the consent screen to Internal so it’s scoped to your domain.
Enter the connection details
In Settings → SSO Domains, fill in the Issuer URL, Client ID and Client Secret from your IdP. The provider chips fill the issuer for you:
Click Create Connection, then Enable SSO.
| Provider | Issuer URL |
|---|---|
https://accounts.google.com | |
| Microsoft Entra | https://login.microsoftonline.com/<tenant>/v2.0 |
| Okta | https://<your-org>.okta.com |
Verify your domain
Under Verified Domains, claim your domain and add the TXT record shown (
_proprietas-verify.<domain>) at your DNS host, then click Verify. Only verified domains route their users to SSO.Sign in
Sign out, go to proprietas.app/login and enter a work email on the verified domain — you’ll be sent to your IdP and back into the app.
Optional vs Enforced
- Enabled — verified-domain users are routed to SSO, but a magic-link fallback stays available via
/login?recover=1(your break-glass during rollout). - Enforced — magic-link sign-in is blocked for the domain; SSO becomes the only way in. Flip this on once you’ve confirmed a clean round-trip.