
SSO Integration

Integrate with your organization’s Identity Provider (IdP) to access services via SSO (Single Sign-On) using a federated authentication method.
This guide explains how Organization Administrators can configure an SSO integration using the OIDC (OpenID Connect) protocol.

This feature is available on the Enterprise Plan.

Procedure

The following is a summary of the entire procedure for setting up SSO.

Step 1: Register Organization-Owned Domain

  • Purpose: Prove ownership of the organization’s email domain
  • Key Tasks: Add domain and verify DNS TXT record

Step 2: Configure OIDC Integration

  • Purpose: Configure authentication linkage between the IdP and the service
  • Key Tasks: Create OIDC application and enter information

Step 3: Enable SSO Login

  • Purpose: Activate SSO function and apply policies
  • Key Tasks: Turn on the SSO activation toggle and review policies

SSO Setup

SSO setup consists of two main stages: Registering Organization-Owned Domain and OIDC Integration Setup.
Proceed through each step in order, and finally, activate the SSO login.

Step 1: Register Organization-Owned Domain

This step involves proving ownership of and registering your organization’s email domain.
The domain registered here is used to identify users who will be subject to SSO login.

If this step is skipped, users can only log in directly from the IdP.

  1. Navigate to Organization Settings > SSO.
  2. In the Domain Management (HRD) section, click the Add Domain button.
    In the popup, enter the email domain used by your organization (e.g., your-company.com).
  3. After checking for domain duplication, add the domain. The domain will be added to the list with an initial status of Pending.
  4. Click the “Details” button for the added domain item to find the verification key value to be registered in the DNS TXT record.
    (e.g., aip-domain-verification=...)
  5. Go to your organization’s DNS provider’s settings page and add the TXT record value you confirmed.
  6. After the DNS settings have propagated, return to the SSO settings page and click the “Verify” button for that domain.
    If verification is successful, the status will change to Verified.
    If it fails, it will be marked as Failed, and you must check the error cause on the details page and correct your DNS settings.

Step 2: Configure OIDC Integration

Create IdP (Identity Provider)

First, you must create an OIDC client application in your IdP (e.g., Okta or Azure AD).
The following is the Service Provider Information that needs to be set in the application.

| Item | Value | Description |
| --- | --- | --- |
| Grant Type | authorization_code | Authorization Code grant type. Used for server-based applications. |
| Scopes | openid, email, profile | Required OpenID Connect scopes. |
| Client Authentication Method | client_secret_basic | The client authenticates to the IdP using a Basic authentication header during token exchange. |

When you complete the application creation in your IdP, you will be issued a Client ID and Client Secret.
These values must be entered in the next step.

Enter IdP Configuration Information into the Service

  1. Accurately enter the following information issued from your newly created OIDC application.
  • Issuer URL: The unique identifier URL of the IdP (e.g., https://idp.your-company.com)
  • Client ID: The Client ID of the OIDC application
  • Client Secret: The Client Secret of the OIDC application

Verify Issuer URL
The service must be able to discover the IdP's OIDC configuration from the Issuer URL via the .well-known/openid-configuration endpoint.

  2. After entering all information, click the “Save” button. Once the OIDC integration is successfully configured, a Callback URL and Initial Login URL will be issued.
    These values must be registered in your IdP in the next step.
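
A pre-flight check for the Issuer URL requirement above, as an added example (not code from the service or its documentation): it validates an IdP discovery document against the grant type, scopes and client authentication method listed in the Service Provider Information. The function names and the sample metadata are assumptions constructed for illustration; in practice the document is fetched from the URL that discovery_url returns.

```python
from urllib.parse import urlsplit

# Values the service requires, taken from the Service Provider Information table.
REQUIRED_GRANT = "authorization_code"
REQUIRED_SCOPES = {"openid", "email", "profile"}
REQUIRED_AUTH_METHOD = "client_secret_basic"
ENDPOINT_KEYS = ("authorization_endpoint", "token_endpoint", "jwks_uri")


def discovery_url(issuer):
    """Discovery document location per OIDC Discovery: issuer + well-known path."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def check_discovery(entered_issuer, doc):
    """Return a list of problems; an empty list means the IdP metadata fits."""
    problems = []
    # OIDC Discovery requires an exact match, so a trailing slash counts.
    if doc.get("issuer") != entered_issuer:
        problems.append(f"issuer mismatch: {doc.get('issuer')!r}")
    for key in ENDPOINT_KEYS:
        if urlsplit(str(doc.get(key) or "")).scheme != "https":
            problems.append(f"{key} missing or not https")
    # Optional metadata falls back to the defaults in OIDC Discovery 1.0.
    grants = doc.get("grant_types_supported", ["authorization_code", "implicit"])
    if REQUIRED_GRANT not in grants:
        problems.append("authorization_code grant not supported")
    methods = doc.get("token_endpoint_auth_methods_supported", ["client_secret_basic"])
    if REQUIRED_AUTH_METHOD not in methods:
        problems.append("client_secret_basic not supported")
    # scopes_supported is only RECOMMENDED; check it when the IdP publishes it.
    missing = REQUIRED_SCOPES - set(doc.get("scopes_supported", REQUIRED_SCOPES))
    if missing:
        problems.append("scopes not advertised: " + ", ".join(sorted(missing)))
    return problems


# Constructed sample metadata for the page's example issuer (not real IdP output).
SAMPLE = {
    "issuer": "https://idp.your-company.com",
    "authorization_endpoint": "https://idp.your-company.com/authorize",
    "token_endpoint": "https://idp.your-company.com/token",
    "jwks_uri": "https://idp.your-company.com/keys",
    "scopes_supported": ["openid", "email"],
    "token_endpoint_auth_methods_supported": ["client_secret_post"],
}

if __name__ == "__main__":
    print(discovery_url(SAMPLE["issuer"]), check_discovery(SAMPLE["issuer"], SAMPLE))
```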

Register Service Information in the IdP

Register the following information, issued by the service, in your OIDC application.

| Item | Description |
| --- | --- |
| Callback URL | The URL the IdP will redirect to after authentication is complete |
| Initial Login URL | The URL used to initiate SSO login directly from the IdP |

Step 3: Enable SSO Login

Once all configurations are complete, the final step is to activate the SSO login feature,
allowing users in your organization to log in via SSO.

  1. Turn on the “Enable SSO” toggle at the top of the SSO Settings page to apply the feature.
  2. Once SSO is successfully enabled, email addresses corresponding to Verified domains
    can no longer use social logins (like Google, GitHub, etc.) and must log in exclusively through the organization’s SSO.

Configuration Edit Restriction
You cannot modify the configuration information while SSO is enabled.
To change the settings, you must first disable SSO.


User Login via SSO

After SSO is enabled, organization users can log in via SSO by following the procedure below.

  1. On the login page, click the “Using Single Sign-On” button.
  2. Enter the organization’s email address (using a verified domain) to connect via SSO.
  3. You will be redirected to your organization’s IdP login page. Complete authentication with your IdP account.
  4. Upon successful authentication, you will be immediately directed to the organization.
  • For new users, a default organization will not be created.

Login Exceptions

  • An exception will occur if you enter an email from an unregistered or deactivated domain.
  • If no organization domain is set, you cannot restrict social logins for users who do not belong to the organization.