SSO is an organization-level feature configured by admins under
Settings → Security → SSO, and is available on plans that include SSO
(Enterprise). Domain ownership and the identity-provider connection are managed
per organization.
How it works
- You prove ownership of one or more email domains (for example
acme.com) with a DNS record. - You connect your OIDC identity provider and attach it to those domains.
- When a member signs in with an email on a verified domain, Meteroid routes them to your IdP through the standard OIDC authorization-code flow.
- Optionally, you can require SSO for those domains and auto-provision members on their first sign-in.
Before you begin
- You are an organization admin.
- You can add a DNS TXT record for the domain you want to use.
- You can create an OIDC application in your identity provider.
Step 1 — Verify your domain
Only verified domains route logins, so start here. Go to Settings → Security → Domains.1
Add your domain
Enter your organization’s email domain (for example
acme.com) and click
Add domain.2
Add the DNS TXT record
Meteroid shows a TXT record to publish at your DNS provider:
Some DNS providers append the domain automatically. If yours does, enter
just
_meteroid-challenge as the name.3
Verify
Click Verify domains. DNS can take a few minutes to propagate, so if the
domain is still Pending, wait and re-check (there’s a short cooldown
between checks). Once the record is found, the domain flips to Verified.
Step 2 — Create the OIDC application in your identity provider
In Settings → Security → SSO, copy the Redirect URI shown in-app (it ends in/sso/callback) — you’ll register this exact value in your provider.
Then create an OIDC application and collect its Issuer URL, Client ID,
and Client secret.
- Google Workspace
- Microsoft Entra ID
- Okta
- Auth0
- Other (OIDC)
Create an OAuth 2.0 Client ID (type: Web application) in Google Cloud
Console → APIs & Services → Credentials, and add the Meteroid redirect
URI as an authorized redirect URI.
- Issuer:
https://accounts.google.com
Step 3 — Configure the connection in Meteroid
Back in Settings → Security → SSO, fill in the connection:- Identity provider — pick your provider to prefill the issuer, or choose Other (OIDC).
- Issuer URL, Client ID, Client secret — from the app you just created.
- Email domains — the domains this provider covers, space- or comma-separated. Only domains you verified in Step 1 will route logins.
openid email profile).
Click Create connection. New connections are always created disabled — you
enable them in the next step.
Step 4 — Enable SSO
Once at least one attached domain is Verified, turn on Enable SSO. Members on your verified domains will now see a Continue with SSO option on the login screen.Require SSO (enforcement)
Turn on Require SSO to refuse password and social sign-in for your verified domains — members on those domains must sign in through your identity provider.Auto-provision members
With Auto-provision members enabled (the default), a member account is created and added to your organization on their first successful SSO sign-in — no invite required. When a member signs in through an invite link, they join with the role from the invite instead of the default membership.How members sign in
Login is email-first:- The member enters their email and clicks Continue.
- Meteroid looks up the identity provider for that email’s domain.
- If SSO is required for the domain, they’re sent straight to your IdP. Otherwise the password field appears alongside a Continue with SSO button.
- After authenticating with your IdP, they’re returned to Meteroid and signed in.
Security log
Every SSO and domain action is recorded in the Security log (Settings → Security → Security log), including SSO sign-ins, connection created/updated/removed, the requirement being turned on or off, and domains added, verified, or removed. See Security Management.Managing the connection
- Edit configuration — update the provider, endpoints, domains, or secret. Leave the client secret blank to keep the stored one.
- Remove — deletes the connection. Members fall back to password and social sign-in, and enforcement (if on) is lifted immediately.