Skip to main content
Single Sign-On lets your team sign in to Meteroid with your company credentials instead of a Meteroid password. Meteroid connects to your identity provider (IdP) over OIDC — Okta, Microsoft Entra ID, Google Workspace, Auth0, and any OIDC-compliant provider are supported.
SSO is an organization-level feature configured by admins under Settings → Security → SSO, and is available on plans that include SSO (Enterprise). Domain ownership and the identity-provider connection are managed per organization.

How it works

  • You prove ownership of one or more email domains (for example acme.com) with a DNS record.
  • You connect your OIDC identity provider and attach it to those domains.
  • When a member signs in with an email on a verified domain, Meteroid routes them to your IdP through the standard OIDC authorization-code flow.
  • Optionally, you can require SSO for those domains and auto-provision members on their first sign-in.
Setup has three parts: verify a domain, connect your identity provider, then enable SSO.

Before you begin

  • You are an organization admin.
  • You can add a DNS TXT record for the domain you want to use.
  • You can create an OIDC application in your identity provider.

Step 1 — Verify your domain

Only verified domains route logins, so start here. Go to Settings → Security → Domains.
1

Add your domain

Enter your organization’s email domain (for example acme.com) and click Add domain.
2

Add the DNS TXT record

Meteroid shows a TXT record to publish at your DNS provider:
Some DNS providers append the domain automatically. If yours does, enter just _meteroid-challenge as the name.
3

Verify

Click Verify domains. DNS can take a few minutes to propagate, so if the domain is still Pending, wait and re-check (there’s a short cooldown between checks). Once the record is found, the domain flips to Verified.

Step 2 — Create the OIDC application in your identity provider

In Settings → Security → SSO, copy the Redirect URI shown in-app (it ends in /sso/callback) — you’ll register this exact value in your provider. Then create an OIDC application and collect its Issuer URL, Client ID, and Client secret.
Create an OAuth 2.0 Client ID (type: Web application) in Google Cloud Console → APIs & Services → Credentials, and add the Meteroid redirect URI as an authorized redirect URI.
  • Issuer: https://accounts.google.com

Step 3 — Configure the connection in Meteroid

Back in Settings → Security → SSO, fill in the connection:
  • Identity provider — pick your provider to prefill the issuer, or choose Other (OIDC).
  • Issuer URL, Client ID, Client secret — from the app you just created.
  • Email domains — the domains this provider covers, space- or comma-separated. Only domains you verified in Step 1 will route logins.
Meteroid resolves the authorization, token, and userinfo endpoints automatically from the issuer’s discovery document. If your provider needs them set by hand, expand Advanced to enter the endpoints manually and adjust the requested scopes (default: openid email profile). Click Create connection. New connections are always created disabled — you enable them in the next step.

Step 4 — Enable SSO

Once at least one attached domain is Verified, turn on Enable SSO. Members on your verified domains will now see a Continue with SSO option on the login screen.
Test the sign-in flow with your own account before rolling SSO out to the team, and especially before requiring it.

Require SSO (enforcement)

Turn on Require SSO to refuse password and social sign-in for your verified domains — members on those domains must sign in through your identity provider.
Enforcement disables password and social login for everyone on the verified domains. Confirm SSO works end to end first, or you risk locking your team out.

Auto-provision members

With Auto-provision members enabled (the default), a member account is created and added to your organization on their first successful SSO sign-in — no invite required. When a member signs in through an invite link, they join with the role from the invite instead of the default membership.

How members sign in

Login is email-first:
  1. The member enters their email and clicks Continue.
  2. Meteroid looks up the identity provider for that email’s domain.
  3. If SSO is required for the domain, they’re sent straight to your IdP. Otherwise the password field appears alongside a Continue with SSO button.
  4. After authenticating with your IdP, they’re returned to Meteroid and signed in.

Security log

Every SSO and domain action is recorded in the Security log (Settings → Security → Security log), including SSO sign-ins, connection created/updated/removed, the requirement being turned on or off, and domains added, verified, or removed. See Security Management.

Managing the connection

  • Edit configuration — update the provider, endpoints, domains, or secret. Leave the client secret blank to keep the stored one.
  • Remove — deletes the connection. Members fall back to password and social sign-in, and enforcement (if on) is lifted immediately.