ops0 supports Single Sign-On via OIDC and SAML 2.0. Connect your identity provider to centralize authentication, enforce corporate login policies, and auto-provision users without manual account creation.
| Provider | Protocol | Notes |
|---|---|---|
| Okta | OIDC or SAML | Recommended for OIDC |
| Azure Active Directory | OIDC or SAML | Use OIDC for simpler setup |
| Google Workspace | OIDC | |
| Auth0 | OIDC | |
| OneLogin | SAML | |
| Any SAML 2.0 IdP | SAML | Generic setup |
Go to Settings > SSO > Add Provider and select OIDC.
Fill in the following fields:
| Field | Description |
|---|---|
| Provider Name | Display label shown on the login screen |
| Client ID | OAuth client ID from your IdP |
| Client Secret | OAuth client secret from your IdP |
| Issuer URL | e.g. https://your-okta-domain.okta.com |
ops0 automatically discovers endpoints (authorization, token, userinfo, JWKS) from the issuer URL using OpenID Connect Discovery.
In your identity provider, add the following as an allowed redirect URI:
https://app.ops0.ai/sso/callback
Click Test Connection to verify the integration, then click Save.
Map groups or attributes from your identity provider to ops0 roles. This runs at login time — users receive the mapped role automatically.
| IdP Group / Attribute | ops0 Role |
|---|---|
| engineering-leads | Admin |
| developers | Editor |
| readonly-team | Viewer |
Configure mappings in Settings > SSO > (select provider) > Role Mappings. If a user matches multiple groups, the highest-privilege role wins.
Restrict SSO login to specific email domains so that only users from your organization can authenticate.
Go to Settings > SSO > (select provider) > Domain Restrictions.
Enter one or more domains (e.g. company.com, subsidiary.com).
Users with email addresses outside the allowed domains will be denied login.
When Auto-Provisioning is enabled, users who authenticate via SSO for the first time are automatically created in ops0 with the role determined by role mapping.
When Auto-Provisioning is enabled, users are created on first SSO login with the mapped role. No admin action is required.
When it is disabled, users must be pre-created in Settings > IAM before they can log in via SSO.
Toggle this setting in Settings > SSO > (select provider) > Auto-Provisioning.
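
The login-time rules from the role mapping, domain restriction and auto-provisioning sections above, modeled as an added example (not ops0 code) that can dry-run a directory export before a provider is enabled. The privilege ranking Admin > Editor > Viewer, exact-match domain comparison, and denial when no group maps are assumptions; `login_decision` and the sample users are constructed for illustration.

```python
# Added example, not ops0 code. Assumptions: role ranking, exact-match
# domains, and denial when no group maps are NOT stated on the page.
ROLE_RANK = {"Viewer": 1, "Editor": 2, "Admin": 3}
ROLE_MAPPINGS = {            # mapping table from this page
    "engineering-leads": "Admin",
    "developers": "Editor",
    "readonly-team": "Viewer",
}
ALLOWED_DOMAINS = {"company.com", "subsidiary.com"}


def email_domain(email):
    """Lowercased domain of an address, or None if it is malformed."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain or "@" in local:
        return None
    return domain.lower()


def resolve_role(groups):
    """Highest-privilege role among the user's mapped groups, else None."""
    roles = [ROLE_MAPPINGS[g] for g in groups if g in ROLE_MAPPINGS]
    return max(roles, key=ROLE_RANK.get, default=None)


def login_decision(email, groups, existing_users, auto_provision):
    """Return (allowed, role, reason) for one SSO login attempt."""
    if email_domain(email) not in ALLOWED_DOMAINS:
        return (False, None, "domain not allowed")
    role = resolve_role(groups)
    known = email.strip().lower() in existing_users
    if not known and not auto_provision:
        return (False, None, "not pre-created in IAM")
    if role is None:
        return (False, None, "no mapped group")
    return (True, role, "existing user" if known else "auto-provisioned")


# Constructed sample directory export: (email, IdP groups)
SAMPLE_USERS = [
    ("ana@company.com", ["developers", "engineering-leads"]),
    ("raj@subsidiary.com", ["readonly-team"]),
    ("eve@company.com.example.net", ["engineering-leads"]),
    ("li@company.com", ["marketing"]),
]

if __name__ == "__main__":
    for email, groups in SAMPLE_USERS:
        print(email, login_decision(email, groups, set(), auto_provision=True))
```

Running this over a real group export before saving the mappings shows which accounts would land in Admin, and which look-alike domains a suffix or substring comparison would have let through.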
ops0 supports multiple SSO providers simultaneously. All configured providers appear on the login screen and users can choose which one to authenticate with.
This is useful for organizations with multiple identity providers (e.g. Okta for employees and Auth0 for contractors).
Toggle the provider off in Settings > SSO to disable it. Users will fall back to email/password authentication. Existing sessions remain active until they expire.
If you misconfigure SSO and can no longer log in, contact support@ops0.ai with your organization admin email. The support team can disable SSO and restore email/password access.