Documenso

Configuration

Configure Single Sign-On for your team using any OpenID Connect (OIDC) identity provider.

SSO is only available on the Enterprise plan.

Supported Providers

Documenso supports any identity provider that implements the OpenID Connect (OIDC) protocol. Common providers include:

  • Microsoft Entra ID (formerly Azure AD)
  • Google Workspace
  • Okta
  • Auth0
  • OneLogin
  • JumpCloud

Setting Up SSO

You must be an organisation admin or manager to configure SSO.

Access SSO settings

  1. Navigate to your organisation settings
  2. Select Single Sign-On from the sidebar

Get your redirect URI

At the top of the SSO settings page, you'll find the Redirect URI and Required Scopes. Copy these values - you'll need them when configuring your identity provider.

Configure your identity provider

In your identity provider's admin console, create a new OIDC application with:

  • Redirect URI: The value from the Documenso SSO settings page
  • Scopes: openid, email, profile

After creating the application, note down:

  • Client ID
  • Client Secret
  • OpenID Connect discovery URL (also called "well-known" URL)

Enter SSO configuration

Back in Documenso, enter the following:

  • Issuer URL: Your provider's OpenID Connect discovery endpoint
  • Client ID: The application client ID from your provider
  • Client Secret: The application secret from your provider

Set allowed domains and default role

Configure which email domains can authenticate and what role new users receive (see sections below).

Enable SSO

Toggle Enable SSO portal and click Update to activate SSO for your team.

SSO Configuration Settings

Issuer URL

The OpenID Connect discovery endpoint for your identity provider.

Issuer URL format by provider:

  • Google Workspace: https://accounts.google.com/.well-known/openid-configuration
  • Microsoft Entra ID: https://login.microsoftonline.com/{tenant-id}/v2.0/.well-known/openid-configuration
  • Okta: https://{your-domain}.okta.com/.well-known/openid-configuration
  • Auth0: https://{your-domain}.auth0.com/.well-known/openid-configuration
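
A pre-flight check an admin can run on the discovery document before pasting the Issuer URL into the settings page. This is an added example, not Documenso's own code. The function name check_discovery, the host idp.example.com and both sample documents are constructed for illustration.

```python
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"
REQUIRED_SCOPES = {"openid", "email", "profile"}  # scopes this page asks for
ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")


def check_discovery(discovery_url, document):
    """Return a list of problems; an empty list means nothing was flagged."""
    problems = []
    url = urlsplit(discovery_url)
    if url.scheme != "https":
        problems.append("discovery URL is not https")
    if not url.path.endswith(WELL_KNOWN):
        return problems + ["discovery URL does not end in " + WELL_KNOWN]
    # OIDC Discovery: issuer + WELL_KNOWN must equal the URL the document was
    # served from. Some providers publish the issuer with a trailing slash.
    expected = f"{url.scheme}://{url.netloc}{url.path[:-len(WELL_KNOWN)]}"
    issuer = document.get("issuer", "")
    if issuer.rstrip("/") != expected.rstrip("/"):
        problems.append(f"issuer {issuer!r} does not match discovery URL")
    for name in ENDPOINTS:
        value = document.get(name)
        if not value:
            problems.append(f"missing field: {name}")
        elif urlsplit(value).scheme != "https":
            problems.append(f"{name} is not https")
    # scopes_supported is optional in the spec, so only judge it when present.
    if "scopes_supported" in document:
        missing = REQUIRED_SCOPES - set(document["scopes_supported"])
        if missing:
            problems.append("scopes not advertised: " + ", ".join(sorted(missing)))
    return problems


# Constructed sample data (not real provider output).
URL = "https://idp.example.com/.well-known/openid-configuration"
GOOD = {
    "issuer": "https://idp.example.com/",
    "authorization_endpoint": "https://idp.example.com/authorize",
    "token_endpoint": "https://idp.example.com/oauth/token",
    "jwks_uri": "https://idp.example.com/.well-known/jwks.json",
    "scopes_supported": ["openid", "email", "profile", "offline_access"],
}
BAD = {**GOOD, "issuer": "https://other.example.net",
       "token_endpoint": "http://idp.example.com/oauth/token",
       "scopes_supported": ["openid", "email"]}

if __name__ == "__main__":
    print(check_discovery(URL, GOOD), check_discovery(URL, BAD))
```

To check a real provider, fetch the discovery URL over HTTPS, parse the JSON body and pass it in as `document`.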

Client Credentials

  • Client ID: The unique identifier for your OIDC application
  • Client Secret: The secret key used to authenticate your application

Store your client secret securely. If compromised, regenerate it immediately in your identity provider.

Default Organisation Role

The role assigned to users when they first sign in through SSO. You can change individual roles after they've joined.

Can view and sign documents shared with them.
Can manage documents and organisation settings.
Full access to organisation configuration.

Allowed Email Domains

Restrict which email domains can authenticate through your SSO portal. Enter domains separated by spaces:

example.com subsidiary.example.com

Leave empty to allow any domain authenticated by your identity provider.

Without domain restrictions, anyone who can authenticate with your identity provider can join your team.

User Provisioning

When a user signs in through your SSO portal for the first time:

Verify identity

Documenso verifies their identity with your provider.

A new account is created, or linked if the email already exists.

Add to organisation

The user is added to your organisation with the default role.

Grant access

They can immediately access organisation documents.

Users provisioned through SSO:

  • Cannot change their email address
  • Cannot set a Documenso password (they must use SSO)
  • Lose SSO access if they are removed from your identity provider

Signing In with SSO

Once SSO is enabled, your organisation's SSO portal URL is displayed at the top of the SSO settings page. Share this URL with your members so they can sign in through your identity provider.

SSO-only enforcement is not currently available. Users who have an existing Documenso account with a password can still sign in with their original method in addition to SSO.

Troubleshooting

Testing Your SSO Portal

After configuring SSO, verify it works correctly:

Open portal

Navigate to your portal URL (found at the top of the organisation SSO settings page).

Sign in

Sign in with a test account from your configured domain.

Verify provisioning

Verify the user is provisioned with the correct organisation role.

Custom Subdomain

To reduce friction for your users, create a custom subdomain that redirects to your SSO portal link. For example, documenso.your-organisation.com can redirect to the portal URL shown in your SSO settings.

