What SSO does
Single Sign-On lets your team members log in with your company's identity provider, such as Okta, Microsoft Entra ID (Azure AD), Google Workspace, or Auth0. You set it up on the SSO page. Only owners and admins can open it. The page title reads Single Sign-On (SSO).
The page has three tabs: Email Domains, OIDC, and SAML 2.0. You can use either OIDC or SAML 2.0, not both at once.
Step 1: Add and verify an email domain
Open the Email Domains tab. SSO starts with proving you own your company's email domain. Domain verification is shared between SAML and OIDC, so you only need to verify once.
- Under Add Email Domain, type your domain (for example, example.com) and click Add Domain.
- The domain shows as Pending Verification. Click How to Verify to open the steps.
- Choose one method:
  - DNS TXT Record: add a TXT record to your domain's DNS with the value shown. DNS changes can take up to 48 hours to propagate, so the record may not be visible immediately.
  - File Upload: put a text file containing the verification code at https://yourdomain/.well-known/scribblemaps-verify.txt. The file must be reachable over HTTPS; a plain HTTP URL is not accepted.
- Click Verify Now. When verification succeeds, the page shows "Domain verified successfully!" and the domain reads Verified.
If you cannot verify by DNS or file, email support@scribblemaps.com and the team can verify your domain by hand.
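Before clicking Verify Now it is worth confirming from outside your network that the TXT record or the well-known file is actually visible, since a record that has not propagated yet, a file served only over HTTP, or a stray byte-order mark or trailing newline in the file are the usual reasons verification fails. The following preflight script is an added example, not Scribble Maps code: the token format (`scribblemaps-verify=...`) and the `dig` output are constructed placeholders, and it assumes the value is compared as an exact, whitespace-trimmed string, which the page does not specify.

```python
"""Preflight checks for the two domain verification methods.

Added example, not Scribble Maps code. Assumptions: the verification value
is matched as an exact string after trimming whitespace, and `dig` is on
PATH for the live DNS check. Token values below are constructed.
"""
import subprocess
import sys
import urllib.request

WELL_KNOWN_PATH = "/.well-known/scribblemaps-verify.txt"

# Constructed `dig +short TXT example.com` output: several records, one of
# them split into two quoted chunks the way dig prints long TXT strings.
SAMPLE_DIG_OUTPUT = '''"v=spf1 include:_spf.example.com -all"
"scribblemaps-verify=3f9a1c"
"google-site-verification=" "abcd"
'''


def well_known_url(domain: str) -> str:
    """Build the HTTPS URL the File Upload method expects (HTTP is not accepted)."""
    return f"https://{domain}{WELL_KNOWN_PATH}"


def parse_txt_records(dig_output: str) -> list:
    """Turn `dig +short TXT` output into plain record strings.

    dig quotes each record and prints long records as several quoted chunks
    on one line ("abc" "def"); resolvers join the chunks, so we do the same.
    """
    records = []
    for line in dig_output.splitlines():
        line = line.strip()
        if not line:
            continue
        if '"' in line:
            parts = line.split('"')
            records.append("".join(parts[1::2]))  # keep only the quoted text
        else:
            records.append(line)  # some resolvers print unquoted output
    return records


def txt_has_token(dig_output: str, token: str) -> bool:
    """True if one TXT record is exactly the expected verification value."""
    return token.strip() in parse_txt_records(dig_output)


def file_has_token(body: bytes, token: str) -> bool:
    """Uploaded files often carry a UTF-8 BOM or a trailing newline; strip both."""
    text = body.decode("utf-8-sig", errors="replace").strip()
    return text == token.strip()


def check_dns(domain: str, token: str) -> bool:
    """Live check: query the public DNS view of the domain's TXT records."""
    out = subprocess.run(["dig", "+short", "TXT", domain],
                         capture_output=True, text=True, check=False).stdout
    return txt_has_token(out, token)


def check_file(domain: str, token: str) -> bool:
    """Live check: fetch the well-known file over HTTPS (TLS errors raise here)."""
    with urllib.request.urlopen(well_known_url(domain), timeout=10) as resp:
        return file_has_token(resp.read(), token)


if __name__ == "__main__":
    domain, token = sys.argv[1], sys.argv[2]
    print("DNS TXT :", "ok" if check_dns(domain, token) else "not visible yet")
    try:
        print("File    :", "ok" if check_file(domain, token) else "content mismatch")
    except Exception as exc:  # unreachable host, HTTP-only, bad TLS, 404 ...
        print("File    :", f"unreachable over HTTPS ({exc})")
```

Run it as `python preflight.py example.com <value shown on the SSO page>`; both checks must report ok from a machine outside your network before Verify Now will succeed. Note that `dig +short` asks your local resolver, which may still be caching the old answer; add `@8.8.8.8` or another public resolver to the `dig` command to see the propagated view.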
Step 2 (option A): Configure OIDC
Open the OIDC tab.
- Copy the Redirect URI / Callback URL shown under Callback URLs. You give this to your identity provider when you create the app.
- In Quick Setup, you can paste your provider's discovery URL (the .well-known/openid-configuration URL) and click Import to auto-fill the Authority and provider type.
- Fill in the required fields under Provider Settings:
  - Provider Type
  - Client ID
  - Client Secret
  - Authority / Issuer URL
- Open User Settings to turn on Just-In-Time (JIT) Provisioning, which creates a user account the first time someone logs in with OIDC.
- Open Security Settings to turn on Require Multi-Factor Authentication (MFA) if you want logins to succeed only when the identity provider confirms the user completed MFA.
- Click Save Settings, then Test Connection. You can also use Test SSO Login to try the full login in a new window.
- Turn on the OIDC SSO enabled switch.
When you create the app in your identity provider, choose Web Application as the type (not SPA or Native), because a Client Secret is required. Register the Redirect URI exactly as it is shown under Callback URLs: providers compare redirect URIs as exact strings, so a different scheme, host case, or trailing slash causes the login to be rejected.
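The Quick Setup import reads the provider's discovery document to fill in the Authority. The checker below shows what is worth validating in that document before you save: that the issuer matches the discovery URL (OIDC Discovery requires the issuer to equal the URL with /.well-known/openid-configuration removed), that the endpoints are HTTPS, that the authorization code flow and a client-secret authentication method are supported (the reason the app must be a Web Application), and that RS256 ID tokens are offered. This is an added example, not Scribble Maps or any provider's code; the discovery document, the hostname login.example-idp.com, and the callback URL are constructed placeholders.

```python
"""Validate an OIDC discovery document before pasting values into the OIDC tab.

Added example, not Scribble Maps or any identity provider's code. The
discovery document, hostnames and callback URL below are constructed.
"""
import json
from urllib.parse import urlsplit

DISCOVERY_SUFFIX = "/.well-known/openid-configuration"

# Constructed discovery document in the shape providers publish.
SAMPLE_DISCOVERY_URL = "https://login.example-idp.com/oauth2/default" + DISCOVERY_SUFFIX
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://login.example-idp.com/oauth2/default",
    "authorization_endpoint": "https://login.example-idp.com/oauth2/default/v1/authorize",
    "token_endpoint": "https://login.example-idp.com/oauth2/default/v1/token",
    "jwks_uri": "https://login.example-idp.com/oauth2/default/v1/keys",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
    "id_token_signing_alg_values_supported": ["RS256"],
    "scopes_supported": ["openid", "profile", "email"],
})


def issuer_from_discovery_url(url: str) -> str:
    """OIDC Discovery: issuer == discovery URL minus the well-known suffix."""
    if not url.endswith(DISCOVERY_SUFFIX):
        raise ValueError("not a discovery URL")
    return url[: -len(DISCOVERY_SUFFIX)]


def check_discovery(discovery_url: str, body: str) -> dict:
    """Return {'ok', 'authority', 'problems'} for a discovery document body."""
    doc = json.loads(body)
    problems = []

    expected = issuer_from_discovery_url(discovery_url)
    issuer = doc.get("issuer")
    if issuer != expected:
        # A mismatch means tokens would carry an unexpected iss claim, or the
        # URL you pasted belongs to a different tenant than you think.
        problems.append(f"issuer {issuer!r} does not match {expected!r}")

    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if urlsplit(doc.get(key, "")).scheme != "https":
            problems.append(f"{key} missing or not https")

    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow not supported")

    # Per the spec, an absent list means client_secret_basic only.
    auth_methods = set(doc.get("token_endpoint_auth_methods_supported", ["client_secret_basic"]))
    if not auth_methods & {"client_secret_basic", "client_secret_post"}:
        problems.append("no client-secret auth method: app must be registered as Web Application")

    if "RS256" not in doc.get("id_token_signing_alg_values_supported", []):
        problems.append("RS256 ID token signing not advertised")

    return {"ok": not problems, "authority": issuer, "problems": problems}


def redirect_uri_matches(registered: list, ours: str) -> bool:
    """Providers compare redirect URIs as exact strings: scheme, host case,
    path and trailing slash must all equal what was registered."""
    return ours in registered


if __name__ == "__main__":
    result = check_discovery(SAMPLE_DISCOVERY_URL, SAMPLE_DISCOVERY)
    print("Authority / Issuer URL:", result["authority"])
    print("problems:", result["problems"] or "none")
```

To check a real provider, fetch the discovery URL with `curl` and pass the body to `check_discovery`; any entry in `problems` should be resolved in the identity provider before you click Save Settings, because Test Connection will otherwise fail at the first step it covers.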
Step 2 (option B): Configure SAML 2.0
Open the SAML 2.0 tab.
- Copy the Service Provider (SP) Information to give to your identity provider: the SP Entity ID / Audience URI, the Single Sign-On URL / ACS URL, and the SP Metadata URL.
- In Quick Setup, pick your provider and import its metadata URL to auto-fill the settings.
- Fill in the Identity Provider (IdP) Settings:
  - IdP Entity ID (Issuer)
  - IdP Single Sign-On URL
  - IdP Single Logout URL (optional)
  - IdP X.509 Certificate in PEM format
- Open Advanced Settings to set the Signature Algorithm (SHA-256 is recommended) and the NameID Format.
- Open User Settings to turn on Just-In-Time (JIT) Provisioning.
- Click Save Settings, then Test Connection. Use Test SSO Login to try the full login.
- Turn on the SAML SSO enabled switch.
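When Quick Setup cannot reach your IdP's metadata URL, or you prefer to fill the IdP Settings by hand, every value the tab asks for is in the IdP's metadata XML: the entityID attribute, the SingleSignOnService and SingleLogoutService locations, and the signing certificate, which metadata carries as bare base64 and the tab wants as PEM. The parser below is an added example, not Scribble Maps or any IdP's code; the metadata document and idp.example.com are constructed, and the certificate body is a base64 placeholder rather than a real certificate.

```python
"""Pull the IdP Settings values out of SAML 2.0 IdP metadata.

Added example, not Scribble Maps or any identity provider's code. The
metadata below is constructed; the certificate is a placeholder, not real.
"""
import base64
import textwrap
import xml.etree.ElementTree as ET  # swap in defusedxml for metadata you do not trust

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed placeholder so the base64 handling below is exercised.
PLACEHOLDER_CERT_B64 = base64.b64encode(b"placeholder bytes, not a real X.509 certificate").decode()

SAMPLE_METADATA = f"""
<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.com/saml/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {PLACEHOLDER_CERT_B64[:20]}
        {PLACEHOLDER_CERT_B64[20:]}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleLogoutService Binding="{REDIRECT}" Location="https://idp.example.com/saml/slo"/>
    <md:SingleSignOnService Binding="{REDIRECT}" Location="https://idp.example.com/saml/sso"/>
    <md:SingleSignOnService Binding="{POST}" Location="https://idp.example.com/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def to_pem(b64: str) -> str:
    """Metadata splits the base64 across indented lines; PEM wants 64-char lines
    between BEGIN/END markers. Reject anything that is not valid base64."""
    raw = "".join(b64.split())
    base64.b64decode(raw, validate=True)  # raises binascii.Error on garbage
    body = "\n".join(textwrap.wrap(raw, 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def parse_idp_metadata(xml_text: str) -> dict:
    """Return entity_id, sso_url, slo_url, nameid_formats, signing_certs_pem."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this looks like SP metadata, not IdP metadata")

    def location(tag: str) -> str:
        # Prefer HTTP-Redirect for the browser-driven requests, fall back to POST.
        services = {svc.get("Binding"): svc.get("Location") for svc in idp.findall(tag, NS)}
        return services.get(REDIRECT) or services.get(POST)

    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without `use` is valid for both signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        b64 = kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
        if b64:
            certs.append(to_pem(b64))
    if not certs:
        raise ValueError("no signing certificate in metadata")

    return {
        "entity_id": root.get("entityID"),
        "sso_url": location("md:SingleSignOnService"),
        "slo_url": location("md:SingleLogoutService"),
        "nameid_formats": [e.text.strip() for e in idp.findall("md:NameIDFormat", NS) if e.text],
        "signing_certs_pem": certs,
    }


if __name__ == "__main__":
    info = parse_idp_metadata(SAMPLE_METADATA)
    for key, value in info.items():
        print(f"{key}: {value if key != 'signing_certs_pem' else len(value)} cert(s)")
```

Paste `entity_id` into IdP Entity ID (Issuer), `sso_url` into IdP Single Sign-On URL, `slo_url` into the optional IdP Single Logout URL, and the PEM text into IdP X.509 Certificate. When the metadata lists more than one signing certificate the IdP is mid-rotation; configure the one it is currently signing with, and note the `nameid_formats` list when choosing the NameID Format under Advanced Settings so that you pick one the IdP actually supports.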
Only one protocol at a time
You can only have OIDC or SAML enabled, not both. If you turn one on while the other is already enabled, the page asks if you want to disable the other first. For example, enabling OIDC while SAML is on shows "SAML is currently enabled. Would you like to disable it?" with Disable SAML and Keep Both options.
See your SSO users
Lower on the page, the SSO Provisioned Users card lists people created through SSO. Click Show to open the list and Hide to close it. The table shows each user's Email, Name, Created date, and Last Login. Until anyone signs in this way, it reads "No users have been provisioned via SSO yet."