Single Sign-On (SSO)
Capawesome Cloud supports Single Sign-On (SSO), allowing organizations to enforce centralized authentication through their Identity Provider (IdP). With SSO enabled, members of your organization authenticate using your corporate identity management system, providing enhanced security and streamlined access management.
Supported Plans
SSO is only available for organizations on the Enterprise plans with the SSO add-on.
How SSO Works
SSO relies on a trust relationship between Capawesome Cloud (the Service Provider, or SP) and your organization's Identity Provider (IdP). When SSO is enabled for your organization, members must authenticate through your IdP to access organization resources:
- A user attempts to access organization resources in Capawesome Cloud.
- The user is redirected to your Identity Provider's login page.
- After successful authentication with the IdP, the user is redirected back to Capawesome Cloud.
- Capawesome Cloud verifies the authentication response and grants access to the organization.
Users are identified by their email address. Make sure that the email address associated with your Identity Provider account matches the email address on your Capawesome Cloud account.
Supported Protocols
Capawesome Cloud supports SAML 2.0 for Single Sign-On. This means you can integrate with any SAML-compliant Identity Provider, including Azure AD (Microsoft Entra ID), Okta, OneLogin, Google Workspace, PingIdentity, and many others.
Configuration Guides
We provide step-by-step configuration guides for the following Identity Providers:
| Identity Provider | Documentation |
|---|---|
| Azure AD (Microsoft Entra ID) | Configuration Guide |
If your Identity Provider is not listed above, you can still configure SAML SSO by following the general SAML 2.0 setup process. The required configuration values (Entity ID, Assertion Consumer Service URL, and Sign on URL) are available in your organization's SSO settings.
Configuring SSO
To configure SSO for your organization:
- Navigate to your organization settings in the Capawesome Cloud Console.
- Scroll to the Single Sign-On (SSO) section.
- Follow the configuration guide for your Identity Provider.
Only organization owners and admins can configure SSO settings.
Domain Verification
After configuring SSO, you must verify ownership of your email domain before members can sign in via SSO. This prevents unauthorized SSO provider registration and ensures only domain owners can enable SSO for their domain.
- After submitting the SSO configuration, click Verify domain in the success notification or in the SSO settings section.
- Add the displayed TXT record to your domain's DNS configuration. Most DNS providers auto-append your domain to the host field.
- Wait for DNS propagation (this can take up to 48 hours, but is typically much faster).
- Click Verify to confirm domain ownership.
Info
SSO sign-in is blocked until domain verification is complete. Members can still sign in with their email and password during this time.
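The host-field caveat in the second step is a common reason verification fails: pasting a full record name into a provider that appends the zone publishes the record under a doubled suffix. The following is an added example, not part of the Capawesome Cloud documentation; the record name `_verify.example.com`, the zone `example.com` and the function names are constructed placeholders, so substitute the values shown in your SSO settings.

```shell
#!/bin/sh
# Added example. All names and values are constructed placeholders.

# Lowercase a DNS name and strip one trailing dot so names compare reliably.
normalize() {
  printf '%s' "${1%.}" | tr '[:upper:]' '[:lower:]'
}

# What to type into a provider's "host" field when the provider appends the
# zone automatically: the name relative to the zone ("@" for the zone apex).
# $1 = record name as displayed, $2 = your DNS zone
host_field_for() (
  name=$(normalize "$1"); zone=$(normalize "$2")
  case "$name" in
    "$zone")   printf '@\n' ;;
    *".$zone") printf '%s\n' "${name%."$zone"}" ;;
    *)         printf '%s\n' "$name" ;;   # already relative to the zone
  esac
)

# The name a record ends up at when the provider appends the zone to whatever
# was typed. A pasted full name yields a doubled suffix.
# $1 = host field as typed, $2 = your DNS zone
published_name() (
  host=$(normalize "$1"); zone=$(normalize "$2")
  if [ "$host" = "@" ] || [ -z "$host" ]; then
    printf '%s\n' "$zone"
  else
    printf '%s.%s\n' "$host" "$zone"
  fi
)

# Ask the default resolver whether the expected TXT value is visible yet.
# Needs dig and network access. Long TXT values come back as several quoted
# chunks, which are rejoined before the exact-match comparison.
# $1 = fully qualified record name, $2 = expected TXT value
txt_present() {
  dig +short TXT "$1" | sed 's/" "//g; s/"//g' | grep -Fxq -- "$2"
}
```

Run `txt_present` against the intended name before clicking Verify; if it fails there but succeeds against the name `published_name` reports for what you typed, the record was created under the doubled suffix and should be re-entered with the relative host.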
User Provisioning
Once SSO is configured and your domain is verified, new users are provisioned automatically — no invitation required. When a user signs in through your Identity Provider with an email address matching your organization's verified SSO domain, Capawesome Cloud will:
- Create a new user account if one does not already exist.
- Add the user to your organization with the `member` role.
Organization owners and admins can adjust the user's role afterwards if needed.
Existing users
If a user already has a Capawesome Cloud account with an email that does not match your organization's verified SSO domain, they can enable SSO by updating their email address in their account settings to one matching the domain. The new email must be verified before SSO sign-in becomes available.
Requirements
Before configuring SSO, ensure you have:
- An active Capawesome Cloud organization with an appropriate subscription plan.
- Administrator access to your Identity Provider (e.g., Azure AD).
- The ability to create and configure enterprise applications in your IdP.
- Access to your domain's DNS settings for domain verification.