Set up Single Sign-On (SSO)

To make logging into awork even easier and more secure, awork supports the OpenID Connect standard used by many identity providers.

Written by Tobias Hagenau
Updated over 3 weeks ago

Single Sign-On (SSO) lets teammates log in using an existing account with a supported Identity Provider, so they don’t need to create an awork password.

SSO is only available in the awork Enterprise plan.

Important: awork does not support SAML 2.0. awork uses the OpenID Connect standard based on OAuth 2.0.


Key benefits and use cases

SSO keeps logins simple and consistent:

  • Let teammates use existing Identity Provider accounts instead of setting a new awork password

  • Use modern OpenID Connect login based on OAuth 2.0

  • Optionally disable other login methods once SSO is configured


How to set up Single Sign-On (SSO)

Choose a supported identity provider

Supported identity providers include:

If you can’t find your identity provider in this list, please contact us directly and we will check if we can provide a connection.

Set up SSO in awork

  1. Navigate to Settings > Integrations

  2. Open the Integration library and select your provider

  3. Fill in the fields shown for your provider, then click Save

Note: Subdomain does not mean your awork workspace URL. It means the provider’s subdomain.

Enable the required redirect URLs

Enable these redirect URLs with your identity provider:

https://app.awork.com/enterprise-login
https://app.awork.com/api/v1/accounts/authorize-slack
https://app.awork.com/api/v1/accounts/external/{name of login provider}
https://app.awork.com/api/v1/accounts/msteams/authorize
https://app.awork.com/api/v1/accounts/authorize
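
Identity providers compare redirect URIs as exact strings, so a trailing slash or an http scheme counts as a different URI. The following added example (not awork's own code) audits the URIs registered on an IdP app against the list above; the pasted sample is constructed, and the provider names are the ones used in the sections of this page.

```python
import re
from urllib.parse import urlsplit

# Redirect URLs from this page; {provider} stands for the page's
# "{name of login provider}" segment (okta, auth0, onelogin, azure).
REQUIRED_TEMPLATES = (
    "https://app.awork.com/enterprise-login",
    "https://app.awork.com/api/v1/accounts/authorize-slack",
    "https://app.awork.com/api/v1/accounts/external/{provider}",
    "https://app.awork.com/api/v1/accounts/msteams/authorize",
    "https://app.awork.com/api/v1/accounts/authorize",
)

def split_pasted(text):
    """Split a pasted field that separates URIs by commas or whitespace."""
    return [u for u in re.split(r"[,\s]+", text) if u]

def audit_redirect_uris(registered, provider):
    """Compare registered redirect URIs with the required set, as exact strings."""
    required = {t.format(provider=provider) for t in REQUIRED_TEMPLATES}
    registered = set(registered)
    report = {"missing": sorted(required - registered), "unexpected": [], "risky": []}
    for uri in sorted(registered - required):
        parts = urlsplit(uri)
        # Anything that is not https, not on app.awork.com, or uses a wildcard
        # widens where the IdP will send login responses.
        if parts.scheme != "https" or parts.hostname != "app.awork.com" or "*" in uri:
            report["risky"].append(uri)
        else:
            report["unexpected"].append(uri)  # often a typo or trailing slash
    return report

# Constructed sample: what an admin might have pasted into the IdP app.
SAMPLE = """https://app.awork.com/enterprise-login,
https://app.awork.com/api/v1/accounts/authorize-slack,
https://app.awork.com/api/v1/accounts/external/okta/,
https://app.awork.com/api/v1/accounts/msteams/authorize,
http://app.awork.com/api/v1/accounts/authorize,
https://*.awork.com/enterprise-login"""

if __name__ == "__main__":
    for kind, uris in audit_redirect_uris(split_pasted(SAMPLE), "okta").items():
        print(kind, uris)
```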

Service-specific redirect URLs:


Set up Okta SSO

  1. Open the Okta configuration at YOUR-SUBDOMAIN.okta.com/admin

  2. Go to the Applications section

  3. Add a new application and name it (for example) awork

  4. From the application details, copy the Client-ID, Client-Secret, and Subdomain into awork, then click Save

Important: Login redirect URIs must be set correctly, or Okta can’t redirect users properly. The Implicit (Hybrid) flow (including the ID Token grant type) must be enabled. User consent is not needed because awork only accesses the user’s name and email at login.

In the Okta app’s Login section, set:

  1. Initiate login URL:

    AWORK_SUBDOMAIN.awork.com/login
  2. Login redirect URIs:

    https://app.awork.com/enterprise-login
    https://app.awork.com/api/v1/accounts/authorize-slack
    https://app.awork.com/api/v1/accounts/external/okta
    https://app.awork.com/api/v1/accounts/msteams/authorize
    https://app.awork.com/api/v1/accounts/authorize

Set up Auth0 SSO

  1. Open the Auth0 configuration

  2. Go to Applications

  3. Add a new application with type Regular Web Applications and name it (for example) awork

  4. Copy the Client-ID, Client-Secret, and Subdomain into awork, then click Save

  5. In the section Application URIs, set these URLs:

    1. Application login URL:

      AWORK_SUBDOMAIN.awork.com/login
    2. Allowed callback URIs:

      https://app.awork.com/enterprise-login,https://app.awork.com/api/v1/accounts/authorize-slack,https://app.awork.com/api/v1/accounts/external/auth0,https://app.awork.com/api/v1/accounts/msteams/authorize,https://app.awork.com/api/v1/accounts/authorize
    3. Allowed web origins:

      AWORK_SUBDOMAIN.awork.com
      app.awork.com

Hint: All other settings are already set correctly by default.


Set up OneLogin SSO

  1. Open the OneLogin configuration under SUBDOMAIN.onelogin.com

  2. Go to the Applications section

  3. Click Add App in the upper right corner and name it (for example) awork

  4. Select OpenID Connect (OIDC) as type and name it (for example) and save

  5. In the app’s SSO section, copy the client ID and client secret. Copy the subdomain from your OneLogin URL ({subdomain}.onelogin.com). Enter these values in awork and click Save

  6. In the app’s Configuration section, enable these URIs:

    1. Login URL:

      AWORK_SUBDOMAIN.awork.com/login
    2. Redirect URIs:

      https://app.awork.com/enterprise-login
      https://app.awork.com/api/v1/accounts/authorize-slack
      https://app.awork.com/api/v1/accounts/external/onelogin
      https://app.awork.com/api/v1/accounts/msteams/authorize
      https://app.awork.com/api/v1/accounts/authorize

Set up Microsoft Entra ID (formerly Azure AD) SSO

  1. Open the Entra ID configuration in your Azure portal

  2. Under Manage, click App Registrations

  3. Click New registration and name it (for example) awork SSO

  4. Set Supported account types to Accounts in this organizational directory only (your domain only - Single tenant) and add this redirect URL for the Web platform: https://app.awork.com/enterprise-login. Then click Register

  5. In the Overview section, you'll find the Application (client) ID (= awork Client Id) and the Directory (tenant) ID (= awork subdomain)

  6. In Certificates and Secrets, create a new client secret and enter it into awork as the Client Secret.

Important: Copy the Value (not the Secret ID).

For secret rotation, you need to delete the SSO integration in awork and re-add it with the new secret.

  7. In Authentication, add these redirection URIs for a web platform:

https://app.awork.com/enterprise-login
https://app.awork.com/api/v1/accounts/authorize-slack
https://app.awork.com/api/v1/accounts/external/azure
https://app.awork.com/api/v1/accounts/msteams/authorize
https://app.awork.com/api/v1/accounts/authorize

For Implicit grant and hybrid flows, select ID tokens. For supported account types, choose Accounts in this organizational directory only (your domain only - Single tenant).

This login flow uses the preferred_username claim of the Entra user by default. If you want to use the upn claim instead, add it as an optional claim in Token configuration:

  • Token type: ID

  • Claim: upn

Then click Add.

Important: The upn optional token claim is only supported for tenant-based app registrations and not for personal Microsoft accounts. Make sure this is correctly configured in the Authentication section.


Set up GSuite SSO

  1. Go to https://console.cloud.google.com/apis/credentials and select the project you want to use for SSO

  2. Click Create Credentials and select OAuth Client ID

  3. Select Web Application as the type

  4. Set a name (for example) awork

  5. Add these Redirect URIs:

    https://app.awork.com/enterprise-login
    https://app.awork.com/api/v1/accounts/authorize-slack
    https://app.awork.com/api/v1/accounts/external/azure
    https://app.awork.com/api/v1/accounts/msteams/authorize
    https://app.awork.com/api/v1/accounts/authorize
  6. Click Create

  7. Copy the client ID and client key (client secret) and enter them in awork

More information about SSO with GSuite can be found here.


Set up Keycloak SSO

Please contact our support if you want to set up Keycloak SSO. This option is not available via the web interface yet (coming soon).

To set up Keycloak SSO via OpenID Connect:

  1. Log in to your Keycloak Admin Console

  2. Go to Clients

    1. Download this client configuration file: Keycloak awork Client Configuration

    2. Drag the file into the Resource file field to pre-fill all required settings

    3. Save the new client

  3. In the Client Details, go to the Credentials tab and copy the Client secret

  4. Go to Realm Settings and find the .well-known/openid-configuration URL at the bottom of the General settings (called OpenID Endpoint Configuration)

  5. With the Client Id, Client secret, and the .well-known/openid-configuration URL, contact our support so we can configure the integration

Important: The .well-known/openid-configuration URL needs to be available continuously to prevent errors while trying to log in via SSO.


Set up a custom SSO provider (OpenID Connect)

awork supports connecting to custom SSO providers that follow the OpenID Connect standard flow.

Provide the full OpenID Configuration URL (for example https://custom-domain.com/.well-known/openid-configuration) plus the Client ID and Client Secret.
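
Before handing over a configuration URL for Keycloak or a custom provider, it is worth checking the document it serves. The following added example (not awork's own code) applies the OpenID Connect Discovery 1.0 rules to a parsed discovery document; the host sso.example.test and both sample documents are constructed, and the data is embedded so the check runs offline.

```python
from urllib.parse import urlsplit

SUFFIX = "/.well-known/openid-configuration"
# Required by OpenID Connect Discovery 1.0 (token_endpoint is required
# unless the provider is used with the implicit flow only).
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri",
            "response_types_supported", "subject_types_supported",
            "id_token_signing_alg_values_supported")

def check_discovery(config_url, doc):
    """Return a list of problems found in a parsed discovery document."""
    problems = [f"missing: {k}" for k in REQUIRED if not doc.get(k)]
    issuer = str(doc.get("issuer", ""))
    if not config_url.endswith(SUFFIX):
        problems.append("config URL is not the full .well-known URL")
    elif issuer.rstrip("/") != config_url[: -len(SUFFIX)]:
        # The document must describe the issuer it was fetched from.
        problems.append("issuer does not match config URL")
    for key in ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri"):
        value = doc.get(key)
        if value and urlsplit(value).scheme != "https":
            problems.append(f"not https: {key}")
    if "none" in doc.get("id_token_signing_alg_values_supported", []):
        problems.append("alg none advertised for ID tokens (review)")
    if "openid" not in doc.get("scopes_supported", ["openid"]):
        problems.append("openid scope not advertised")
    return problems

# Constructed sample documents for a hypothetical realm named "demo".
BASE = "https://sso.example.test/realms/demo"
GOOD_URL = BASE + SUFFIX
GOOD = {
    "issuer": BASE,
    "authorization_endpoint": BASE + "/protocol/openid-connect/auth",
    "token_endpoint": BASE + "/protocol/openid-connect/token",
    "jwks_uri": BASE + "/protocol/openid-connect/certs",
    "response_types_supported": ["code", "id_token"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
    "scopes_supported": ["openid", "email", "profile"],
}
BAD = dict(GOOD, issuer="https://other.example.test/realms/demo", jwks_uri="",
           token_endpoint="http://sso.example.test/token",
           id_token_signing_alg_values_supported=["RS256", "none"])

if __name__ == "__main__":
    print(check_discovery(GOOD_URL, GOOD))
    print(check_discovery(GOOD_URL, BAD))
```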


Log in via SSO from app.awork.com

  1. Select Sign in via SSO

  2. Enter your workspace subdomain

You’re redirected to the SSO login screen (or directly to your awork dashboard if you’re already signed in).


Best practices and considerations

What happens after setup

If the configuration was successful, SSO sign-in becomes available in the login area.

Important: Rights, users, or groups are currently not controlled via the identity provider. SSO only enables login for existing awork user accounts. The user must already exist in awork, and matching is done via the user’s email address.

Disable other login options

If SSO is configured, you can disable and hide other login options (email & password and social login via Google & Apple).

  1. Navigate to Settings > General

  2. Disable the other login options

This is only advisable if no external users (who are not managed via Identity Management) are working in the workspace.
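
A pre-check for this step, as an added example (not awork's own code): because SSO only works for existing awork users matched by email, it lists the accounts that would lose access once the other login options are disabled. The two user exports and their field names are constructed assumptions; the claim names are the ones from the Entra ID section.

```python
def sso_lockout_report(awork_emails, idp_users, claim="preferred_username"):
    """Group awork accounts by whether an IdP identity carries the same email.

    claim is the ID-token claim compared against the awork email address:
    preferred_username (the default named on this page) or upn.
    """
    exact = {u[claim] for u in idp_users if u.get(claim)}
    folded = {v.casefold() for v in exact}
    report = {"match": [], "case_differs": [], "no_idp_identity": []}
    for email in awork_emails:
        if email in exact:
            report["match"].append(email)
        elif email.casefold() in folded:
            # Whether awork compares case-insensitively is not stated on the
            # page, so these are listed for manual verification.
            report["case_differs"].append(email)
        else:
            report["no_idp_identity"].append(email)
    return report

# Constructed sample exports (field names are assumptions).
AWORK_EMAILS = ["ada@corp.example", "Bob@corp.example",
                "cara@corp.example", "freelancer@agency.example"]
IDP_USERS = [
    {"preferred_username": "ada@corp.example", "upn": "ada@corp.example"},
    {"preferred_username": "bob@corp.example", "upn": "bob@corp.example"},
    # Sign-in alias differs from the UPN for this user.
    {"preferred_username": "cara@corp.example",
     "upn": "c.smith@corp.onmicrosoft.example"},
]

if __name__ == "__main__":
    for claim in ("preferred_username", "upn"):
        print(claim, sso_lockout_report(AWORK_EMAILS, IDP_USERS, claim))
```

Accounts under no_idp_identity are the external users the paragraph above refers to, or users whose chosen claim does not carry their awork email address.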

Note: If you remove the SSO settings in awork, login with email and password is automatically enabled again, so you can always log in with your admin account.

Global vs. workspace login pages

If you disabled login via email & password and/or social login (Google & Apple), those options may still appear on the global login page app.awork.com. However, they are hidden on your workspace-specific page: YOUR-WORKSPACE-SUBDOMAIN.awork.com.

Login will not be possible from the global page either. Use YOUR-WORKSPACE-SUBDOMAIN.awork.com to log in via SSO.

If SSO is configured, you’ll see Sign in via SSO and will be redirected to the SSO login screen (or directly to your awork dashboard if already signed in).


FAQs

Is SSO available in all awork plans?

No. SSO is only available in the awork Enterprise plan.

Does awork support SAML 2.0 for SSO?

No. awork uses the OpenID Connect standard based on OAuth 2.0.

Can my identity provider manage rights, users, or groups in awork?

No. Rights, users, and groups are currently not controlled via the identity provider. SSO only enables login for existing awork user accounts matched by email address.

What happens if I remove SSO settings after disabling other login options?

Email and password login will be automatically enabled again, so you can always log in with your admin account.

Can I set up Keycloak SSO in the awork web interface?

Not yet. Please contact support to set up Keycloak SSO, as it is not available via the web interface yet (coming soon).
