> ## Documentation Index
> Fetch the complete documentation index at: https://docs.superglue.cloud/llms.txt
> Use this file to discover all available pages before exploring further.

# Single Sign-On (SSO)

> Let your team sign in to superglue with Okta via OpenID Connect

<Info>
  **Enterprise Feature** - SSO is available on superglue Enterprise plans. [Contact
  us](https://cal.com/superglue/superglue-demo) to learn more.
</Info>

superglue supports Single Sign-On through Okta OpenID Connect (OIDC).

When SSO is enabled:

* An **Okta** provider button appears on the login page.
* Users are **provisioned just-in-time** — their superglue account is created on first login, with
  no manual invitation step.
* Organization membership and roles are managed in superglue after the account exists.

***

# Okta

## Configuration

### 1. Create the Okta application

In the Okta admin console, create an **OIDC - Web Application**:

* **Sign-in redirect URI**: `https://<your-superglue-domain>/api/auth/oauth2/callback/okta`
* **Grant type**: Authorization Code (PKCE is used automatically)

Note the **Client ID** and **Client Secret**.

### 2. Set environment variables

| Variable             | Required | Description                                                                            |
| -------------------- | -------- | -------------------------------------------------------------------------------------- |
| `AUTH_PROVIDERS`     | Yes      | Include `okta` in the comma-separated provider list.                                   |
| `OKTA_CLIENT_ID`     | Yes      | OIDC application client ID.                                                            |
| `OKTA_CLIENT_SECRET` | Yes      | OIDC application client secret.                                                        |
| `OKTA_ISSUER`        | Yes      | Your Okta org URL, e.g. `https://your-domain.okta.com` (the Org Authorization Server). |

# Shared behavior

The following applies to Okta SSO deployments.

## Make SSO the only login method

To require everyone to sign in through SSO, enable only the SSO provider and disable email/password:

```bash theme={null}
AUTH_PROVIDERS=okta
OKTA_CLIENT_ID=...
OKTA_CLIENT_SECRET=...
OKTA_ISSUER=https://your-domain.okta.com
```

Only providers listed in `AUTH_PROVIDERS` appear on the login page.

## Provisioning details

* **Provider-driven login.** The login page shows exactly the providers enabled in deployment
  config.
* **Existing users are unaffected.** Email, Google, and GitHub accounts continue to work when their
  providers remain enabled. Enabling Okta only adds a login option.

## Deprovisioning

When a user is deactivated in your identity provider, it stops issuing tokens for them, so they can
no longer sign in to superglue. Their existing superglue account and any active sessions are not
automatically revoked — remove the user from **Control Panel → Organization** if you need to
terminate access immediately.
