Single sign-on (SSO) allows your team members to access the Privy dashboard using your organization’s identity provider. With SSO enabled, team members can authenticate using their existing corporate credentials, eliminating the need to manage separate login credentials for Privy.

How SSO works

When SSO is configured for your account, team members with email addresses from your verified domain are automatically redirected to your organization’s identity provider when logging into the Privy dashboard. After successful authentication, they are redirected back to the dashboard with full access based on their assigned role. SSO authentication integrates seamlessly with Privy’s role-based access control. Learn more about team roles.

Supported identity providers

Privy supports all major identity providers, including:
  • Okta
  • Microsoft Entra ID (formerly Azure AD)
  • Google Workspace
  • OneLogin
  • JumpCloud
  • Rippling
  • And any SAML 2.0 compatible identity provider

Prerequisites

Before setting up SSO, ensure:
  • Your account has Admin access to the Privy dashboard
  • Your organization has an active identity provider
  • Your organization’s IT team can configure SAML applications
  • Your team members use email addresses from a domain you control

Setting up SSO

Domain verification

Domain verification ensures that only authorized members of your organization can use SSO to access your Privy account.
  1. Navigate to the Team page in your dashboard
  2. Click on the Authentication tab
  3. In the Single-Sign-On (SSO) section, enter the domain you want to verify (e.g., yourcompany.com)
  4. Add the provided TXT record to your domain’s DNS configuration
  5. Wait for DNS propagation (typically 15 minutes to one hour)
You can verify multiple domains for your account. All verified domains will use the same SSO configuration and identity provider.

Identity provider configuration

After verifying your domain, configure your identity provider to communicate with Privy:
  1. On the Authentication tab, click Configure identity provider
  2. Click Open setup portal to access the configuration interface
  3. In the portal, select your identity provider from the list
  4. Follow the provider-specific instructions to create a new SAML application
  5. Copy the ACS URL and Entity ID from the portal into your identity provider’s configuration
  6. Download the metadata file or copy the SSO URL and certificate from your identity provider
  7. Upload or paste these values in the configuration portal
  8. Test the connection to ensure it’s working correctly
The configuration portal provides step-by-step instructions tailored to your specific identity provider. Follow these carefully to ensure proper configuration.

Using SSO

Once SSO is configured and active, team members can sign in using SSO:

For team members

  1. Go to the Privy dashboard login page
  2. Enter your work email address
  3. You will be automatically redirected to your organization’s identity provider
  4. Authenticate using your corporate credentials
  5. You will be redirected back to the Privy dashboard

For admins

As an Admin, you can still access the dashboard using your original login method if needed. This ensures you can always access your account even if there are issues with the SSO configuration.

Managing SSO

Adding additional domains

You can add multiple domains to your SSO configuration:
  1. Go to the Authentication tab on the Team page
  2. Enter the new domain and press Add
  3. Follow the domain verification process described above
All verified domains will use the same identity provider configuration.

Removing domains

To remove a domain from your SSO configuration:
  1. Navigate to the Authentication tab
  2. Find the domain you want to remove
  3. Click “Delete” in the domain’s dropdown menu
  4. Confirm the removal
Removing your last verified domain will disable SSO for your account. Team members will need to use their original login method to access the dashboard.

Updating identity provider settings

To update your identity provider configuration:
  1. Navigate to the Team page
  2. Click on the Authentication tab
  3. In the SSO configuration section, click Manage configuration
  4. Make your changes in the configuration portal
  5. Test the connection to verify the changes

Security considerations

Automatic account provisioning

By default, automatic account provisioning is disabled. This means only team members who have been explicitly invited can log in via SSO. To enable automatic provisioning:
  1. Navigate to the Team page
  2. Click on the Authentication tab
  3. In the Single-Sign-On (SSO) section, toggle on “Enable automatic account provisioning”
When enabled, users who sign in via SSO for the first time will automatically have their team member account created. New SSO users are assigned the Viewer role by default. An Admin must manually update their role if they need elevated permissions.

Session management

SSO sessions in the Privy dashboard are independent of your identity provider’s sessions. Logging out of your identity provider does not automatically log you out of the Privy dashboard.

Troubleshooting

Domain verification fails

If domain verification is not working:
  • Verify the TXT record was added correctly to your DNS configuration
  • Wait longer for DNS propagation (can take up to 24 hours in some cases)
  • Check for typos in the verification token
  • Ensure the TXT record is added to the root domain, not a subdomain

Users cannot sign in via SSO

If team members are having trouble signing in:
  • Verify the domain is properly verified in the Privy dashboard
  • Ensure the identity provider connection is marked as active
  • Check that the user’s email domain matches a verified domain
  • Test the connection in the configuration portal
  • Verify the user exists in your identity provider
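The domain verification steps above and the two troubleshooting lists here (TXT record placement and token typos, and the email-domain match under "Users cannot sign in") all come down to a few exact-match checks that can be rehearsed offline. The script below is an added example, not Privy's code: `check_domain_verification` reports whether the verification token is present on the root domain and, if not, whether it was altered in copying or landed on a `www.` subdomain; `email_matches_verified_domain` applies a strict, case-insensitive domain match. The zone data, the token value and the `www.` heuristic are constructed placeholders; the real record and token are whatever the dashboard shows you, and `sample_resolver` stands in for a DNS TXT query when running this against live DNS. Treating a subdomain as a separate domain that needs its own verification is this example's conservative assumption, not a statement from the page.

```python
"""Offline checks for the common SSO setup mistakes: a verification TXT record
on the wrong name or with a mangled token, and a team member whose email
domain does not exactly match a verified domain. Added example, not Privy's
code; all DNS data and the token are constructed."""

# Placeholder token. The real value comes from the dashboard's SSO section.
EXPECTED_TOKEN = "EXAMPLE-VERIFICATION-TOKEN-123"

# Constructed sample zone data: DNS name -> TXT record strings.
SAMPLE_ZONE = {
    "yourcompany.com": ["v=spf1 -all"],                         # root carries no token ...
    "www.yourcompany.com": ["EXAMPLE-VERIFICATION-TOKEN-123"],  # ... it was added to a subdomain
    "acme.example": ["example-verification-token-123 "],        # token mangled while copying
    "verified.example": ["EXAMPLE-VERIFICATION-TOKEN-123"],     # correct placement
}


def sample_resolver(name):
    """Stand-in for a DNS TXT lookup: returns the TXT strings for `name`, [] if none.
    Replace with a real resolver call (e.g. dnspython) to check live DNS."""
    return SAMPLE_ZONE.get(name.lower().rstrip("."), [])


def check_domain_verification(domain, expected_token, resolve=sample_resolver):
    """Return (ok, diagnosis). Exact token on the root domain passes; otherwise
    the diagnosis names the likeliest cause from the troubleshooting list."""
    domain = domain.strip().lower().rstrip(".")
    root_records = resolve(domain)
    if expected_token in root_records:
        return True, "verification TXT record found on %s" % domain
    # Typo check: same token once case and stray whitespace are ignored.
    if expected_token.lower() in {r.strip().lower() for r in root_records}:
        return False, ("token is present on the root but altered (case or stray whitespace); "
                       "re-copy it exactly from the dashboard")
    # Placement check: the most common misplacement is the www subdomain (heuristic).
    if expected_token in {r.strip() for r in resolve("www." + domain)}:
        return False, ("token found on www.%s, not %s; add the TXT record to the root domain"
                       % (domain, domain))
    if not root_records:
        return False, ("no TXT records visible for the root yet; re-check the record "
                       "and allow more time for propagation")
    return False, "TXT records exist on the root but none carries the token; check for typos"


def email_matches_verified_domain(email, verified_domains):
    """Strict match of the email's domain against the verified list, ignoring case.
    A subdomain (user@eu.yourcompany.com) is treated as a different domain here."""
    if email.count("@") != 1:
        return False
    domain = email.rsplit("@", 1)[1].strip().lower().rstrip(".")
    verified = {d.strip().lower().rstrip(".") for d in verified_domains}
    return bool(domain) and domain in verified


if __name__ == "__main__":
    for d in ("yourcompany.com", "acme.example", "verified.example", "nothing.example"):
        ok, why = check_domain_verification(d, EXPECTED_TOKEN)
        print("%-20s %s  %s" % (d, "OK " if ok else "FAIL", why))
    for addr in ("Alice@YourCompany.com", "bob@eu.yourcompany.com", "carol@other.example"):
        print("%-26s matches verified domain: %s"
              % (addr, email_matches_verified_domain(addr, ["yourcompany.com"])))
```

A sign-in failure for a user whose address passes `email_matches_verified_domain` is not a domain problem; work down the rest of the list above (connection active, user present in the identity provider, invitation or automatic provisioning) instead.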

Connection not active

If your SSO connection is not showing as active:
  • Complete all steps in the identity provider configuration
  • Upload or enter all required SAML metadata
  • Test the connection in the configuration portal
For technical issues with SSO configuration, please reach out.

Best practices

Planning your rollout

  • Communicate changes: Notify your team about the new login process before enabling SSO
  • Document backup access: Ensure team members know how to request access if they have login issues

Ongoing management

  • Review regularly: Periodically review which domains are verified and ensure they’re still needed
  • Monitor new users: When new SSO users join, verify they have the appropriate role assigned
  • Keep contact information updated: Ensure your identity provider’s administrator contact information is current

Security recommendations

  • Enable MFA at the identity provider: Require multi-factor authentication in your identity provider for an additional security layer
  • Use the principle of least privilege: Assign the minimum role necessary when promoting SSO users from Viewer
  • Regular access reviews: Audit your team members and their roles periodically