Single Sign-On (SSO)
Available to: Account Administrators
Minimum plan: Business
TitanRDM supports Single Sign-On (SSO) using the OpenID Connect (OIDC) standard. Once configured, your team signs in through your organization's identity provider (IdP) — such as Microsoft Entra ID, Okta, or Google Workspace — instead of receiving per-user magic links.
How it works
- Each account configures its own OIDC client (Client ID, Client Secret, and Discovery/Issuer URL). Credentials are stored encrypted and are scoped to your account only.
- When SSO is enabled, the sign-in page for your account shows a "Sign in with <your provider>" button. Email magic-link sign-in is disabled for your members.
- Existing users only. SSO authenticates people who have already been added to your account (their email must match a user in TitanRDM). It does not automatically create new users. Add users first under Admin > Users, then they can sign in via SSO.
- Break-glass access. The original account creator can still request an email magic link from the sign-in page ("Account administrator? Sign in with email"). This is a recovery path in case the IdP is misconfigured. All other members must use SSO.
- If your account is downgraded below the Business plan, SSO is automatically deactivated and magic-link sign-in is restored.
Prerequisites
- Account Administrator group membership
- An account on the Business plan
- Administrative access to your identity provider to register an application
Enabling SSO
- Navigate to Admin > Account > Account Settings.
- Find the Single Sign-On (SSO) card.
- Copy the Redirect / Callback URL shown. You'll register this in your IdP. It looks like:
  https://{your-subdomain}.titanrdm.com/users/auth/openid_connect/callback
  Important: This URL is unique to your account's subdomain. Register the exact value shown.
- Create an application in your identity provider (see the per-provider guides below) and collect:
  - Client ID
  - Client Secret
  - Discovery / Issuer URL
- Back in TitanRDM, fill in:
  - Display Name — the label shown on the sign-in button (e.g. "Acme Entra ID")
  - Discovery / Issuer URL
  - Client ID
  - Client Secret
- Tick Enable SSO for this account.
- Click Save SSO Settings.
Sign out and visit your account's sign-in page to confirm the SSO button appears and a test login succeeds.
Tip: Update the Client Secret at any time by entering a new value. Leave the secret field blank to keep the existing one.
Discovery / Issuer URL
TitanRDM uses OIDC discovery. Enter your provider's issuer URL — TitanRDM appends /.well-known/openid-configuration automatically. If you paste the full .well-known URL, TitanRDM normalizes it for you.
Provider setup guides
The required scopes are openid, email, and profile. The user's email from the IdP must match an existing TitanRDM user.
Microsoft Entra ID (Azure AD)
- In the Azure Portal, go to Microsoft Entra ID > App registrations > New registration.
- Give it a name (e.g. "TitanRDM").
- Under Redirect URI, choose Web and paste the Callback URL from TitanRDM.
- Register the app, then note the Application (client) ID → this is your Client ID.
- Go to Certificates & secrets > New client secret. Copy the secret Value → this is your Client Secret.
- Your Discovery / Issuer URL is:
  https://login.microsoftonline.com/{tenant-id}/v2.0
  (Find {tenant-id} on the app's Overview page as the Directory (tenant) ID.)
- Under API permissions, ensure openid, email, and profile (Microsoft Graph delegated) are granted.
Okta
- In the Okta Admin Console, go to Applications > Create App Integration.
- Choose OIDC - OpenID Connect and Web Application.
- Set the Sign-in redirect URI to the Callback URL from TitanRDM.
- Assign the app to the appropriate users or groups.
- From the application's General tab, copy the Client ID and Client Secret.
- Your Discovery / Issuer URL is your Okta org URL:
  https://{your-org}.okta.com
  (Confirm via https://{your-org}.okta.com/.well-known/openid-configuration.)
Google Workspace
- In the Google Cloud Console, select or create a project.
- Go to APIs & Services > Credentials > Create Credentials > OAuth client ID.
- Choose Web application.
- Under Authorized redirect URIs, add the Callback URL from TitanRDM.
- Create the client and copy the Client ID and Client Secret.
- Your Discovery / Issuer URL is:
  https://accounts.google.com
- Ensure the OAuth consent screen is configured and the openid, email, and profile scopes are enabled.
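The Issuer URL normalization described above, and the reason the per-provider issuer values must be entered exactly, can be checked offline before touching the TitanRDM settings card. The following is an added example and is not TitanRDM's own code; the function names (normalize_issuer, discovery_url, validate_discovery, redirect_uri_mismatch) and the trimmed Entra discovery document with its all-zero tenant ID are constructed for illustration. It also goes slightly beyond the page by naming which URL component differs when a redirect URI does not match.

```python
"""Added example, not TitanRDM code: offline checks for the OIDC values this
page asks you to collect. Function names and the sample discovery document
below are constructed for illustration."""
from __future__ import annotations

from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"
REQUIRED_SCOPES = {"openid", "email", "profile"}
REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")


def normalize_issuer(value: str) -> str:
    """Accept a bare issuer URL or the full .well-known URL and return the issuer.

    Mirrors the behaviour the page describes (a pasted discovery URL is reduced
    to its issuer); trailing slashes are dropped so comparisons are exact.
    """
    issuer = value.strip()
    if issuer.endswith(WELL_KNOWN):
        issuer = issuer[: -len(WELL_KNOWN)]
    return issuer.rstrip("/")


def discovery_url(issuer: str) -> str:
    """Build the discovery URL that is fetched for the given issuer."""
    return normalize_issuer(issuer) + WELL_KNOWN


def validate_discovery(issuer: str, doc: dict) -> list[str]:
    """Return the problems found in a discovery document (empty list = OK).

    OIDC Discovery requires the document's `issuer` to equal the URL it was
    fetched from (minus the well-known suffix). A mismatch usually means a wrong
    tenant, org or version segment in the configured Issuer URL.
    """
    expected = normalize_issuer(issuer)
    problems: list[str] = []
    if doc.get("issuer", "").rstrip("/") != expected:
        problems.append(f"issuer mismatch: document says {doc.get('issuer')!r}, configured {expected!r}")
    for key in REQUIRED_ENDPOINTS:
        if key not in doc:
            problems.append(f"missing {key}")
    if "code" not in doc.get("response_types_supported", ["code"]):
        problems.append("authorization code flow not advertised")
    advertised = set(doc.get("scopes_supported", []))
    if advertised:  # scopes_supported is optional; only check it when the IdP publishes it
        missing = REQUIRED_SCOPES - advertised
        if missing:
            problems.append("scopes not advertised: " + ", ".join(sorted(missing)))
    return problems


def redirect_uri_mismatch(registered: str, expected: str) -> list[str]:
    """Name the URL components that differ between the redirect URI registered in
    the IdP and the Callback URL shown in TitanRDM; an empty list means an exact match."""
    a, b = urlsplit(registered), urlsplit(expected)
    return [name for name in ("scheme", "netloc", "path", "query")
            if getattr(a, name) != getattr(b, name)]


# Constructed sample document (all-zero tenant ID, trimmed to the fields checked above).
ENTRA_TENANT = "00000000-0000-0000-0000-000000000000"
ENTRA_DOC = {
    "issuer": f"https://login.microsoftonline.com/{ENTRA_TENANT}/v2.0",
    "authorization_endpoint": f"https://login.microsoftonline.com/{ENTRA_TENANT}/oauth2/v2.0/authorize",
    "token_endpoint": f"https://login.microsoftonline.com/{ENTRA_TENANT}/oauth2/v2.0/token",
    "jwks_uri": f"https://login.microsoftonline.com/{ENTRA_TENANT}/discovery/v2.0/keys",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "scopes_supported": ["openid", "profile", "email", "offline_access"],
}

if __name__ == "__main__":
    configured = f"https://login.microsoftonline.com/{ENTRA_TENANT}/v2.0/"
    print(discovery_url(configured))
    print(validate_discovery(configured, ENTRA_DOC))
    # Common misconfiguration: the /v2.0 segment left off the configured Issuer URL.
    print(validate_discovery(f"https://login.microsoftonline.com/{ENTRA_TENANT}", ENTRA_DOC))
    print(redirect_uri_mismatch(
        "https://acme.titanrdm.com/users/auth/openid_connect/callback/",
        "https://acme.titanrdm.com/users/auth/openid_connect/callback"))
```

In practice you would fetch the document from discovery_url(issuer) over HTTPS and pass the parsed JSON to validate_discovery; the issuer check is what catches a tenant ID copied from the wrong directory or an Okta org URL pasted with a custom authorization server path.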
Troubleshooting
| Symptom | Likely cause |
| --- | --- |
| "No account was found for this user" | The signed-in IdP email doesn't match a TitanRDM user. Add the user under Admin > Users first. |
| Redirect/callback error at the IdP | The redirect URI registered in the IdP doesn't exactly match the Callback URL shown in TitanRDM (check subdomain and trailing path). |
| SSO button doesn't appear | SSO is not enabled, the configuration is incomplete, or the account is no longer on the Business plan. |
| Locked out after a bad config | Use the "Account administrator? Sign in with email" option on the sign-in page (available to the account creator) to recover, then fix the configuration. |