Available on the Max plan. Only Organization Owners and Admins can add SSO providers; only Owners can turn on enforcement.
Single Sign-On lets your team sign in through your own identity provider (IdP) instead of a SnapGlyph password. SnapGlyph supports both SAML 2.0 and OIDC (OpenID Connect), so you can connect providers like Okta, Entra ID, Google Workspace, and others.
Where SSO Settings Live
SSO is configured in your organization’s security settings.
- Open Settings.
- Under your organization settings, open the Security tab.
- Scroll to the Single Sign-On (SSO) card.
If your organization is not on the Max plan, this card shows an upgrade notice instead of the setup controls.
Add an Identity Provider
- In the Single Sign-On (SSO) card, click Add provider.
- Choose a Protocol: OIDC (OpenID Connect) or SAML 2.0.
- Enter a Provider ID, a unique slug using lowercase letters, numbers, and hyphens (for example,
acme-okta). This slug is used in your IdP callback URL. - Enter the Email domain your team signs in with (for example,
acme.com). Users with this email domain will sign in through this provider. - Enter the Issuer:
- For OIDC, this is your provider’s issuer URL. SnapGlyph discovers the sign-in endpoints automatically.
- For SAML, this is a unique identifier for the provider (often the IdP entity ID).
- Fill in the protocol-specific fields:
- OIDC: enter the Client ID and Client secret from your IdP.
- SAML 2.0: enter the IdP sign-in URL (entry point) and paste the IdP signing certificate (PEM). SnapGlyph shows the ACS / callback URL and SP metadata URL to configure back in your identity provider.
- Click Add provider to save.
The new provider appears in the list with its protocol and an Unverified badge. A provider cannot be used for sign-in until its domain is verified.
Verify Your Domain
Domain verification proves you control the email domain before SnapGlyph will route those users through your IdP.
- In the provider row, click Verify domain.
- SnapGlyph shows a DNS TXT record with a Name / host and a Value.
- Add that TXT record at your DNS provider.
- Back in SnapGlyph, click Check verification.
DNS changes can take a few minutes to propagate. If the record isn’t found yet, wait a moment and check again. Once verified, the provider’s badge changes to Verified.
Require SSO for a Domain
After a domain is verified, you can enforce SSO so members of that domain must sign in through your identity provider.
- In the verified provider’s row, turn on Require SSO for this domain.
- Confirm the change in the dialog.
When SSO is required, members with an email on that domain can only sign in through SSO. Password and email-link sign-in are blocked for them. Organization Owners keep a password fallback so you can’t be locked out.
Turning enforcement on is limited to Organization Owners. Admins can turn it off if needed.