Centralize dashboard access in your Identity Provider. Configure firmly Connect to delegate sign-in to any OpenID Connect or SAML 2.0 IdP, scoped per email domain you own.

What you get

Centralized Identity

Your team logs in to firmly Connect using the same Identity Provider they already use everywhere else.

Per-Domain Control

Each verified email domain has its own IdP configuration. Different domains can use different IdPs.

Strict Enforcement

When SSO enforcement is enabled for a domain, OTP and magic-link login are blocked — every user on that domain must authenticate through your IdP.

How SSO works

Setting up SSO is a four-stage flow. You verify ownership of a domain, configure an Identity Provider, bind the IdP to the verified domain, and finally turn on enforcement. You must verify the domain and bind it to an enabled IdP before the SSO Enforced toggle becomes available. This prevents an organization from locking itself out of an unverified domain or a domain with no working IdP.

Per-domain enforcement

Enforcement is scoped to one verified email domain at a time — it is never global. Turning SSO Enforced on for acme.com does not affect users on any other domain. When enforcement is on for a domain:
  • Every user whose email belongs to that domain must complete an SSO sign-in through the bound IdP.
  • One-time-passcode (OTP) and magic-link logins are blocked for that domain. There is no bypass.
  • Users on other (unenforced) domains are unaffected and can continue to log in via OTP or magic link.
You can step back from enforcement without deleting any configuration:
  • Disable the IdP — turning the Enabled toggle off on the IdP form turns enforcement off everywhere the IdP is bound, while preserving the IdP configuration.
  • Toggle SSO Enforced off on a specific domain — users on that domain regain OTP / magic-link access.
Once enforcement is on for a domain, users on that domain who are not provisioned (or not reachable) through the bound IdP will lose dashboard access. Always run a successful Test Connection on the IdP, and try a real SSO sign-in, before turning the SSO Enforced toggle on.
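
A pre-flight check for the lockout risk described above, as an added example (not firmly Connect code): it compares a list of dashboard users with a list of accounts provisioned in the IdP and reports who would lose access once SSO Enforced is turned on for a domain. The function names, the exact-match domain rule, the case-insensitive comparison and the constructed input lists are assumptions; how you export either list is not covered on this page.

```python
from collections import defaultdict


def email_domain(address: str) -> str:
    """Return the lower-cased domain of an email address, or '' if malformed."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        return ""
    return domain.lower().rstrip(".")


def lockout_report(dashboard_users, idp_users, domains_to_enforce):
    """Return ({domain: [users who would lose access]}, [malformed addresses]).

    Assumptions: a user belongs to a domain only on an exact match of the part
    after '@' (eu.acme.com is not acme.com), and addresses are compared
    case-insensitively.
    """
    targets = {d.strip().lower().rstrip(".") for d in domains_to_enforce}
    provisioned = {u.strip().lower() for u in idp_users}
    at_risk = defaultdict(list)
    malformed = []
    for raw in dashboard_users:
        user = raw.strip()
        domain = email_domain(user)
        if not domain:
            malformed.append(user)  # surface bad rows instead of hiding them
        elif domain in targets and user.lower() not in provisioned:
            at_risk[domain].append(user)
    report = {d: sorted(at_risk[d], key=str.lower) for d in sorted(targets)}
    return report, malformed


# Constructed sample data, not real accounts.
DASHBOARD_USERS = [
    "alice@acme.com", "Bob@ACME.com", "carol@acme.com",
    "dave@partner.example", "eve@eu.acme.com", "not-an-email",
]
IDP_USERS = ["alice@acme.com", "bob@acme.com"]

if __name__ == "__main__":
    report, malformed = lockout_report(DASHBOARD_USERS, IDP_USERS, ["acme.com"])
    for domain, users in report.items():
        status = "safe to enforce" if not users else "would lock out: " + ", ".join(users)
        print(f"{domain}: {status}")
    if malformed:
        print("could not parse:", ", ".join(malformed))
```

An empty list for a domain means every dashboard user on it has a matching IdP account; it does not replace the Test Connection and real SSO sign-in called for above.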

Supported protocols

Generic OpenID Connect

Connect any OIDC-compliant Identity Provider — Okta, Microsoft Entra ID, Google, Auth0, Keycloak, and more.

Generic SAML 2.0

Connect any SAML 2.0-compliant Identity Provider, with optional one-click setup via IdP metadata XML.
Provider-specific templates (Okta, Microsoft Entra ID, Google Workspace, Auth0, OneLogin) appear in the IdP picker as Coming Soon and are not yet selectable. Use the Generic OIDC or Generic SAML guide above — both protocols are fully supported with any compliant provider.

Setup checklist

1. Verify a domain

Add an email domain in Settings → Domains and prove ownership by publishing a DNS TXT record. See Verify a Domain.

2. Add an Identity Provider

Open Settings → Single Sign-On, click Add Identity Provider, and choose Generic OIDC or Generic SAML 2.0.

3. Bind the IdP to your verified domains

On the IdP configuration form, select one or more verified domains under Authorized Domains. At least one domain must be bound before the IdP can be enabled.

4. Enable the IdP and test the connection

Turn the Enabled toggle on, then click Test Connection to perform a live round trip through your IdP. Confirm the test succeeds before moving on.

5. Enforce SSO on the domain

Return to Settings → Domains and turn the SSO Enforced toggle on for each domain you want to lock down. See enforcement details.

Next steps

Verify a Domain

Register and prove ownership of an email domain.

Configure Generic OIDC

Set up an OpenID Connect Identity Provider.

Configure Generic SAML

Set up a SAML 2.0 Identity Provider.