SSO is available on Enterprise plans or with the Legal & Security package upgrade. Contact your account manager or
support@onesignal.com to get started. Having a product owner for SSO on setup calls helps streamline the process.What is SSO?
Single Sign-On lets team members log in to OneSignal using your organization’s identity provider (IdP) instead of a separate username and password. After authenticating once through your IdP, the user receives a token that grants access to OneSignal and your other SaaS applications without additional sign-in prompts.Supported identity providers
OneSignal supports SAML 2.0 and OpenID Connect (OIDC). Use whichever your IdP supports. The SSO experience is the same.View supported identity providers
View supported identity providers
| ADP | Duo | OneLogin |
| Auth0 | Google Workspace | Oracle |
| Microsoft Entra ID (Azure AD) | JumpCloud | PingFederate |
| CAS | Keycloak | PingOne |
| ClassLink | LastPass | Rippling |
| Cloudflare | Microsoft ADFS | Salesforce |
| Custom OpenID Connect | miniOrange | Shibboleth |
| Custom SAML | NetIQ | Shibboleth Unsolicited |
| CyberArk | Okta | SimpleSAMLphp |
| VMware |
support@onesignal.com to request it.Setup
- Eligibility: Enterprise plans and the Legal & Security package.
- Who sets it up: The person configuring SSO, who must also be a OneSignal org admin.
Steps
Contact support with your details
Email
support@onesignal.com with the following:- Your OneSignal org name and org ID.
- The email domains to enable for SSO. Domains must match exactly (
onesignal.comwon’t coveronesignal.net). You can register multiple domains. - Email addresses of any pilot users to test with first. They must already be members of your organization.
Configure your identity provider
Open the setup link in your browser. Click Configure Identity Provider, select your provider from the list, and follow the on-screen instructions.



Test with pilot users
Pilot users can sign in using the Continue with Single Sign-On option on the login page. Username and password login stays active for everyone else during this period.

Add users to your SSO organization
Once SSO is live, you add new team members by inviting them from the OneSignal dashboard. An org admin sends the invite, the user accepts it, and then they sign in through your identity provider. There’s no limit on the number of users in an SSO organization.The user’s email domain must be one of the domains registered for your SSO organization. See Domain requirements below.
Admin invites the user
Go to Team Members, click Invite to Organization, enter the user’s email address, and assign their role. See Team Members for role options and permissions.



User accepts the invitation
The user receives an email with an Accept invitation link and clicks it.

Domain requirements
SSO maps email domains to your organization. For example,onesignal.com covers every @onesignal.com address. An organization can register multiple domains, so you can cover several email domains under the same SSO setup.
The user’s email domain must be registered under your SSO organization. If you invite someone whose domain is not registered, the invite fails with an error. To add a new domain, contact support@onesignal.com.

FAQ
How do I add or remove users?
Add and remove users from the Team Members page in the OneSignal dashboard. Provisioning and de-provisioning directly through your IdP is not currently supported.Can I limit who can sign in with SSO?
Yes. Access is controlled at two levels, and both must grant access:- Identity provider: Most IdPs (Okta, Google Workspace, Microsoft Entra ID, etc.) let you assign the OneSignal app to specific users, groups, or organizational units.
- OneSignal invite: Users must also be invited to your organization. Authenticating through your IdP alone is not enough.
Can I use SSO and password login at the same time?
Mixed mode isn’t officially supported. SSO is meant to be the primary login method. As a workaround, you can split apps into two organizations (one with SSO, one without). Since organizations also affect billing, contact support to plan this.What happens if my IdP goes down?
Users with an active session can keep working. Users who need to sign in can’t until the IdP is restored.Can I connect more than one IdP?
No. Each organization supports one IdP.Team Members
Invite users, assign roles, and manage permissions across your organization.
Pricing
Compare plans and see which features are included at each tier.
