SSO is available to enterprise customers only. Contact your account manager or
support@onesignal.com to get started. Having a product owner for SSO from your team on setup calls helps streamline the process.What is SSO?
Single Sign-On lets team members log in to OneSignal using your organization’s identity provider (IdP) instead of a separate username and password. After authenticating once through your IdP, the user receives a token that grants access to OneSignal and your other SaaS applications without additional sign-in prompts. OneSignal supports SAML 2.0 and OpenID Connect (OIDC) protocols. Choose whichever your IdP supports — both provide the same SSO experience in OneSignal.Supported identity providers
| ADP | Duo | OneLogin |
| Auth0 | Google Workspace | Oracle |
| Microsoft Entra ID (Azure AD) | JumpCloud | PingFederate |
| CAS | Keycloak | PingOne |
| ClassLink | LastPass | Rippling |
| Cloudflare | Microsoft ADFS | Salesforce |
| Custom OpenID Connect | miniOrange | Shibboleth |
| Custom SAML | NetIQ | Shibboleth Unsolicited |
| CyberArk | Okta | SimpleSAMLphp |
| VMware |
support@onesignal.com to request it.
Setup
Contactsupport@onesignal.com to begin setup. The support team will provide a setup link and guide you through each step.
Contact support and provide your IdP
Email support with the identity provider you use. The team will send you a setup link and configure the connection on the OneSignal side.
Follow your IdP-specific guide
Each identity provider has a different configuration process. Use the supported identity providers table above to find the guide for yours.
Test your connection
After connecting your IdP, sign in using your SSO credentials to verify the connection works.
Onboard existing team members
Existing OneSignal users can click Continue with Single Sign-On on the sign-in page. Username and password login remains available during testing so messaging is not disrupted while you onboard.Provide support with the email addresses you want to enable for SSO testing.
Add users to your SSO organization
Invite through the dashboard
Organization admins can invite users from the Team Members page. See Team Members for role options and permissions.Invite the user
Go to Team Members and click Invite to Organization. Set the user’s role as you invite them.
Domain restrictions
The invited user’s email domain must be registered under your SSO organization. If you invite someone whose email domain is not part of the organization, an error occurs.
FAQ
Who can use SSO?
SSO is available to enterprise customers only and requires an existing identity provider. If you don’t have an IdP, work with your internal IT team or a consultancy to set one up first. See the pricing page for plan details, or contactsupport@onesignal.com to get started.
Is there a limit on the number of SSO seats?
No. There is no seat limit for users under an SSO organization.How can I test SSO before enforcing it?
Yes — during setup, only the email addresses you specify are enabled for SSO login. Username and password login remains active for everyone else, so messaging continues uninterrupted.Why does SSO use email domains? How many domains can an organization have?
SSO maps email domains to your organization — for example,onesignal.com covers all @onesignal.com email addresses. An organization can have multiple domains registered for SSO login.
How do I provision and de-provision users?
You can add and remove users from the OneSignal dashboard. De-provisioning and provisioning through your IdP directly is not currently supported.I need help finding my organization admin or email domains
Contactsupport@onesignal.com — they can help you identify your organization admin and provide a list of email domains registered to your organization.
What happens if my IdP goes down?
Users with an active session can continue using OneSignal. Users who need to sign in cannot do so until the IdP is restored.Is mixed mode supported (SSO and username/password simultaneously)?
Mixed mode is not officially supported. SSO is intended as the primary login method. One workaround is to separate your apps into two organizations — one with SSO enforcement and one without. Note that organizations are also used for billing, so contact support to discuss the best approach.Can I restrict SSO access to specific users or enforce SSO for a limited group?
Yes. Access to OneSignal through SSO is controlled at two levels:- Identity provider: Most IdPs (e.g., Google Workspace, Okta, Microsoft Entra ID) let you enable or disable apps per user, group, or organizational unit. Configure your IdP to grant the OneSignal app only to the users who need access.
- OneSignal invite: Users must also be invited to your OneSignal organization through the dashboard. Even if a user can authenticate through your IdP, they cannot access OneSignal until an organization admin invites them.
Can I connect more than one IdP to an organization?
No. Each organization supports one IdP. Contact support if you have additional requirements.Team Members
Invite users, assign roles, and manage permissions across your organization.
Pricing
Compare plans and see which features are included at each tier.