Skip to main content
SSO is available on Enterprise plans or with the Legal & Security package upgrade. Contact your account manager or support@onesignal.com to get started. Having a product owner for SSO on setup calls helps streamline the process.

What is SSO?

Single Sign-On lets team members log in to OneSignal using your organization’s identity provider (IdP) instead of a separate username and password. After authenticating once through your IdP, the user receives a token that grants access to OneSignal and your other SaaS applications without additional sign-in prompts.

Supported identity providers

OneSignal supports SAML 2.0 and OpenID Connect (OIDC). Use whichever your IdP supports. The SSO experience is the same.
ADPDuoOneLogin
Auth0Google WorkspaceOracle
Microsoft Entra ID (Azure AD)JumpCloudPingFederate
CASKeycloakPingOne
ClassLinkLastPassRippling
CloudflareMicrosoft ADFSSalesforce
Custom OpenID ConnectminiOrangeShibboleth
Custom SAMLNetIQShibboleth Unsolicited
CyberArkOktaSimpleSAMLphp
VMware
If your IdP is not listed, contact support@onesignal.com to request it.

Setup

  • Eligibility: Enterprise plans and the Legal & Security package.
  • Who sets it up: The person configuring SSO, who must also be a OneSignal org admin.

Steps

1

Contact support with your details

Email support@onesignal.com with the following:
  • Your OneSignal org name and org ID.
  • The email domains to enable for SSO. Domains must match exactly (onesignal.com won’t cover onesignal.net). You can register multiple domains.
  • Email addresses of any pilot users to test with first. They must already be members of your organization.
Support will send you a setup link once everything is confirmed.
2

Configure your identity provider

Open the setup link in your browser. Click Configure Identity Provider, select your provider from the list, and follow the on-screen instructions.
OneSignal SSO setup page with a Configure Identity Provider button and the setup link
OneSignal SSO provider selection screen with a search box and a list of identity providers such as Okta, Entra ID, Google, and ADP
3

Test with pilot users

Pilot users can sign in using the Continue with Single Sign-On option on the login page. Username and password login stays active for everyone else during this period.
OneSignal sign-in page showing the Continue with Single Sign-On button alongside username and password fields
4

Go live

When you are ready, let support know. You can go live immediately or set a future date. Once SSO is live, all users sign in through your identity provider and username and password login is disabled.

Add users to your SSO organization

Once SSO is live, you add new team members by inviting them from the OneSignal dashboard. An org admin sends the invite, the user accepts it, and then they sign in through your identity provider. There’s no limit on the number of users in an SSO organization.
The user’s email domain must be one of the domains registered for your SSO organization. See Domain requirements below.
1

Admin invites the user

Go to Team Members, click Invite to Organization, enter the user’s email address, and assign their role. See Team Members for role options and permissions.
OneSignal Team Members page showing the Invite to Organization button
Email input form for adding a team member to the OneSignal organization
2

User accepts the invitation

The user receives an email with an Accept invitation link and clicks it.
OneSignal invitation email with Accept invitation button
3

User signs in with SSO

After accepting, the user signs in through your organization’s identity provider. They now have access to OneSignal.
OneSignal SSO login page prompting the user to authenticate through their identity provider

Domain requirements

SSO maps email domains to your organization. For example, onesignal.com covers every @onesignal.com address. An organization can register multiple domains, so you can cover several email domains under the same SSO setup. The user’s email domain must be registered under your SSO organization. If you invite someone whose domain is not registered, the invite fails with an error. To add a new domain, contact support@onesignal.com.
OneSignal error message shown when inviting a user whose email domain is not registered in the SSO organization

FAQ

How do I add or remove users?

Add and remove users from the Team Members page in the OneSignal dashboard. Provisioning and de-provisioning directly through your IdP is not currently supported.

Can I limit who can sign in with SSO?

Yes. Access is controlled at two levels, and both must grant access:
  1. Identity provider: Most IdPs (Okta, Google Workspace, Microsoft Entra ID, etc.) let you assign the OneSignal app to specific users, groups, or organizational units.
  2. OneSignal invite: Users must also be invited to your organization. Authenticating through your IdP alone is not enough.

Can I use SSO and password login at the same time?

Mixed mode isn’t officially supported. SSO is meant to be the primary login method. As a workaround, you can split apps into two organizations (one with SSO, one without). Since organizations also affect billing, contact support to plan this.

What happens if my IdP goes down?

Users with an active session can keep working. Users who need to sign in can’t until the IdP is restored.

Can I connect more than one IdP?

No. Each organization supports one IdP.

Team Members

Invite users, assign roles, and manage permissions across your organization.

Pricing

Compare plans and see which features are included at each tier.