Connect Your Identity Provider (Advanced SSO)
Phase 8 — Integrations · OpenFrame Onboarding
Back in Phase 1 you turned on SSO at the basic level. This guide is the admin-grade version: wiring OpenFrame directly to your own Google Workspace or Microsoft Entra identity provider with your organization's OAuth credentials, restricting who can get in by domain, and auto-provisioning accounts on first sign-in. This is how you make OpenFrame log in the same way as the rest of your stack.
Before you start
- You need an Admin role.
- Have access to your IdP's admin console — Google Cloud Console (for Google) or Microsoft Entra ID / Azure AD (for Microsoft) — where you can create an OAuth app and get a Client ID and Client Secret.
- Decide which domains are allowed to sign in (e.g. yourmsp.com).
Where it lives
Go to Settings → SSO Configuration. You'll see the SSO Configurations page with:
- A shared OpenFrame Google & Microsoft SSO option at the top — lets any account from your domain sign in via OpenFrame's shared providers, with an Auto-provision accounts toggle (creates user accounts automatically on first sign-in).
- A list of OAuth providers — Google SSO and Microsoft SSO — each showing its Status (active/inactive), Allowed Domains, and whether it's Configured. Use Edit to set one up with your own credentials.
The shared option is the quick path; connecting your own provider (below) is the advanced, fully-controlled path.
Connect your own provider
Click Edit on Google SSO or Microsoft SSO. In the Edit SSO Configuration modal:
- Copy the Authorized redirect URL. OpenFrame shows the exact callback URL (e.g. https://openframe.ai/sas/login/oauth…). Paste it into your IdP's OAuth app as an authorized redirect URI. It must match exactly — authentication fails if it's off by even a trailing slash.
- Create the OAuth app in your IdP (if you haven't) and copy its credentials back here:
  - OAuth Client ID — paste the client ID from Google Cloud / Microsoft Entra.
  - Client Secret — paste the secret (use the eye icon to verify it pasted cleanly).
- Set the Domain Allowlist (optional but recommended). Toggle Auto-provision accounts from domain to automatically create OpenFrame accounts for users from your allowed domain on their first sign-in — no manual invites needed.
- Click Save & Enable. This saves the credentials and flips the provider from INACTIVE to active. Your team can now sign in through it.
Auto-provisioning & domain control
Two layers decide who gets an account:
- Domain allowlist — restricts sign-in to your trusted domains, so a random Google account can't get in.
- Auto-provision — when on, a matching user who signs in for the first time gets an OpenFrame account created automatically (handy at scale; turn it off if you'd rather invite people deliberately, per Invite Your Team, Phase 1).
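How the two layers combine on a single sign-in attempt, as an added Python sketch that is not OpenFrame's code. The `SsoPolicy` class, the `decide` function, its return strings and the sample addresses are hypothetical; it assumes an allowlist is set and that the IdP sends the OIDC `email` and `email_verified` claims.

```python
# Added illustration of the two layers above; not OpenFrame's code.
from dataclasses import dataclass, field


@dataclass
class SsoPolicy:
    allowed_domains: set   # Domain Allowlist, e.g. {"yourmsp.com"}
    auto_provision: bool   # the Auto-provision accounts toggle
    existing_users: set = field(default_factory=set)  # lower-cased emails with accounts


def email_domain(email):
    """Return the lower-cased domain of an address, or None if malformed."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or "@" in local or not domain:
        return None
    return domain.lower()


def decide(policy, claims):
    """Return 'sign_in', 'provision' or 'deny:<reason>' for one sign-in attempt."""
    # Assumption: the IdP supplies the OIDC email and email_verified claims.
    if claims.get("email_verified") is not True:
        return "deny:unverified_email"
    email = str(claims.get("email", "")).strip().lower()
    domain = email_domain(email)
    # Layer 1: exact match against the allowlist. Suffix or substring matching
    # would admit look-alikes such as evil-yourmsp.com or yourmsp.com.example.net.
    if domain is None or domain not in {d.lower() for d in policy.allowed_domains}:
        return "deny:domain_not_allowed"
    if email in policy.existing_users:
        return "sign_in"
    # Layer 2: first sign-in from an allowed domain.
    return "provision" if policy.auto_provision else "deny:invite_required"


def run_samples():
    """Evaluate constructed sample claims against a constructed policy."""
    policy = SsoPolicy({"yourmsp.com"}, True, {"alice@yourmsp.com"})
    samples = [  # constructed inputs, not real accounts
        {"email": "alice@yourmsp.com", "email_verified": True},
        {"email": "bob@YourMSP.com", "email_verified": True},
        {"email": "eve@evil-yourmsp.com", "email_verified": True},
        {"email": "bob@yourmsp.com", "email_verified": False},
    ]
    return [decide(policy, c) for c in samples]


if __name__ == "__main__":
    print(run_samples())
```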
Enforcing SSO
Once your provider is enabled and tested, SSO becomes the front door for your org. Verify a test user can sign in through the provider before you rely on it as the only path, so you don't lock anyone out. Keep at least one Admin able to get in while you roll it out.
Quick checklist
- Opened Settings → SSO Configuration
- Copied the Authorized redirect URL into your IdP's OAuth app (exact match)
- Pasted the OAuth Client ID and Client Secret from Google/Microsoft
- Set the Domain Allowlist and chose whether to auto-provision
- Clicked Save & Enable and confirmed the provider is active
- Tested a real sign-in before enforcing SSO org-wide
What's next
With identity handled, wire up the rest of your automation: API Keys & External Integrations covers generating keys for external systems and the API/webhooks that let other tools talk to OpenFrame.
Based on OpenFrame v0.9.19. SSO providers and fields evolve between releases, and exact IdP steps differ by provider — what's in your console (and your IdP's docs) wins.
