Connect Your Identity Provider (Advanced SSO)


Section: Phase 8 — Integrations · Step 1

Published: June 23, 2026

Vladislav Marchenko, Head Of Marketing

Phase 8 — Integrations · OpenFrame Onboarding

Back in Phase 1 you turned on SSO at the basic level. This guide is the admin-grade version: wiring OpenFrame directly to your own Google Workspace or Microsoft Entra identity provider with your organization's OAuth credentials, restricting who can get in by domain, and auto-provisioning accounts on first sign-in. This is how you make OpenFrame log in the same way as the rest of your stack.


Before you start

  • You need an Admin role.
  • Have access to your IdP's admin console — Google Cloud Console (for Google) or Microsoft Entra ID / Azure AD (for Microsoft) — where you can create an OAuth app and get a Client ID and Client Secret.
  • Decide which domains are allowed to sign in (e.g. yourmsp.com).

Where it lives

Go to Settings → SSO Configuration. You'll see the SSO Configurations page with:

  • A shared OpenFrame Google & Microsoft SSO option at the top — lets any account from your domain sign in via OpenFrame's shared providers, with an Auto-provision accounts toggle (creates user accounts automatically on first sign-in).
  • A list of OAuth providers: Google SSO and Microsoft SSO — each showing its Status (active/inactive), Allowed Domains, and whether it's Configured. Use Edit to set one up with your own credentials.

The shared option is the quick path; connecting your own provider (below) is the advanced, fully-controlled path.


Connect your own provider

Click Edit on Google SSO or Microsoft SSO. In the Edit SSO Configuration modal:

  1. Copy the Authorized redirect URL. OpenFrame shows the exact callback URL (e.g. https://openframe.ai/sas/login/oauth…). Paste it into your IdP's OAuth app as an authorized redirect URI. It must match exactly — authentication fails if it's off by even a trailing slash.
  2. Create the OAuth app in your IdP (if you haven't) and copy its credentials back here:
    • OAuth Client ID — paste the client ID from Google Cloud / Microsoft Entra.
    • Client Secret — paste the secret (use the eye icon to verify it pasted cleanly).
  3. Set the Domain Allowlist (optional but recommended). Toggle Auto-provision accounts from domain to automatically create OpenFrame accounts for users from your allowed domain on their first sign-in — no manual invites needed.
  4. Click Save & Enable. This saves the credentials and flips the provider from INACTIVE to active. Your team can now sign in through it.
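A pre-flight check for step 1, as an added example that is not part of OpenFrame or of the original guide: it compares the callback URL copied from the modal with the redirect URIs registered in the IdP's OAuth app and names the exact difference. The URLs are constructed placeholders, not OpenFrame's real callback path.

```python
from urllib.parse import urlsplit


def diagnose_redirect_mismatch(expected, registered):
    """Explain why `registered` (in the IdP) is not byte-identical to
    `expected` (shown by OpenFrame). An empty list means an exact match."""
    if expected == registered:
        return []
    reasons = []
    if expected != expected.strip() or registered != registered.strip():
        reasons.append("stray whitespace around the URL")
    e, r = urlsplit(expected.strip()), urlsplit(registered.strip())
    if e.scheme != r.scheme:
        reasons.append(f"scheme differs: {e.scheme} vs {r.scheme}")
    if e.netloc != r.netloc:
        if e.netloc.lower() == r.netloc.lower():
            reasons.append("host differs only by letter case")
        else:
            reasons.append(f"host/port differs: {e.netloc} vs {r.netloc}")
    if e.path != r.path:
        if e.path.rstrip("/") == r.path.rstrip("/"):
            reasons.append("path differs only by a trailing slash")
        elif e.path.lower() == r.path.lower():
            reasons.append("path differs only by letter case")
        else:
            reasons.append(f"path differs: {e.path} vs {r.path}")
    if e.query != r.query:
        reasons.append("query string differs")
    return reasons or ["URLs differ in a way not classified here"]


def audit_registered_uris(expected, registered_uris):
    """Return (ok, report): ok is True only if one URI matches exactly."""
    report = {u: diagnose_redirect_mismatch(expected, u) for u in registered_uris}
    return any(not why for why in report.values()), report


# Constructed placeholder values for illustration only.
EXPECTED = "https://openframe.example/login/callback/placeholder"
REGISTERED = [EXPECTED + "/", "http://openframe.example/login/callback/placeholder"]

if __name__ == "__main__":
    ok, report = audit_registered_uris(EXPECTED, REGISTERED)
    print("exact match registered:", ok)
    for uri, why in report.items():
        print(f"  {uri!r}: {why or 'exact match'}")
```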

Auto-provisioning & domain control

Two layers decide who gets an account:

  • Domain allowlist — restricts sign-in to your trusted domains, so a random Google account can't get in.
  • Auto-provision — when on, a matching user who signs in for the first time gets an OpenFrame account created automatically (handy at scale; turn it off if you'd rather invite people deliberately, per Invite Your Team, Phase 1).
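How the two layers combine into a sign-in decision, as an added sketch that is not OpenFrame's code: it assumes the ID token signature has already been validated and uses Google-style OpenID Connect claim names (`email`, `email_verified`, `hd`); other IdPs use different claims. `SsoPolicy` and `decide_sign_in` are hypothetical names, and the accounts are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class SsoPolicy:
    allowed_domains: frozenset  # e.g. {"yourmsp.com"}, stored lowercase
    auto_provision: bool


def email_domain(email: str) -> str | None:
    """Return the lowercased domain of a single-@ address, else None."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or "@" in local or not domain:
        return None
    return domain.lower()


def decide_sign_in(claims: dict, policy: SsoPolicy, existing_users: set):
    """Return (action, reason); action is 'allow', 'provision' or 'deny'."""
    if claims.get("email_verified") is not True:
        return "deny", "email not verified by the IdP"
    email = str(claims.get("email", "")).strip().lower()
    domain = email_domain(email)
    # Exact membership, never endswith(): "yourmsp.com.evil.example" and
    # "evil-yourmsp.com" both contain the allowed name but are other domains.
    if domain is None or domain not in policy.allowed_domains:
        return "deny", "domain not on the allowlist"
    hd = claims.get("hd")  # Google hosted-domain claim, when present
    if hd is not None and str(hd).lower() != domain:
        return "deny", "hosted-domain claim does not match email domain"
    if email in existing_users:
        return "allow", "existing account"
    if policy.auto_provision:
        return "provision", "account created on first sign-in"
    return "deny", "no account and auto-provision is off (invite required)"


if __name__ == "__main__":
    policy = SsoPolicy(frozenset({"yourmsp.com"}), auto_provision=True)
    users = {"alice@yourmsp.com"}  # constructed sample directory
    for addr in ("alice@yourmsp.com", "bob@yourmsp.com",
                 "mallory@yourmsp.com.evil.example"):
        claims = {"email": addr, "email_verified": True}
        print(addr, "->", decide_sign_in(claims, policy, users))
```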

Enforcing SSO

Once your provider is enabled and tested, SSO becomes the front door for your org. Verify a test user can sign in through the provider before you rely on it as the only path, so you don't lock anyone out. Keep at least one Admin able to get in while you roll it out.


Quick checklist

  • Opened Settings → SSO Configuration
  • Copied the Authorized redirect URL into your IdP's OAuth app (exact match)
  • Pasted the OAuth Client ID and Client Secret from Google/Microsoft
  • Set the Domain Allowlist and chose whether to auto-provision
  • Clicked Save & Enable and confirmed the provider is active
  • Tested a real sign-in before enforcing SSO org-wide

What's next

With identity handled, wire up the rest of your automation: API Keys & External Integrations covers generating keys for external systems and the API/webhooks that let other tools talk to OpenFrame.


Based on OpenFrame v0.9.19. SSO providers and fields evolve between releases, and exact IdP steps differ by provider — what's in your console (and your IdP's docs) wins.
