Set Up SSO with Google or Microsoft


Section: Phase 1 — Account & Workspace Setup · Step 1

Published: June 25, 2026

Vladislav Marchenko, Head Of Marketing

Passwords are a liability. Every standalone login your team creates is one more credential to leak, reuse, or forget. Wire OpenFrame up to the identity provider you already run — Google Workspace or Microsoft 365 — and your team signs in with the accounts they already have, with your existing MFA and offboarding in place.

Do this early. The sooner SSO is on, the fewer one-off passwords ever get created.


Before you start

  • You need an Admin role in OpenFrame.
  • Decide which path you want (both are covered below):
    • Shared SSO — the fast path. Let anyone on your email domain sign in through OpenFrame's shared Google/Microsoft apps. No OAuth app to create.
    • Your own OAuth app — the controlled path. You register OpenFrame in your own Google or Microsoft tenant and paste in the credentials. More setup, more control.
  • For the OAuth-app path, you'll need access to your Google Cloud Console or Microsoft Entra (Azure AD) admin to create an app and copy a Client ID and Client Secret.

Where to find it

Left nav → Settings → SSO Configuration. You'll land on the SSO Configurations page, which has two parts: a shared-SSO banner at the top, and a provider table (Google SSO and Microsoft SSO) below.


Option A — Shared SSO (the fast path)

At the top of the page there's a panel: OpenFrame Google & Microsoft SSO. It lets any account on your email domain sign in through OpenFrame's shared Google or Microsoft providers — no OAuth app required on your end.

  1. Find the Auto-provision accounts from <yourdomain> checkbox on the right of that panel.
  2. Tick it. From now on, anyone with an email on your domain (e.g. @yourmsp.com) can sign in via Google or Microsoft, and OpenFrame creates their account automatically on first sign-in.

That's it. The trade-off: auto-provisioning means anyone on your domain can get in. If you want to control exactly who has access, use Option B instead (or leave auto-provision off and invite people manually — see Invite Your Team to OpenFrame).

Heads up: auto-provisioned users land with a default role. Review new accounts under Employees & Permissions so nobody sits with more access than they need.


Option B — Bring your own OAuth app (the controlled path)

This is the route most established MSPs want: OpenFrame authenticates against an app you own in Google or Microsoft, so you control the client, the secret, and which domains are allowed.

In the provider table, find Google SSO or Microsoft SSO and click Edit. The Edit SSO Configuration dialog has everything you need:

1. Copy the redirect URL into your IdP

At the top you'll see Authorized redirect URL for your SSO provider settings with a copy button. Copy it.

Over in your identity provider — Google Cloud Console (OAuth client) or Microsoft Entra (app registration) — create an OAuth app and paste this exact URL into its authorized redirect / callback field.

This is the #1 thing people get wrong. The callback URL has to match exactly. One trailing slash off and sign-in fails with an opaque error. Copy-paste it; don't type it.

2. Paste in your credentials

Back in OpenFrame, fill in:

  • OAuth Client ID — from the app you just created
  • Client Secret — also from that app (use the eye icon to confirm you pasted it correctly)

Enter these yourself — they're sensitive, so don't share your screen while you do it, and never hand a Client Secret to anyone who doesn't need it.

3. Set your domain allowlist

On the right, under Domain Allowlist, you can turn on Auto-provision accounts from domain — automatically create accounts for people signing in through this provider. Leave it off if you'd rather invite people one by one and keep a tight guest list.

4. Save and enable

Click Save & Enable. The provider's Status flips from Inactive to Active, and its Configuration column shows Configured. Test it by signing in with an SSO account (an incognito window is the easy way).
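
The exact-match rule from step 1 can be checked before you test sign-in. The following is an added example, not OpenFrame's own code: it compares the redirect URL copied from the Edit SSO Configuration dialog against the redirect URIs registered on a Google "Web application" OAuth client and names the difference. The sample JSON is constructed, and the hostname and path are placeholders, because the page does not give the real URL.

```python
import json
from urllib.parse import urlsplit

# Constructed sample in the shape of the client JSON that Google Cloud Console
# offers for download on a "Web application" OAuth client. Placeholder values.
SAMPLE_CLIENT_JSON = json.dumps({
    "web": {
        "client_id": "EXAMPLE-ID.apps.googleusercontent.com",
        "redirect_uris": [
            "https://openframe.example.invalid/sso/callback/",  # trailing slash
            "http://openframe.example.invalid/sso/callback",    # wrong scheme
        ],
    }
})

def diagnose(expected: str, registered: str) -> list[str]:
    """Explain why `registered` would fail an exact match against `expected`."""
    if expected == registered:
        return []
    problems = []
    if registered != registered.strip():
        problems.append("leading/trailing whitespace")
    e, r = urlsplit(expected), urlsplit(registered.strip())
    if e.scheme != r.scheme:
        problems.append(f"scheme {r.scheme!r} != {e.scheme!r}")
    if e.netloc != r.netloc:
        kind = "host case" if e.netloc.lower() == r.netloc.lower() else "host/port"
        problems.append(f"{kind} {r.netloc!r} != {e.netloc!r}")
    if e.path != r.path:
        kind = "trailing slash" if e.path.rstrip("/") == r.path.rstrip("/") else "path"
        problems.append(f"{kind} {r.path!r} != {e.path!r}")
    if e.query != r.query or e.fragment != r.fragment:
        problems.append("query or fragment differs")
    return problems or ["differs in a way not classified here"]

def check_client(expected: str, client_json: str) -> dict[str, list[str]]:
    """Map each registered redirect URI to its problems ([] means exact match)."""
    uris = json.loads(client_json)["web"]["redirect_uris"]
    return {uri: diagnose(expected, uri) for uri in uris}

def is_registered(expected: str, client_json: str) -> bool:
    """True only if some registered URI equals the expected URL exactly."""
    return any(not p for p in check_client(expected, client_json).values())

if __name__ == "__main__":
    expected = "https://openframe.example.invalid/sso/callback"  # placeholder
    for uri, problems in check_client(expected, SAMPLE_CLIENT_JSON).items():
        print("OK  " if not problems else "FAIL", repr(uri), "; ".join(problems))
```
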


Reading the provider table

Each row tells you the state at a glance:

  • Status: Active means people can log in with it right now; Inactive means it's off.
  • Allowed Domains — which email domains this provider accepts (None until you set one).
  • Configuration: Configured means credentials are saved; Not configured means it's still empty.

You can run Google and Microsoft side by side — handy if part of your team is on Workspace and part on 365.


Quick checklist

  • Decided between shared SSO and your own OAuth app
  • (Shared) Enabled auto-provision for your domain, or
  • (Own app) Pasted the redirect URL into your IdP exactly, added Client ID + Secret, set the allowlist, hit Save & Enable
  • Confirmed the provider shows Active
  • Test-signed-in with an SSO account in a fresh browser session
  • Reviewed auto-provisioned accounts under Employees & Permissions

What's next

With SSO live, bring your team on board — head to Invite Your Team to OpenFrame to add people and set their roles. Then you're done with Phase 1 and ready to start deploying devices.


Based on OpenFrame v0.9.19. Screens and defaults may shift between releases — when in doubt, what's in your console wins.

Vladislav Marchenko

Head Of Marketing

Hi all! My name is Vlad and I’ve been brought on to head the marketing team at Flamingo. Thankfully, this isn’t the first time I will be building a marketing department from scratch, so the experience should come in handy. Now it’s time to dive into the world of MSPs and find myself in this new world.
