Single Sign-On (SSO)
Secure who can access your workspace
SSO is available on the Business plan.
Single Sign-On (SSO) allows users to access Speckle using your organization’s existing identity provider. Speckle supports any OIDC identity provider.
How do you enable SSO?
Admins can enable SSO under Workspace Settings → Security.
Need help setting up SSO? We’re happy to jump on a call to walk you through the process. Contact us to schedule a meeting.
Create an OpenID Connect application
Set up a new web application using the OpenID Connect protocol in your identity provider’s panel. This will generate the necessary settings for Speckle.
When configuring the application, use this Redirect URL (callback):
The value of workspace-short-id should be your workspace’s unique short id.
Set the application grant type to “authorization_code” and configure these scopes:
| Scope | Resultant claims |
|---|---|
| openid | - |
| profile | name, given_name, family_name |
You may need to explicitly configure your identity provider to provide user emails with the email claim. Some providers, like Azure AD, will omit or obscure this information by default.
Configure SSO in Speckle
Fill in the SSO configuration form with details from your identity provider:
- Provider: The label displayed on the login button in Speckle
- Client ID: From your identity provider application
- Client secret: From your identity provider application
- Issuer URL: Your identity provider’s issuer URL
Enable SSO
Click Add to save your SSO configuration. Once SSO is enabled, all workspace members will be required to authenticate with SSO credentials the next time they access the workspace.
When SSO is enabled
- Users will see your organization’s SSO option when they are invited to the workspace.
- Existing workspace members will be prompted to authenticate with SSO the next time they access the workspace.
- Users with the Guest role can still access the workspace without SSO, since this role is designed for external collaborators.
SSO provides authentication but not automatic user provisioning. Users removed from your identity provider will still be in your list of members in Speckle until a Admin in Speckle has removed them.
If your organization uses SSO, you don’t need to enable domain protection as SSO provides equivalent security controls.