Skip to main content
SSO is available on the Enterprise plan.
Single Sign-On (SSO) allows users to access Speckle using your organization’s existing identity provider. Speckle supports any OIDC identity provider.

How do you enable SSO?

Admins can enable SSO under Workspace Settings → Security.
Need help setting up SSO? We’re happy to jump on a call to walk you through the process. Contact us to schedule a meeting.
1

Create an OpenID Connect application

Set up a new web application using the OpenID Connect protocol in your identity provider’s panel. This will generate the necessary settings for Speckle.When configuring the application, use this Redirect URL (callback):
  https://app.speckle.systems/api/v1/workspaces/{workspace-short-id}/sso/oidc/callback
The value of workspace-short-id should be your workspace’s unique short id.Set the application grant type to “authorization_code” and configure these scopes:
ScopeResultant claims
openid-
profilename, given_name, family_name
emailemail
You may need to explicitly configure your identity provider to provide user emails with the email claim. Some providers, like Azure AD, will omit or obscure this information by default.
2

Configure SSO in Speckle

Fill in the SSO configuration form with details from your identity provider:
  • Provider: The label displayed on the login button in Speckle
  • Client ID: From your identity provider application
  • Client secret: From your identity provider application
  • Issuer URL: Your identity provider’s issuer URL
3

Enable SSO

Click Add to save your SSO configuration. Once SSO is enabled, all workspace members will be required to authenticate with SSO credentials the next time they access the workspace.

When SSO is enabled

  1. Users will see your organization’s SSO option when they are invited to the workspace.
  2. Existing workspace members will be prompted to authenticate with SSO the next time they access the workspace.
  3. Users with the Guest role can still access the workspace without SSO, since this role is designed for external collaborators.
SSO provides authentication but not automatic user provisioning. Users removed from your identity provider will still be in your list of members in Speckle until a Admin in Speckle has removed them.
If your organization uses SSO, you don’t need to enable domain protection as SSO provides equivalent security controls.

Update SSO provider configuration

If you need to update the provider details for some reason ie.: the client secrets is about to expire, currently the graphql api needs to be used.
  1. Open the api explorer at https://app.speckle.systems/graphql
  2. Query the existing SSO provider details with the query below, it will return the details of the existing provider.
query ($slug: String!) {
  workspaceBySlug(slug: $slug) {
    id
    sso {
      provider {
        id
        clientId
        issuerUrl
        name
      }
    }
  }
}
  1. update the provider details with the mutation and the input structure detailed below.
Incorrectly updating the provider details may make your workspace inaccessible for your users. Make sure to double check the new values.
Mutation 
mutation($input: WorkspaceSsoProviderUpdateInput!) {
  workspaceMutations {
    updateSsoProvider(input: $input)
  }
}
Input 
{
  "input": {
    "clientId": "",
    "clientSecret": "",
    "issuerUrl": "",
    "providerId": "",
    "providerName": "",
    "workspaceId": ""
  }
}
  1. the sso provider details should be updated if the mutation was successful.

FAQ

No. With SSO enabled, organizational users can access the workspace automatically through your identity provider. You do not need to send individual invitations to users within your organization.
Last modified on March 4, 2026