Enable SSO
Admins can enable SSO under Settings -> Security. Workspace members can see this section, but only workspace admins can change these controls. In Settings -> Security, this control appears in the Single Sign-On section.SSO is available on the Enterprise plan.
Need help setting up SSO? We’re happy to jump on a call to walk you through the process. Contact
us to schedule a meeting.
1
Create an OpenID Connect application
Set up a new web application using the OpenID Connect protocol in your identity provider’s panel. This will generate the necessary settings for Speckle.When configuring the application, use this Redirect URL (callback):The value of
workspace-short-id should be your workspace’s unique short id.Set the application grant type to “authorization_code” and configure these scopes:2
Configure SSO in Speckle
Fill in the SSO configuration form with details from your identity provider:
- Provider: The label displayed on the login button in Speckle
- Client ID: From your identity provider application
- Client secret: Strictly confidential string of characters generated by your Identity Provider alongside the Client ID.
- Discovery URL: The full URL where your Identity Provider’s configuration metadata is hosted, given by your identity provider application. This almost always ends in
/.well-known/openid-configuration. Example:https://your-company.idp.com/.well-known/openid-configuration
3
Enable SSO
Click Add to save your SSO configuration. Once SSO is enabled, all workspace members will be required to authenticate with SSO credentials the next time they access the workspace.
When SSO is enabled
- Users will see your organization’s SSO option when they are invited to the workspace.
- Existing workspace members will be prompted to authenticate with SSO the next time they access the workspace.
- Users with the Guest role can still access the workspace without SSO, since this role is designed for external collaborators.
If your organization uses SSO, you don’t need to enable domain
protection as SSO provides equivalent security controls.
Configure backchannel logout
Your Identity Provider (IdP) can automatically notify Speckle when a specific user session terminates. Upon receiving this notification, Speckle immediately logs the user out of the associated workspace. This feature helps enforce strict security policies by ensuring immediate access revocation in scenarios where a user leaves your organization or a session is compromised. To enable this feature, configure the backchannel logout URL within your IdP settings using the following endpoint:{workspace-short-id} with the unique short identifier for your specific Speckle workspace.
Update SSO provider configuration
If you need to update the provider details for some reason ie.: the client secrets is about to expire, currently the graphql api needs to be used.- Open the api explorer at https://app.speckle.systems/graphql
- Query the existing SSO provider details with the query below, it will return the details of the existing provider.
- update the provider details with the mutation and the input structure detailed below.
- the sso provider details should be updated if the mutation was successful.
FAQ
With SSO enabled, do users still need an invite?
With SSO enabled, do users still need an invite?
Existing workspace members can sign in with SSO without a new invite. First-time users still
need a workspace invite so they can be granted a workspace role and access.
Why can a user sign in with SSO but still not access the workspace?
Why can a user sign in with SSO but still not access the workspace?
SSO authenticates identity, but workspace access still depends on workspace membership and role
assignment. If a user has no workspace role, they cannot access workspace content even after
successful SSO authentication.
Are Guests required to authenticate with SSO?
Are Guests required to authenticate with SSO?
Not always. In current behavior, Guests can still access invited projects without being forced
through the same SSO session requirement as workspace Members.
For how long will users be logged in with SSO?
For how long will users be logged in with SSO?
The maximum duration of a user SSO session is 7 days in Speckle. After this, users will be
required to re-authenticate through your identity provider. However, the actual session duration
may be shorter if your provider terminates sessions sooner or if users log out manually
(backchannel loggout). For custom session durations, you can contact us.
Can we get Multi-Factor Authentication (MFA)?
Can we get Multi-Factor Authentication (MFA)?
Multi-Factor Authentication (MFA) is an authentication method that requires two or more
verification factors, such as something you know (password), something you have (authenticator
app or hardware token), or something you are (biometric). MFA is managed through your SSO
identity provider. Speckle offers user account verification at registration, but not a
standalone MFA flow outside your identity provider.