Skip to main content
Single Sign-On (SSO) allows users to access Speckle using your organization’s existing identity provider. Speckle supports any OIDC identity provider.

How do you enable SSO?

Admins can enable SSO under Workspace Settings → Security.
SSO is available on the Enterprise plan.
Need help setting up SSO? We’re happy to jump on a call to walk you through the process. Contact us to schedule a meeting.
1

Create an OpenID Connect application

Set up a new web application using the OpenID Connect protocol in your identity provider’s panel. This will generate the necessary settings for Speckle.When configuring the application, use this Redirect URL (callback):
  https://app.speckle.systems/api/v1/workspaces/{workspace-short-id}/sso/oidc/callback
The value of workspace-short-id should be your workspace’s unique short id.Set the application grant type to “authorization_code” and configure these scopes:
ScopeResultant claims
openid-
profilename, given_name, family_name
emailemail
You may need to explicitly configure your identity provider to provide user emails with the email claim. Some providers, like Azure AD, will omit or obscure this information by default.
2

Configure SSO in Speckle

Fill in the SSO configuration form with details from your identity provider:
  • Provider: The label displayed on the login button in Speckle
  • Client ID: From your identity provider application
  • Client secret: Strictly confidential string of characters generated by your Identity Provider alongside the Client ID.
  • Discovery URL: The full URL where your Identity Provider’s configuration metadata is hosted, given by your identity provider application. This almost always ends in /.well-known/openid-configuration. Example: https://your-company.idp.com/.well-known/openid-configuration
3

Enable SSO

Click Add to save your SSO configuration. Once SSO is enabled, all workspace members will be required to authenticate with SSO credentials the next time they access the workspace.

When SSO is enabled

  1. Users will see your organization’s SSO option when they are invited to the workspace.
  2. Existing workspace members will be prompted to authenticate with SSO the next time they access the workspace.
  3. Users with the Guest role can still access the workspace without SSO, since this role is designed for external collaborators.
SSO provides authentication but not automatic user provisioning. Users removed from your identity provider will still be in your list of members in Speckle until a Admin in Speckle has removed them.
If your organization uses SSO, you don’t need to enable domain protection as SSO provides equivalent security controls.

Configure backchannel logout

Your Identity Provider (IdP) can automatically notify Speckle when a specific user session terminates. Upon receiving this notification, Speckle immediately logs the user out of the associated workspace. This feature helps enforce strict security policies by ensuring immediate access revocation in scenarios where a user leaves your organization or a session is compromised. To enable this feature, configure the backchannel logout URL within your IdP settings using the following endpoint: 
  https://app.speckle.systems/api/v1/workspaces/{workspace-short-id}/sso/oidc/backchannel-logout
Note: Replace {workspace-short-id} with the unique short identifier for your specific Speckle workspace.

Update SSO provider configuration

If you need to update the provider details for some reason ie.: the client secrets is about to expire, currently the graphql api needs to be used.
  1. Open the api explorer at https://app.speckle.systems/graphql
  2. Query the existing SSO provider details with the query below, it will return the details of the existing provider.
query ($slug: String!) {
  workspaceBySlug(slug: $slug) {
    id
    sso {
      provider {
        id
        clientId
        issuerUrl
        name
      }
    }
  }
}
  1. update the provider details with the mutation and the input structure detailed below.
Incorrectly updating the provider details may make your workspace inaccessible for your users. Make sure to double check the new values.
Mutation 
mutation ($input: WorkspaceSsoProviderUpdateInput!) {
  workspaceMutations {
    updateSsoProvider(input: $input)
  }
}
Input 
{
  "input": {
    "clientId": "",
    "clientSecret": "",
    "issuerUrl": "",
    "providerId": "",
    "providerName": "",
    "workspaceId": ""
  }
}
  1. the sso provider details should be updated if the mutation was successful.

FAQ

No. With SSO enabled, organizational users can access the workspace automatically through your identity provider. You do not need to send individual invitations to users within your organization.
The maximum duration of a user SSO session is 7 days in Speckle. After this, users will be required to re-authenticate through your identity provider. However, the actual session duration may be shorter if your provider terminates sessions sooner or if users log out manually (backchannel loggout). For custom session durations, you can contact us.
Last modified on April 6, 2026