Single sign-on (SSO)
Let users sign in with your company identity provider
Connect your SAML 2.0 or OpenID Connect identity provider (Okta, Microsoft Entra ID, Google Workspace, OneLogin, Ping…) so your team signs in with their corporate credentials. Available on the Enterprise plan. User accounts can be created automatically on first login (just-in-time provisioning).
Setting up SSO
- Open Company Settings → Single sign-on
- Choose your protocol (SAML 2.0 or OpenID Connect)
- For SAML: paste your IdP metadata URL (or the metadata XML). For OIDC: enter the discovery URL, client ID and client secret
- In the Email domains section, add each domain your users sign in with (e.g. acme-corp.com)
- Publish the shown DNS TXT record for that domain, then click "Verify"
- Toggle "Enable SSO login" and click "Save configuration"
Why domain verification?
A domain is only routed to your identity provider after you prove you own it via a DNS TXT record. This prevents anyone else from claiming your domain and is required before SSO discovery will work for your users.
Login policy options
Just-in-time provisioning auto-creates a user (with the default role you choose) on their first successful SSO login. "Require SSO" blocks password login for users on a verified SSO domain — recommended once SSO is working, so corporate identity is the single source of truth (NIST 800-63).
How users sign in
On the sign-in page users enter their work email and click "Sign in with SSO". They are redirected to your identity provider and back into FreeMaint once authenticated — no FreeMaint password needed.
FreeMaint never stores your IdP secrets: they are held by the dedicated, self-hosted identity broker. All SAML assertion validation and signature-wrapping defense are handled there.
Related articles
Was this page helpful?