Single Sign-On — overview

3 min read · Updated 12 May 2026

WBSync supports SAML 2.0 and OpenID Connect. SSO is included on the Business and Enterprise tiers, and available as a paid add-on on Field, Team and Pro. Setup takes about 15 minutes.

Which protocol should I pick?

  • SAML 2.0 — pick this if your IdP is Okta, OneLogin, or Microsoft Entra ID (formerly Azure AD) via a legacy app-catalogue entry. SAML is the older, XML-based standard: more verbose, but supported by practically every enterprise IdP.
  • OpenID Connect (OIDC) — pick this if your IdP is Google Workspace or you're configuring a fresh Microsoft Entra ID app from scratch. OIDC is built on OAuth 2.0 and carries its claims in JSON (signed JWT ID tokens), and the configuration is a touch simpler.

Both protocols unlock the same WBSync features: JIT provisioning of new users, enforcement for everyone except the Owner, an audit-log entry for every sign-in, and an Owner-only password fallback.

Before you start

  • Decide which email domain belongs to your IdP (e.g. acme.com). Users typing that domain at /accounts/login/ are auto-redirected to your IdP.
  • Have your IdP admin console open in a second tab — you'll copy a couple of URLs between WBSync and your IdP (and, for OIDC, a client ID and client secret).
  • You must be the Owner of the WBSync tenant to configure SSO.

Test before you enforce

Save a configuration with "Enable SSO for this organisation" off first. Then click "Test connection" on the settings page — that runs a real IdP round-trip without changing your active session. When the green badge appears, switch enforcement on and you're done. Do it in that order: enforcing before a successful test sends every non-Owner to an IdP that may not be able to send them back.

What next?

Pick the article for your IdP: Okta · Microsoft Entra (SAML) · Microsoft Entra (OIDC) · Google Workspace · OneLogin.

Frequently asked

Can the Owner still sign in if SSO breaks?

Yes. The Owner always retains password fallback at /accounts/login/, even with 'Require SSO for everyone except the Owner' switched on. This is the lockout escape: your IdP can go down and you still get back in to fix it. It also means the Owner's password is the one credential your IdP no longer protects, so treat it as a break-glass credential: long, unique, and kept in a password manager rather than reused from elsewhere.

What happens to existing users?

Their accounts are preserved. On their first SSO sign-in WBSync binds their IdP subject to the existing user row, so audit history, role and assignments carry over; later sign-ins match on that bound subject. If 'Require SSO for everyone except the Owner' is on (recommended), existing non-Owner users can no longer use a password, so that first SSO sign-in is the only way they get bound — see the next question.

What about new users? Do I have to invite them first?

No. JIT provisioning is on by default: the first time someone with your email domain signs in via the IdP, WBSync creates their account automatically with the role you picked on the SSO settings page (default: Foreman). Pick the least-privileged role new starters actually need; you can raise it afterwards in the directory.
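The three behaviours above (domain-based redirect at /accounts/login/, binding an existing account on its first SSO sign-in, and JIT-creating a new one) hang together as one decision. The following is an added example, not WBSync's own code, of how a service resolves an IdP assertion to a local account so that a returning user is matched on the stable (issuer, subject) pair, an existing unbound account is bound exactly once, a new user is provisioned with the default role, and anything else is refused. It assumes details the page does not state: existing accounts are matched on the email the IdP asserts, the IdP marks that email verified (the OIDC `email_verified` claim; for SAML the IdP is taken as authoritative), and `acme.com`, `Owner` and `Foreman` are the page's example domain and role names.

```python
# Added example, not WBSync's own code. Assumptions (not stated on the page):
# existing accounts are matched on the email the IdP asserts, that email is
# marked verified by the IdP, and "Owner"/"Foreman"/"acme.com" are the page's
# example role names and domain.
from dataclasses import dataclass, field
from typing import Optional
import unicodedata


class SsoError(Exception):
    """Raised when an assertion must not be mapped to any account."""


@dataclass
class User:
    email: str
    role: str
    idp_issuer: Optional[str] = None   # set once the row is bound to an IdP identity
    idp_subject: Optional[str] = None


@dataclass
class Directory:
    users: list = field(default_factory=list)

    def by_subject(self, issuer: str, subject: str) -> Optional[User]:
        for u in self.users:
            if u.idp_issuer == issuer and u.idp_subject == subject:
                return u
        return None

    def by_email(self, email: str) -> Optional[User]:
        key = email.casefold()
        for u in self.users:
            if u.email.casefold() == key:
                return u
        return None


def email_domain(email: str) -> str:
    """Domain part of an address, case-folded, trailing dot stripped.
    Rejects whitespace or a second '@' outright rather than guessing."""
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain or "@" in local or any(c.isspace() for c in email):
        raise ValueError(f"malformed address: {email!r}")
    return unicodedata.normalize("NFKC", domain).casefold().rstrip(".")


def domain_matches(email: str, tenant_domain: str) -> bool:
    """Exact match on the whole domain: a suffix test such as
    email.endswith("acme.com") would also accept 'bob@notacme.com'."""
    try:
        return email_domain(email) == tenant_domain.casefold()
    except ValueError:
        return False


def resolve_sso_user(claims: dict, directory: Directory, tenant_domain: str = "acme.com",
                     jit_enabled: bool = True, default_role: str = "Foreman") -> User:
    """Map one successful IdP assertion to a local User, binding or creating as needed."""
    issuer, subject = claims.get("iss"), claims.get("sub")
    if not issuer or not subject:
        raise SsoError("assertion has no issuer/subject")

    # 1. Returning user: the stable (issuer, subject) pair wins, so an email
    #    changed at the IdP follows the same account instead of minting a new one.
    user = directory.by_subject(issuer, subject)
    if user is not None:
        return user

    # Only from here on does the email matter, so it has to be trustworthy.
    email = claims.get("email") or ""
    if not claims.get("email_verified", False):
        raise SsoError("IdP did not assert a verified email")
    if not domain_matches(email, tenant_domain):
        raise SsoError("email is outside the tenant's SSO domain")

    # 2. First SSO sign-in of a pre-existing account: bind it.
    existing = directory.by_email(email)
    if existing is not None:
        if existing.idp_subject is not None:
            # Same email, different subject: refuse instead of silently re-binding,
            # otherwise a second IdP identity could take over the account.
            raise SsoError("account is already bound to a different IdP identity")
        existing.idp_issuer, existing.idp_subject = issuer, subject
        return existing

    # 3. Nobody by that email: JIT-provision with the configured default role.
    if not jit_enabled:
        raise SsoError("no account for this email and JIT provisioning is off")
    user = User(email=email, role=default_role, idp_issuer=issuer, idp_subject=subject)
    directory.users.append(user)
    return user


def password_login_allowed(user: User, require_sso_for_non_owners: bool) -> bool:
    """The lockout escape: the Owner keeps the password route even under enforcement."""
    return user.role == "Owner" or not require_sso_for_non_owners
```

Two design points worth copying: the email is consulted only when no row is already bound to the subject, so nothing an attacker does to an email attribute can move an established binding; and a bound row is never re-bound to a second subject, which turns the classic "same email, new IdP identity" takeover into a refused sign-in that your audit log will show.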

Is the OIDC client secret stored safely?

Yes — secrets are encrypted at rest with Fernet (AES-128-CBC with PKCS7 padding, authenticated by HMAC-SHA256), using the same key-rotation ceremony as our third-party clock-in integrations. The plain secret is never displayed back to you; to rotate it, generate a new secret at your IdP and paste it in, which overwrites the old one.

What does 'Test connection' actually do?

It runs a real round-trip with your IdP, but instead of signing you in it just records the outcome on the settings page. So you can sit in WBSync as the Owner, click the button, and watch the result land — without giving up your current session.

Related