Bring your own Identity Provider — Okta, Microsoft Entra, Google Workspace or OneLogin — and let your foremen, supers and back-office sign in with the work account they already use. SAML 2.0 and OpenID Connect. Just-in-time provisioning. Audit-log every login. Owner keeps a password fallback for the day the IdP catches fire.
Average setup time: 10 minutes. You stay signed in throughout — there's a real "Test connection" button that round-trips your IdP without ending your session.
SAML 2.0 for Okta, OneLogin or Entra ID legacy apps. OpenID Connect for Google Workspace or a fresh Entra ID app. We support both side by side.
Copy ACS / Redirect URI into your IdP. Copy IdP issuer URL, client ID, and certificate (or client secret) back into WBSync. Save.
Click Test connection. Green badge appears. Tick "Require SSO for everyone except the Owner". Your team is live on SSO at next login.
No corner-cutting on the security primitives that matter.
Each Company gets its own IdP config — no settings-driven single-IdP shortcut. Multi-tenant clean by design.
First-login creates the user with a default role you control. No invite-acceptance dance for new joiners on your tenant domain.
The Owner can always sign in with password — even with enforce on. Your lockout escape if the IdP melts.
Every SSO login + every JIT provision writes a CompanyEvent row. Visible from the directory and exportable for compliance.
OIDC client secrets stored with Fernet (AES-128-CBC + HMAC-SHA256). Versioned key rotation, never displayed back.
RelayState / OAuth state are signed timestamped tokens. PKCE S256 mandatory on OIDC. nonce-bound id_tokens.
SAML assertions verified against the IdP cert you pasted — not a global trust list. Cross-tenant assertion attacks blocked at the URL.
"Test connection" runs a real IdP round-trip and records the outcome — like Stripe's webhook test panel. No teammate-as-test-rabbit required.
Field, Team and Pro can add SSO for €99 / £85 / $109 per month (or 20% off annual). One add-on covers the whole tenant — no per-seat SSO charge.
Each guide is a copy-paste recipe — about 10 minutes including the IdP-side admin.
Non-gallery app + 5 attribute mappings.
SAML 2.0: Enterprise application, non-gallery.
OIDC: App registration with client secret.
OIDC: The fastest setup — 6 minutes.
SAML 2.0: SAML Custom Connector v2.
START HERE: SAML vs OIDC, when to enforce, security model.
Any IdP that speaks SAML 2.0 or OpenID Connect. We ship setup walkthroughs for Okta, Microsoft Entra ID, Google Workspace and OneLogin. Auth0, JumpCloud, PingFederate, Duo, Keycloak all work out of the box — same ACS / Redirect URI.
Included on Business and Enterprise. Available as an add-on on Field, Team and Pro at €99 / £85 / $109 a month, one add-on per tenant.
Between 6 and 15 minutes, depending on the IdP. Google Workspace OIDC is the fastest; SAML wire-ups take a touch longer because there are more values to round-trip.
Yes. The Owner always retains password fallback, even with enforce on. Your lockout-escape if the IdP catches fire.
Yes — JIT provisioning is on by default. First sign-in creates the user with the default role you picked.
Yes — encrypted at rest with Fernet (AES-128-CBC + HMAC-SHA256), versioned key rotation, never displayed back.
Not in v1 — JIT covers the same ground. SCIM is on the v1.1 roadmap.
Non-Owners can't password-log-in or password-reset when enforce is on. They sign in via the IdP — there's no password to reset. Owners keep the full self-serve reset flow.
Start a 30-day trial and you'll be in /settings/sso/ in under a minute. Owner-only — no further procurement required.