> ## Documentation Index
> Fetch the complete documentation index at: https://docs.base44.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Setting up SSO for your enterprise workspace

> Connect your trusted identity provider to keep workspace access secure and simple for your team.

Single Sign-On (SSO) lets your organization's members access Base44 using your company's login credentials instead of separate passwords. When you enable SSO, your team can sign in using your organization's identity provider (such as Google or Azure), which streamlines onboarding and reduces security risks from weak or reused passwords.

<Note>
  When SSO is enabled, anyone with a verified email domain will see SSO on the login page. After they sign in, they are automatically added to the workspace with the default role you configure.
</Note>

***

## Supported SSO providers

<CardGroup cols={3}>
  <Card title="Google Workspace" icon="google" />

  <Card title="Microsoft Azure AD" icon="microsoft" />

  <Card title="Okta" icon="key" />

  <Card title="GitHub" icon="github" />

  <Card title="Any OIDC provider" icon="sliders" description="Configure manually with your client ID, client secret, and endpoints" />
</CardGroup>

***

## Setting up SSO

Connect your workspace to your identity provider by enabling SSO in your workspace settings and following the configuration steps for your provider.

<Tip>
  **Before you begin:** Find your workspace ID. You will need it during setup. Your workspace ID is the string of characters after `/workspace/` in your enterprise workspace URL.
</Tip>

**To set up SSO:**

1. Click your workspace name at the top left of your account.
2. Click **Settings**.
3. Click **Auth and security**.
4. Enable the toggle next to **Single Sign-On Configuration**.
5. Follow our guide on [Setting up SSO](/Setting-up-your-app/Setting-up-SSO) according to your identity provider.

<Warning>
  **Important:**

  When following the guide, replace the redirect URI `https://app.base44.com/api/apps/{{APP_ID}}/auth/sso/callback` with `https://app.base44.com/api/workspaces/{{WORKSPACE_ID}}/auth/sso/callback`.

  Note that `APP_ID` is replaced by `WORKSPACE_ID`, and the path `/apps/` is changed to `/workspaces/`.
</Warning>

6. Enter your details in the **SSO** section of your enterprise workspace.
7. Click **Enable SSO**.

<Tip>
  After completing setup, [test that your SSO works](/Setting-up-your-app/Setting-up-SSO#step-3--test-your-sso-login).
</Tip>

***

## Verified domains

Verified domains control which users see SSO on the login page. When you verify a domain, any user with a matching email address is prompted to sign in with SSO automatically. This includes members who have been invited to your workspace but have not yet signed in for the first time.

You can add as many domains as you need, which is useful if your organization has multiple email domains.

**To add a verified domain:**

1. Click your workspace name at the top left of your account.
2. Click **Settings**.
3. Click **Auth and security**.
4. In the **Verified Domains** section, type your domain (for example, company.org) and click **Verify**.
5. Add the DNS TXT record shown to your domain provider and wait for it to propagate.

Once verified, the domain appears in the list with a green checkmark. To remove a domain, click **Remove** next to it.

<Note>
  Adding a verified domain does not affect members already added via SCIM or invitation. It only controls SSO discovery on the login page.
</Note>

***

## Default role for new members

When a user signs in with SSO for the first time and is added to your workspace automatically, they receive the default role you configure here. This applies only to users added through just-in-time (JIT) provisioning, not to members already added via SCIM or invitation.

**To set the default role:**

1. Click your workspace name at the top left of your account.
2. Click **Settings**.
3. Click **Auth and security**.
4. Under **Default role for SSO auto-provisioned users**, select **Viewer** or **Editor** from the dropdown.

<Frame caption="Verified domains and default role settings in Auth and security">
  <img src="https://mintcdn.com/base44/qqJtK_JdWs1n2UXC/images/defaultrole.png?fit=max&auto=format&n=qqJtK_JdWs1n2UXC&q=85&s=000336767676985073f9f11af4741c83" alt="Verified domains and default role settings in Auth and security" width="1727" height="625" data-path="images/defaultrole.png" />
</Frame>

***

## Two-factor authentication (2FA)

Once you set up SSO, all members authenticate through SSO, and 2FA is handled at your identity provider (IdP) level before anyone reaches Base44.

Each individual member can optionally set up additional 2FA in their [Base44 account settings](/documentation/account-and-billing/managing-your-account), but there is no workspace-level 2FA enforcement. For enterprise deployments, 2FA is typically managed and enforced by your identity provider.

***

## Security best practices

<Card title="Enterprise security checklist" icon="shield-check">
  * **Enable and enforce workspace SSO before onboarding your team:** Ensures all members use your organization's identity provider from the start
  * **Verify your domains in workspace settings:** Required for SSO discovery. Add all email domains your team uses so members see SSO on the login page automatically.
  * **Use the IP allowlist:** Restrict workspace access to trusted networks
  * **Set default app visibility to private or workspace-only:** Prevents accidental exposure of sensitive apps
  * **Store all API keys and credentials as Secrets:** Never hardcode them in your app dashboards
</Card>

<Tip>
  For a full overview of security features available in Base44, see [Security overview](/Setting-up-your-app/security-overview).
</Tip>

***

## FAQs

Select a question below to learn more.

<AccordionGroup>
  <Accordion title="Can I enable SSO for only some members of my workspace?">
    No. Once SSO is enabled for your workspace, all members with a matching email domain are required to use SSO for login.
  </Accordion>

  <Accordion title="How do I test that SSO is working after setup?">
    Invite a colleague with the approved email domain to log in using SSO. If they can sign in and are added as a member, your SSO configuration is working.
  </Accordion>

  <Accordion title="Can I disable SSO later if my organization's needs change?">
    Yes. Workspace admins can disable SSO from **Auth and security** in your workspace settings at any time.
  </Accordion>
</AccordionGroup>