Skip to main content
You configure SSO in your workspace settings, not in an individual app’s dashboard. First create an app with your identity provider, then add its credentials to your workspace.
Before you begin: Find your workspace ID. You need it for the redirect URI. It is the string of characters after /workspace/ in your enterprise workspace URL. Your redirect URI is https://app.base44.com/api/workspaces/{{WORKSPACE_ID}}/auth/sso/callback.

Setting up your identity provider

Follow the steps for your provider to create the app and collect the values you enter in Base44.

Microsoft Entra ID

Microsoft Entra ID uses a dedicated app registration and also supports SCIM provisioning. Follow the full flow in Setting up SSO for Microsoft Entra ID.

Okta

Okta uses an OIDC app plus a couple of authorization-server settings. Follow the full flow in Setting up SSO for Okta.

Google Workspace

Create an OAuth 2.0 client in Google Cloud, then enter its credentials in Base44. To create the Google app:
  1. In the Google Cloud Console, create an OAuth 2.0 Client ID of type Web application.
  2. Under Authorized redirect URIs, add your workspace redirect URI.
  3. Copy the Client ID and Client Secret.

GitHub

Create a GitHub OAuth app, then enter its credentials in Base44. To create the GitHub app:
  1. In GitHub Developer Settings, create an OAuth app.
  2. Set the Authorization callback URL to your workspace redirect URI.
  3. Copy the Client ID and generate a Client Secret.

Other OIDC providers

Connect any OpenID Connect provider by creating a client and entering its details in Base44. To create the app:
  1. Create an OIDC client with your provider, using your workspace redirect URI.
  2. Copy the Client ID and Client Secret.
  3. Find your provider’s Discovery URL, or its individual OIDC endpoints.

Adding your credentials in Base44

Once you have your provider’s credentials, add them to your workspace. For Microsoft Entra ID and Okta, follow their dedicated guides above instead, which include this step. To add your SSO credentials:
  1. Click your workspace name at the top left of your account.
  2. Click Settings.
  3. Click Auth and security.
  4. Enable the toggle next to Single Sign-On Configuration.
  5. In Select SSO Provider, choose your provider, or Advanced / Manual Configuration for another OIDC provider.
  6. Enter your Client ID and Client Secret, and keep Scope as openid email profile.
  7. For Advanced / Manual Configuration, also add your Discovery URL or the individual endpoints from your provider.
  8. Click Enable SSO.
Members can sign in once you verify their email domain. Set up verified domains and the default role in the same Auth and security settings.

Testing your SSO login

Confirm that sign-in works before you roll SSO out to your team. The first time someone signs in, Base44 adds them to the workspace automatically with your default role. To test SSO:
  1. Log out of Base44, or open a private browser window.
  2. Go to your workspace’s login page.
  3. Enter an email address from one of your verified domains. Base44 then shows the SSO option for that domain.
  4. Click Log in with SSO and sign in through your identity provider.
  5. Confirm that you are redirected back to Base44 and added to the workspace as a member with your default role.
If sign-in fails, check that the redirect URI uses /api/workspaces/{{WORKSPACE_ID}}/..., your provider credentials are correct, and the email’s domain is verified. For provider-specific errors, see the Microsoft Entra ID or Okta guide.