Single Sign-On (SSO) Setup
Single Sign-On allows your team members to authenticate with Zenovay using your organization's identity provider (IdP). Instead of managing separate passwords, users sign in through your existing corporate identity system.
SSO is available on the Scale and Enterprise plans. You must be an organization Owner or Admin to configure SSO.
Supported Protocols
Zenovay supports three industry-standard SSO protocols:
| Protocol | Best For | Auto-Discovery |
|---|---|---|
| SAML 2.0 | Enterprise IdPs (Okta, Entra ID, Google Workspace) | No |
| OAuth 2.0 | Custom or social identity providers | No |
| OpenID Connect | Modern IdPs with OIDC support (Auth0, Okta, Entra ID) | Yes |
Zenovay Service Provider Configuration
When configuring your identity provider, you will need the following Zenovay values:
For SAML 2.0
| Setting | Value |
|---|---|
| SP Entity ID / Audience URI | https://auth.zenovay.com |
| ACS URL (Assertion Consumer Service) | https://auth.zenovay.com/api/sso/saml/callback |
| NameID Format | urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress |
For OAuth 2.0 / OpenID Connect
| Setting | Value |
|---|---|
| Redirect URI / Callback URL | https://auth.zenovay.com/api/sso/oauth/callback |
Prerequisites
Before setting up SSO, ensure you have:
- A Scale or Enterprise plan — SSO is not available on Free or Pro plans
- Admin access to both Zenovay and your identity provider
- A verified domain — your email domain must be verified in Zenovay Settings
- Identity provider credentials — you will need specific values from your IdP (see protocol-specific guides)
Setup Process Overview
Setting up SSO follows the same general steps regardless of your identity provider:
- Add a new SSO provider in Zenovay at Settings > Authentication > SSO
- Choose your protocol (SAML 2.0, OAuth 2.0, or OpenID Connect)
- Configure your identity provider with the Zenovay SP values listed above
- Enter IdP values into Zenovay (Entity ID, SSO URL, certificate, etc.)
- Verify your domain to link it to the SSO provider
- Test the connection by signing in with a test user
- Enforce SSO (optional) to require all team members to use SSO
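Before the "Test the connection" step, it helps to confirm that a SAML response from your IdP actually carries the SP values listed above. The following is an added example, not Zenovay's code: the function names, the `example.com` domain and the sample response are constructed for illustration, and it assumes you have captured and base64-decoded a response from a test login.

```python
# Added example (not Zenovay code): compare the fields of a decoded SAML
# response from your own IdP with the SP values in the tables above. It checks
# configuration fields only, not the XML signature or the validity window.
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SP_ENTITY_ID = "https://auth.zenovay.com"
ACS_URL = "https://auth.zenovay.com/api/sso/saml/callback"
NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

def sample_response(audience, name_id_format, user):
    """Constructed sample of a decoded response (unsigned, trimmed)."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  Destination="{ACS_URL}"><saml:Assertion><saml:Subject>
  <saml:NameID Format="{name_id_format}">{user}</saml:NameID>
  <saml:SubjectConfirmation><saml:SubjectConfirmationData Recipient="{ACS_URL}"/>
  </saml:SubjectConfirmation></saml:Subject><saml:Conditions><saml:AudienceRestriction>
  <saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion></samlp:Response>"""

def check_saml_response(xml_text, verified_domain):
    """Return a list of mismatches; an empty list means the fields line up."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("Destination") != ACS_URL:
        problems.append(f"Destination is {root.get('Destination')!r}, expected the ACS URL")
    audiences = [a.text.strip() for a in root.iterfind(".//saml:Audience", NS) if a.text]
    if SP_ENTITY_ID not in audiences:
        problems.append(f"Audience {audiences} lacks the SP Entity ID")
    recipients = [c.get("Recipient") for c in root.iterfind(".//saml:SubjectConfirmationData", NS)]
    if ACS_URL not in recipients:
        problems.append(f"Recipient {recipients} is not the ACS URL")
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None:
        problems.append("no NameID in Subject")
    else:
        if name_id.get("Format") != NAMEID_FORMAT:
            problems.append(f"NameID Format is {name_id.get('Format')!r}")
        value = (name_id.text or "").strip().lower()
        if not value.endswith("@" + verified_domain.lower()):
            problems.append(f"NameID {value!r} is outside {verified_domain}")
    return problems

if __name__ == "__main__":
    trailing_slash = sample_response(SP_ENTITY_ID + "/", NAMEID_FORMAT, "alice@example.com")
    print(check_saml_response(trailing_slash, "example.com"))
```

The comparisons in this example are exact string matches, so an Audience with a trailing slash or an `unspecified` NameID format is reported as a mismatch.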
Protocol Guides
Choose the protocol that matches your identity provider:
- SAML 2.0 Setup Guide — for SAML-based identity providers
- OAuth 2.0 / OpenID Connect Setup Guide — for OAuth or OIDC-based identity providers
Provider-Specific Guides
Step-by-step instructions for popular identity providers:
Troubleshooting
Having issues? See the SSO Troubleshooting Guide for common errors and solutions.
How SSO Login Works
Once SSO is configured, the login flow works as follows:
- User navigates to auth.zenovay.com and enters their email address
- Zenovay detects the email domain is linked to an SSO provider
- User is redirected to your identity provider's login page
- User authenticates with your IdP (password, MFA, etc.)
- IdP sends an authentication response back to Zenovay
- Zenovay verifies the response and signs the user in
- User is redirected to the Zenovay dashboard
SSO Enforcement
After testing SSO successfully, you can enforce it for your organization:
- Optional — team members can use SSO or email/password login
- Required — all team members must sign in via SSO (recommended for security)
Before enforcing SSO, make sure at least one Owner account can still sign in via email/password as a backup. This prevents lockout if there is an IdP outage.