OAuth 2.0 / OpenID Connect SSO Setup
This guide covers how to configure OAuth 2.0 or OpenID Connect (OIDC) Single Sign-On with Zenovay. For provider-specific instructions, see the guides for Okta, Microsoft Entra ID, or Auth0.
SSO requires a Scale or Enterprise plan and Owner or Admin permissions.
Choosing Between OAuth 2.0 and OpenID Connect
| Feature | OAuth 2.0 | OpenID Connect |
|---|---|---|
| Auto-discovery | No — you enter all URLs manually | Yes — Zenovay fetches configuration from the issuer URL |
| ID Token verification | Not applicable | Automatic via JWKS |
| Best for | IdPs without OIDC support | Modern IdPs (Okta, Entra ID, Auth0, Keycloak) |
If your identity provider supports OpenID Connect, choose OIDC — it provides stronger security with automatic ID token verification and simpler configuration via auto-discovery.
Zenovay Configuration Value
Copy this value into your identity provider's application configuration:
| Setting | Value |
|---|---|
| Redirect URI / Callback URL | https://auth.zenovay.com/api/sso/oauth/callback |
OAuth 2.0 Setup
Step 1: Create an OAuth Application in Your IdP
- In your identity provider, create a new OAuth 2.0 application
- Set the application type to Web Application
- Enter the redirect URI: https://auth.zenovay.com/api/sso/oauth/callback
- Note the Client ID and Client Secret provided by your IdP
Step 2: Collect IdP Values
You will need the following values from your identity provider:
| Value | Description |
|---|---|
| Client ID | Application identifier assigned by your IdP |
| Client Secret | Application secret assigned by your IdP |
| Authorization URL | URL where users are sent to authenticate |
| Token URL | URL where Zenovay exchanges the authorization code for tokens |
| User Info URL | URL where Zenovay retrieves user profile information |
Step 3: Add Provider in Zenovay
- Sign in to Zenovay as an Owner or Admin
- Go to Settings > Authentication > SSO
- Click Add SSO Provider
- Select OAuth 2.0 as the protocol
- Enter a name for the provider
- Fill in all five values from Step 2
- Click Save
OpenID Connect Setup
Step 1: Create an OIDC Application in Your IdP
- In your identity provider, create a new OpenID Connect application
- Set the application type to Web Application
- Enter the redirect URI: https://auth.zenovay.com/api/sso/oauth/callback
- Ensure the following scopes are granted: openid, email, profile
- Note the Client ID and Client Secret provided by your IdP
Step 2: Collect IdP Values
You will need the following values:
| Value | Description |
|---|---|
| Client ID | Application identifier assigned by your IdP |
| Client Secret | Application secret assigned by your IdP |
| Issuer URL | Your IdP's OIDC issuer URL (used for auto-discovery) |
The Issuer URL is used to automatically discover your IdP's authorization, token, user info, and JWKS endpoints via the .well-known/openid-configuration document. You do not need to enter these URLs manually.
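As an added example (not Zenovay's code or any IdP's), a pre-flight check you can run against a saved copy of your IdP's discovery document before entering the Issuer URL: it confirms the issuer value matches exactly, that the endpoints auto-discovery relies on are present and served over HTTPS, that the required scopes are advertised, and that the IdP supports the S256 PKCE method and signed ID tokens. The issuer, endpoints and document below are constructed for illustration.

```python
from urllib.parse import urlparse

# Constructed sample .well-known/openid-configuration document for a
# hypothetical IdP (not a real issuer); replace with the JSON your IdP serves.
SAMPLE_DISCOVERY = {
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/oauth2/authorize",
    "token_endpoint": "https://idp.example.com/oauth2/token",
    "userinfo_endpoint": "https://idp.example.com/oauth2/userinfo",
    "jwks_uri": "https://idp.example.com/oauth2/keys",
    "scopes_supported": ["openid", "email", "profile"],
    "code_challenge_methods_supported": ["S256", "plain"],
    "id_token_signing_alg_values_supported": ["RS256"],
}

# Endpoints auto-discovery has to find, and the scopes this guide requires.
REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint",
                      "userinfo_endpoint", "jwks_uri")
REQUIRED_SCOPES = {"openid", "email", "profile"}


def check_discovery(doc: dict, issuer_url: str) -> list:
    """Return the problems found; an empty list means the issuer looks usable."""
    problems = []
    # OIDC Discovery requires the issuer value to be identical to the URL the
    # document was fetched under (trailing slash included); a mismatch means
    # ID tokens fail issuer validation or could be confused between IdPs.
    if doc.get("issuer") != issuer_url:
        problems.append(f"issuer mismatch: {doc.get('issuer')!r} != {issuer_url!r}")
    for key in REQUIRED_ENDPOINTS:
        url = doc.get(key)
        if not url:
            problems.append(f"missing {key}")
        elif urlparse(url).scheme != "https":
            problems.append(f"{key} is not https: {url}")
    # scopes_supported is optional in the spec, so only check it when present.
    advertised = doc.get("scopes_supported")
    if advertised is not None:
        missing = REQUIRED_SCOPES - set(advertised)
        if missing:
            problems.append(f"scopes not advertised: {sorted(missing)}")
    # PKCE with S256 is what protects the code exchange; "plain" alone is not enough.
    if "S256" not in doc.get("code_challenge_methods_supported", []):
        problems.append("PKCE S256 not advertised")
    # ID tokens must be signed so they can be verified against the JWKS endpoint.
    algs = doc.get("id_token_signing_alg_values_supported", [])
    if not algs or "none" in algs:
        problems.append(f"unacceptable id_token signing algs: {algs}")
    return problems
```

Feed it the JSON from https://<your-issuer>/.well-known/openid-configuration together with the exact Issuer URL you plan to enter; any reported problem is worth resolving with the IdP before saving the provider in Zenovay.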
Step 3: Add Provider in Zenovay
- Sign in to Zenovay as an Owner or Admin
- Go to Settings > Authentication > SSO
- Click Add SSO Provider
- Select OpenID Connect as the protocol
- Enter a name for the provider
- Fill in the three values: Client ID, Client Secret, and Issuer URL
- Click Save
Domain Verification
After adding an OAuth 2.0 or OIDC provider, verify your email domain:
- In the SSO provider settings, click Add Domain
- Enter your email domain (e.g., company.com)
- Follow the domain verification steps
- Once verified, users with that email domain will be directed to this SSO provider
Testing the Connection
- Open an incognito/private browser window
- Go to auth.zenovay.com
- Enter an email address from your verified domain
- You should be redirected to your identity provider
- Sign in with your IdP credentials
- You should be redirected back to the Zenovay dashboard
Security Features
Zenovay automatically applies these security measures for OAuth/OIDC connections:
- PKCE (Proof Key for Code Exchange) — protects the authorization code exchange
- State parameter — cryptographically signed to prevent CSRF attacks
- Nonce validation (OIDC) — prevents token replay attacks
- ID token verification (OIDC) — validates tokens using the IdP's JWKS endpoint
Enforcing SSO
Once testing is successful:
- Go to Settings > Authentication > SSO
- Toggle Enforce SSO to on
- All team members with your verified domain will be required to sign in via SSO
Before enforcing SSO, ensure at least one Owner account can still sign in via email/password as a backup in case of an IdP outage.
Need Help?
- See the SSO Troubleshooting Guide for common errors
- Email: [email protected]
- Enterprise Support: [email protected]