👤 This Article is for 10KC Team members.
Follow the steps below to implement Single-Sign-On.
Create and share a self-guided setup link. This link will allow the admin to complete SSO setup on their own.
Test Single-Sign-On. This verifies if SSO is working.
Adjust tenant sign-up and login preferences. Setup the tenant for access via SSO only, Magic Link only, or both.
Create and share a self-guided SSO setup link
Identify the customer's SSO platform (typically: MS Entra ID, Google, Okta, PingOne, OneLogin).
Gather all company email domains (e.g., tenthousandcoffees.com)
Generate a self-guided setup link in WorkOS to share with the customer's SSO admin. This link will allow the admin to complete SSO setup on their own
To generate the setup link need to be an admin in WorkOS, follow the steps below. If you aren't an admin, please submit a request in #product-support.
Sign-in to WorkOS with your 10KC Google credentials
Make sure you've selected the "Production" option in the menu in the top left corner. Then, navigate to the Organizations section to see all the current organizations with SSO or User Directory integrations.
Create a new organization.
Next, add the customer's name and email domains.
After creating the Organization, go to the 'Invite an admin to set up this organization' section and click on "Invite Admin". Choose "Single-Sign On" under "Features" and click "Next".
Click "Copy setup link".
Share this setup link with the SSO admin using the email template below. Don't forget to CC [email protected]!
Email template for SSO admin to setup SSO
Subject: IT Support Needed: 10KC Platform SSO Integration Setup
Single-Sign-On
Use this <<self-guided setup link>> to begin. The link expires in 30 days.
Setup instructions are viewable in article format here, but please use the self-guided setup link above for easier setup.
After your setup is complete, the 10KC team will finalize configuration and we'll test with several users.
Enable Single-Sign-On button on the tenant
1. Navigate to Tenant Admin area, then click on "Security & Login" on the left hand menu.
2. Under "Enable single-sign on (SSO)", click on "Add connection".
3. Add your Display Name, Organization ID, Connection ID, Connection Type, and email domains. When finished, click on Save.
4. Now you should see the SSO connection is Active.
Adjust Tenant Sign-up and Login Preferences
Restricting sign-ups and logins to SSO only for a tenant
1. Navigate to the Tenant Admin section and then going to the "Security & Login" section.
2. Next, make sure you the "enable email login" switch is turned OFF, and "enable SSO login" and "enable SSO signup" are turned ON.
Enabling sign-ups and logins to SSO plus Email (Magic Link) for a tenant
1. Navigate to the Tenant Admin section and then going to the "Security & Login" section.
2. Next, make sure the "enable email login" switch is turned ON, and "enable SSO login" and "enable SSO signup" are turned ON.
Test Single-Sign-On
You can see if SSO setup is complete if the SSO connection is active in WorkOS. In the example below we can see that a SSO connection is active with Entra ID for the client organization APi Group.
Once the SSO button is live on the tenant, you need to ask the client to get some people to try signing-in. You can use the email template below.
Email template for SSO admin to get users to try signing-in
Hi {Name}, we're now ready to test SSO. Please ask 2-3 users who should have access to your 10KC tenant to try signing via SSO in by going to tenant.tenthousandcoffees.com/login.