Single Sign-On

SSO lets your team sign into TrueGrade using your organization’s existing identity provider. Available on Enterprise plans.

Supported Providers

Provider	Protocol
Microsoft Entra ID (Azure AD)	OIDC / SAML 2.0
Google Workspace	OIDC
Okta	OIDC / SAML 2.0
OneLogin	SAML 2.0
Generic OIDC	OIDC
Generic SAML	SAML 2.0

Setup Instructions

Microsoft Entra ID

Register an application in Azure

In the Azure portal, navigate to Azure Active Directory → App Registrations → New Registration:

Name: TrueGrade
Supported account types: Accounts in this organizational directory only
Redirect URI: https://app.truegrade.build/auth/callback/entra

Note credentials

From the app registration overview, copy:

Application (client) ID
Directory (tenant) ID

Create a client secret under Certificates & Secrets → New client secret. Copy the value immediately — it is not shown again.

Configure in TrueGrade

Navigate to Administration → Integrations → Single Sign-On → Microsoft Entra ID. Enter:

Tenant ID
Client ID
Client Secret

Click Test Connection before saving.

Assign users

In Azure, navigate to Enterprise Applications → TrueGrade → Users and Groups and assign the users or groups that should have access.

Google Workspace

Create an OAuth client in Google

In the Google Cloud Console, navigate to APIs & Services → Credentials → Create Credentials → OAuth Client ID:

Application type: Web application
Authorized redirect URI: https://app.truegrade.build/auth/callback/google

Copy credentials

Copy the Client ID and Client Secret.

Configure in TrueGrade

Navigate to Administration → Integrations → Single Sign-On → Google Workspace. Enter the Client ID and Client Secret. Click Test Connection.

Restrict to your domain

Under the Google OAuth configuration in TrueGrade, enter your Google Workspace domain to restrict login to users in your organization.

Okta

Create an Okta application

In the Okta Admin console, go to Applications → Create App Integration:

Sign-in method: OIDC
Application type: Web Application
Sign-in redirect URI: https://app.truegrade.build/auth/callback/okta

Copy credentials

Copy the Client ID and Client Secret from the application’s general settings. Note your Okta domain (e.g., yourcompany.okta.com).

Configure in TrueGrade

Navigate to Administration → Integrations → Single Sign-On → Okta. Enter the Okta domain, Client ID, and Client Secret. Click Test Connection.

Generic OIDC

For any OIDC-compatible provider not listed above:

You’ll need the following from your identity provider:

Issuer URL (e.g., https://accounts.example.com)
Client ID
Client Secret
Redirect URI to register: https://app.truegrade.build/auth/callback/oidc

Enter these values in Administration → Integrations → Single Sign-On → Generic OIDC.

Enforcing SSO

Once SSO is configured and tested, you can require all users to authenticate via SSO:

Navigate to Administration → Organization Settings → Security → SSO Enforcement → Enable.

When enabled:

Password-based login is disabled for all non-admin users
Users who attempt to log in with a password are redirected to the SSO flow
Admin and Platform Admin users retain password login as an emergency fallback

Test SSO thoroughly with a non-admin account before enabling enforcement. If SSO misconfiguration locks out all users, contact support@truegrade.build for emergency access recovery.

JIT Provisioning

When SSO is active, users who authenticate for the first time via SSO are automatically provisioned in TrueGrade with the Field User role (the most restricted role). An Admin must promote them to an appropriate role before they can access additional project data.

To disable JIT provisioning and require manual user creation before first login, toggle Require manual provisioning in the SSO configuration.