Single Sign-On — TrueGrade Docs

SSO lets your team sign into TrueGrade using your organization’s existing identity provider. Available on Enterprise plans.

Supported Providers

Provider	Protocol
Microsoft Entra ID (Azure AD)	OIDC / SAML 2.0
Google Workspace	OIDC
Okta	OIDC / SAML 2.0
OneLogin	SAML 2.0
Generic OIDC	OIDC
Generic SAML	SAML 2.0

Setup Instructions

Microsoft Entra ID

Register an application in Azure

In the Azure portal, navigate to Azure Active Directory → App Registrations → New Registration:

Name: TrueGrade
Supported account types: Accounts in this organizational directory only
Redirect URI: https://app.truegrade.build/auth/callback/entra

Note credentials

From the app registration overview, copy:

Application (client) ID
Directory (tenant) ID

Create a client secret under Certificates & Secrets → New client secret. Copy the value immediately — it is not shown again.

Configure in TrueGrade

Navigate to Administration → Integrations → Single Sign-On → Microsoft Entra ID. Enter:

Tenant ID
Client ID
Client Secret

Click Test Connection before saving.

Assign users

In Azure, navigate to Enterprise Applications → TrueGrade → Users and Groups and assign the users or groups that should have access.

Google Workspace

Create an OAuth client in Google

In the Google Cloud Console, navigate to APIs & Services → Credentials → Create Credentials → OAuth Client ID:

Application type: Web application
Authorized redirect URI: https://app.truegrade.build/auth/callback/google

Copy credentials

Copy the Client ID and Client Secret.

Configure in TrueGrade

Navigate to Administration → Integrations → Single Sign-On → Google Workspace. Enter the Client ID and Client Secret. Click Test Connection.

Restrict to your domain

Under the Google OAuth configuration in TrueGrade, enter your Google Workspace domain to restrict login to users in your organization.

Okta

Create an Okta application

In the Okta Admin console, go to Applications → Create App Integration:

Sign-in method: OIDC
Application type: Web Application
Sign-in redirect URI: https://app.truegrade.build/auth/callback/okta

Copy credentials

Copy the Client ID and Client Secret from the application’s general settings. Note your Okta domain (e.g., yourcompany.okta.com).

Configure in TrueGrade

Navigate to Administration → Integrations → Single Sign-On → Okta. Enter the Okta domain, Client ID, and Client Secret. Click Test Connection.

Generic OIDC

For any OIDC-compatible provider not listed above:

You’ll need the following from your identity provider:

Issuer URL (e.g., https://accounts.example.com)
Client ID
Client Secret
Redirect URI to register: https://app.truegrade.build/auth/callback/oidc

Enter these values in Administration → Integrations → Single Sign-On → Generic OIDC.

Enforcing SSO

Once SSO is configured and tested, you can require all users to authenticate via SSO:

Navigate to Administration → Organization Settings → Security → SSO Enforcement → Enable.

JIT Provisioning

When SSO is active, users who authenticate for the first time via SSO are automatically provisioned in TrueGrade with the Viewer role. An Admin or Owner must promote them to an appropriate role before they can access project data.

To disable JIT provisioning and require manual user creation before first login, toggle Require manual provisioning in the SSO configuration.