Single Sign-On allows your users to access Tribe using their existing company credentials, removing the need for a separate Tribe password. It is useful when your organisation already uses a central identity provider to manage access and wants to maintain that consistency across all tools. Tribe supports any identity provider that uses the OpenID Connect (OIDC) standard, including Microsoft Entra ID, Google Workspace, and other compatible providers. By following this guide, you will be able to install the SSO integration, configure your identity provider, and connect it to your Tribe environment.
Table of Contents
What Does Single Sign-On Do?
Which Identity Providers Are Supported?
Before You Start
How Do You Install The SSO Integration?
How Do You Configure Your Identity Provider?
How Do You Configure The SSO Integration In Tribe?
Can You Set Up SSO For Multiple Email Domains?
What Does Single Sign-On Do?
Single Sign-On allows users to authenticate once through your organisation's identity provider and gain access to Tribe automatically. Rather than maintaining separate login credentials for Tribe, users log in with the same account they use across your other business tools.
SSO also enables you to enforce Multi-Factor Authentication (MFA) through your identity provider and manage user access centrally, making it easier to add or remove access when people join or leave your organisation.
Which Identity Providers Are Supported?
Tribe supports any identity provider that implements the OpenID Connect (OIDC) standard. Commonly used providers include Microsoft Entra ID (formerly Azure Active Directory), Google Workspace, Auth0, Okta, and Keycloak.
Did you know? If your provider supports OpenID Connect, it will work with Tribe, even if it is not listed above. Use the Custom provider option when configuring the integration.
Before You Start
Before configuring SSO, ensure you have:
Administrator access to your identity provider
Permission to create an OpenID Connect application within that provider
Access to install integrations in your Tribe environment
You will need the following redirect URI when setting up your identity provider application:
https://auth.tribecrm.nl/strategy/openidconnect/callback
How Do You Install The SSO Integration?
Go to the Tribe Marketplace at https://marketplace.tribecrm.eu/.
Search for SSO.
Click Install.
You are redirected to your Tribe environment and the SSO integration opens automatically.
Click Activate.
The integration now appears under Installed Integrations.
How Do You Configure Your Identity Provider?
Create a new OpenID Connect (OIDC) application in your identity provider's administration portal. Although each provider has a different interface, the required settings are generally the same.
Configure the following in your identity provider:
Redirect URI: https://auth.tribecrm.nl/strategy/openidconnect/callback
Flow: Authorisation Code
Client Secret: generate one and copy the value
Once the application is created, your identity provider will give you the credentials needed to complete the setup in Tribe.
The table below shows which values to collect depending on your provider:
Provider | Values to collect |
Microsoft Entra ID | Tenant ID, Application (Client) ID, Client Secret |
Google Workspace | Application (Client) ID, Client Secret |
Custom / other provider | Application (Client) ID, Client Secret, OpenID Connect Discovery URL |
Note: For Google Workspace, the OpenID Connect Discovery URL is https://accounts.google.com/.well-known/openid-configuration.
For other providers, this URL is sometimes called the Metadata URL or Well-Known URL; check your provider's documentation.
Additional Resources
The exact steps for creating an OpenID Connect application differ depending on your identity provider. If you need more detailed instructions, refer to the official documentation below.
Microsoft Entra ID
Microsoft provides a step-by-step guide for configuring OpenID Connect (OIDC) applications in Microsoft Entra ID:
Google Workspace
For Google Workspace, you'll first need to create an OAuth 2.0 application in Google Cloud. Google provides documentation for creating OAuth clients and configuring OpenID Connect:
If you're using another OpenID Connect-compatible identity provider, refer to your provider's documentation for creating an OpenID Connect (OIDC) application. You'll typically need to configure:
Redirect URI
Client ID (Application ID)
Client Secret
OpenID Connect Discovery (Known) URL
How Do You Configure The SSO Integration In Tribe?
Navigate to Installed Integrations.
Select the SSO integration.
Select your identity provider: Microsoft Entra ID, Google, or Custom.
Complete the fields for your chosen provider using the values collected from your identity provider.
Click Test & Save to validate the connection and save the setup.
The required fields vary by provider:
Microsoft Entra ID
Field | Required |
Email domain | Optional — leave empty to use as the default configuration |
Tenant ID | Required |
Application ID | Required |
Secret | Required |
Google Workspace
Field | Required |
Email domain | Optional — leave empty to use as the default configuration |
Application ID | Required |
Secret | Required |
Custom OpenID Connect Provider
Field | Required |
Provider name | Required |
Email domain | Optional — leave empty to use as the default configuration |
Application ID | Required |
Secret | Required |
Known URL | Required |
Note: The Known URL is the OpenID Connect Discovery URL provided by your identity provider. Check your provider's documentation if you are unsure where to find it. It is sometimes called the Metadata URL or Well-Known URL.
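Added example (not Tribe's own code): a pre-flight check you can run on the discovery document behind a Known URL before entering it for a Custom provider. It applies the OpenID Connect Discovery rules (issuer must match the URL prefix, endpoints present and served over https) and confirms the Authorisation Code flow this guide requires; the host idp.example.com, the sample documents, and the function name check_discovery are constructed for illustration.

```python
from urllib.parse import urlparse

WELL_KNOWN = "/.well-known/openid-configuration"
ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")

def check_discovery(known_url, doc):
    """Return a list of problems in a parsed OIDC discovery document."""
    problems = []
    if urlparse(known_url).scheme != "https":
        problems.append("Known URL is not https")
    issuer = doc.get("issuer")
    if not known_url.endswith(WELL_KNOWN):
        problems.append("Known URL does not end with " + WELL_KNOWN)
    elif issuer is not None:
        # OIDC Discovery: the issuer is the URL prefix before the well-known
        # path; a trailing "/" on the issuer is dropped before comparing.
        expected = known_url[: -len(WELL_KNOWN)]
        if issuer.rstrip("/") != expected:
            problems.append("issuer does not match Known URL")
    if issuer is None:
        problems.append("issuer missing")
    for key in ENDPOINTS:
        value = doc.get(key)
        if not value:
            problems.append(key + " missing")
        elif urlparse(value).scheme != "https":
            problems.append(key + " is not https")
    # This guide configures the Authorisation Code flow, so the provider
    # must list the "code" response type.
    if "code" not in doc.get("response_types_supported", []):
        problems.append("response type 'code' not supported")
    return problems

# Constructed sample data (hypothetical provider, not a real endpoint).
SAMPLE_URL = "https://idp.example.com" + WELL_KNOWN
GOOD_DOC = {
    "issuer": "https://idp.example.com/",
    "authorization_endpoint": "https://idp.example.com/authorize",
    "token_endpoint": "https://idp.example.com/token",
    "jwks_uri": "https://idp.example.com/keys",
    "response_types_supported": ["code", "id_token"],
}
BAD_DOC = {
    "issuer": "https://login.other.example",
    "authorization_endpoint": "https://idp.example.com/authorize",
    "token_endpoint": "http://idp.example.com/token",
    "response_types_supported": ["id_token"],
}
```

To use it on a real provider, download the JSON from your Known URL, parse it, and pass the URL and the parsed document to check_discovery; an empty list means the values are consistent.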
Can You Set Up SSO For Multiple Email Domains?
Yes. If your organisation has users on different email domains — for example, because you operate multiple entities or have acquired another company — you can set up a separate SSO configuration for each domain. Each configuration is linked to a specific email domain, and Tribe automatically routes each user to the correct identity provider based on the domain in their email address.
To set up multiple domain configurations, repeat the identity provider and Tribe configuration steps once for each domain. Enter the relevant email domain in the Email domain field for each configuration.
One configuration must be designated as the default. To do this, leave the Email domain field empty for that configuration. The default is used as a fallback for any user whose email domain does not match a specific configuration.
Note: If your organisation only has a single email domain, leave the Email domain field empty. Tribe will use that configuration for all users.
Quick Summary
Single Sign-On connects Tribe to your organisation's identity provider, allowing users to log in with their existing company credentials. To set it up, install the SSO integration from the Tribe Marketplace, create an OpenID Connect application in your identity provider, and enter the required credentials in the Tribe integration settings. If your organisation uses multiple email domains, Tribe supports separate SSO configurations per domain, with one designated as the default fallback.
