Skip to main content

How Do I Set Up Single Sign-On?

Single Sign-On allows your users to access Tribe using their existing company credentials, removing the need for a separate Tribe password. It is useful when your organisation already uses a central identity provider to manage access and wants to maintain that consistency across all tools. Tribe supports any identity provider that uses the OpenID Connect (OIDC) standard, including Microsoft Entra ID, Google Workspace, and other compatible providers. By following this guide, you will be able to install the SSO integration, configure your identity provider, and connect it to your Tribe environment.

Table of Contents

  • What Does Single Sign-On Do?

  • Which Identity Providers Are Supported?

  • Before You Start

  • How Do You Install The SSO Integration?

  • How Do You Configure Your Identity Provider?

  • How Do You Configure The SSO Integration In Tribe?

  • Can You Set Up SSO For Multiple Email Domains?


What Does Single Sign-On Do?

Single Sign-On allows users to authenticate once through your organisation's identity provider and gain access to Tribe automatically. Rather than maintaining separate login credentials for Tribe, users log in with the same account they use across your other business tools.

SSO also enables you to enforce Multi-Factor Authentication (MFA) through your identity provider and manage user access centrally, making it easier to add or remove access when people join or leave your organisation.


Which Identity Providers Are Supported?

Tribe supports any identity provider that implements the OpenID Connect (OIDC) standard. Commonly used providers include Microsoft Entra ID (formerly Azure Active Directory), Google Workspace, Auth0, Okta, and Keycloak.

Did you know? If your provider supports OpenID Connect, it will work with Tribe, even if it is not listed above. Use the Custom provider option when configuring the integration.


Before You Start

Before configuring SSO, ensure you have:

  • Administrator access to your identity provider

  • Permission to create an OpenID Connect application within that provider

  • Access to install integrations in your Tribe environment

You will need the following redirect URI when setting up your identity provider application:

https://auth.tribecrm.nl/strategy/openidconnect/callback


How Do You Install The SSO Integration?

  1. Go to the Tribe Marketplace at https://marketplace.tribecrm.eu/.

  2. Search for SSO.

  3. Click Install.
    You are redirected to your Tribe environment and the SSO integration opens automatically.

  4. Click Activate.

The integration now appears under Installed Integrations.


How Do You Configure Your Identity Provider?

Create a new OpenID Connect (OIDC) application in your identity provider's administration portal. Although each provider has a different interface, the required settings are generally the same.

Configure the following in your identity provider:

  • Redirect URI: https://auth.tribecrm.nl/strategy/openidconnect/callback

  • Flow: Authorisation Code

  • Client Secret: generate one and copy the value

Once the application is created, your identity provider will give you the credentials needed to complete the setup in Tribe.

The table below shows which values to collect depending on your provider:

Provider

Values to collect

Microsoft Entra ID

Tenant ID, Application (Client) ID, Client Secret

Google Workspace

Application (Client) ID, Client Secret

Custom / other provider

Application (Client) ID, Client Secret, OpenID Connect Discovery URL

Note: For Google Workspace, the OpenID Connect Discovery URL is https://accounts.google.com/.well-known/openid-configuration.

For other providers, this URL is sometimes called the Metadata URL or Well-Known URL, check your provider's documentation.

Additional Resources

The exact steps for creating an OpenID Connect application differ depending on your identity provider. If you need more detailed instructions, refer to the official documentation below.

Microsoft Entra ID

Microsoft provides a step-by-step guide for configuring OpenID Connect (OIDC) applications in Microsoft Entra ID:

Google Workspace

For Google Workspace, you'll first need to create an OAuth 2.0 application in Google Cloud. Google provides documentation for creating OAuth clients and configuring OpenID Connect:

If you're using another OpenID Connect-compatible identity provider, refer to your provider's documentation for creating an OpenID Connect (OIDC) application. You'll typically need to configure:

  • Redirect URI

  • Client ID (Application ID)

  • Client Secret

  • OpenID Connect Discovery (Known) URL


How Do You Configure The SSO Integration In Tribe?

  1. Navigate to Installed Integrations.

  2. Select the SSO integration.

  3. Select your identity provider: Microsoft Entra ID, Google, or Custom.

  4. Complete the fields for your chosen provider using the values collected from your identity provider.

  5. Click Test & Save to validate the connection and save the set up.

The required fields vary by provider:

Microsoft Entra ID

Field

Required

Email domain

Optional — leave empty to use as the default configuration

Tenant ID

Required

Application ID

Required

Secret

Required

Google Workspace

Field

Required

Email domain

Optional — leave empty to use as the default configuration

Application ID

Required

Secret

Required

Custom OpenID Connect Provider

Field

Required

Provider name

Required

Email domain

Optional — leave empty to use as the default configuration

Application ID

Required

Secret

Required

Known URL

Required

Note: The Known URL is the OpenID Connect Discovery URL provided by your identity provider. Check your provider's documentation if you are unsure where to find it. It is sometimes called the Metadata URL or Well-Known URL.


Can You Set Up SSO For Multiple Email Domains?

Yes. If your organisation has users on different email domains — for example, because you operate multiple entities or have acquired another company — you can set up a separate SSO configuration for each domain. Each configuration is linked to a specific email domain, and Tribe automatically routes each user to the correct identity provider based on the domain in their email address.

To set up multiple domain configurations, repeat the identity provider and Tribe configuration steps once for each domain. Enter the relevant email domain in the Email domain field for each configuration.

One configuration must be designated as the default. To do this, leave the Email domain field empty for that configuration. The default is used as a fallback for any user whose email domain does not match a specific configuration.

Note: If your organisation only has a single email domain, leave the Email domain field empty. Tribe will use that configuration for all users.


Quick Summary

Single Sign-On connects Tribe to your organisation's identity provider, allowing users to log in with their existing company credentials. To set it up, install the SSO integration from the Tribe Marketplace, create an OpenID Connect application in your identity provider, and enter the required credentials in the Tribe integration settings. If your organisation uses multiple email domains, Tribe supports separate SSO configurations per domain, with one designated as the default fallback.

Did this answer your question?