SSO: supported identity providers and setup

SiteDetour supports SSO via OpenID Connect. The generic setup flow applies to Azure AD, Okta, and other OIDC IdPs.

Overview

SiteDetour supports Single Sign-On via OpenID Connect (OIDC) on top of OAuth 2.0. If your identity provider speaks OIDC, you can configure SiteDetour to delegate authentication to it. This article covers the overall flow and the IdPs SiteDetour has built-in driver support for.

Plan requirement

SSO is available on Business and Enterprise plans. On lower tiers the SSO configuration page is read-only.

Supported identity providers

SiteDetour ships first-class driver integrations for:

  • Azure AD / Microsoft Entra ID
  • Okta Workforce Identity

For other OIDC-compliant providers (Google Workspace, OneLogin, Ping, Auth0, Keycloak, Google Cloud Identity, etc.), the generic OIDC driver can be configured by providing a discovery URL and client credentials. Contact support if your IdP doesn't appear in the driver dropdown.

What you need from your IdP

Every SSO setup requires the same three values from your IdP:

  • Client ID — the public identifier of the application you register in your IdP for SiteDetour.
  • Client Secret — the secret that authenticates SiteDetour to the IdP when exchanging authorization codes.
  • Base URL / Issuer / Tenant URL — the OIDC discovery root for your organization (e.g. https://your-tenant.okta.com or https://login.microsoftonline.com/{tenant-id}/v2.0).

What you need to give your IdP

Your IdP needs the SiteDetour Reply URL (also called Redirect URI or Callback URL). SiteDetour generates a unique reply URL per organization; you'll find it on the SSO configuration page.

Generic setup flow

  1. In your IdP, register a new application / enterprise app for SiteDetour. Register it as an OIDC / Web application.
  2. Add the SiteDetour reply URL as the allowed redirect URI.
  3. Copy the Client ID, generate a Client Secret, and note the issuer/base URL.
  4. In SiteDetour, open SSO. Pick the matching Driver from the dropdown (Azure AD, Okta Workforce Identity, or generic).
  5. Paste in Client ID, Client Secret, and Base URL.
  6. Toggle Enabled on.
  7. Click Save.
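
Before pasting the Base URL in step 5, it helps to confirm that the IdP's discovery document agrees with it. The sketch below is an added example, not SiteDetour code: it applies the OpenID Connect Discovery 1.0 rules to a discovery document you have already downloaded. The function names and the sample documents are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"  # path defined by OIDC Discovery 1.0

def discovery_url(base_url):
    """URL where the IdP publishes its metadata for this issuer / base URL."""
    return base_url.rstrip("/") + WELL_KNOWN

def check_discovery(base_url, doc):
    """Return a list of problems in a discovery document (empty list = OK)."""
    problems = []
    # Discovery requires the advertised issuer to equal the configured one exactly.
    if doc.get("issuer") != base_url:
        problems.append("issuer mismatch: %r != %r" % (doc.get("issuer"), base_url))
    # Endpoints used by the authorization code flow and for token signature keys.
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        value = doc.get(key)
        if not value:
            problems.append("missing " + key)
        elif urlsplit(value).scheme != "https":
            problems.append(key + " is not https")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow not advertised")
    return problems

# Constructed sample documents (not real IdP output).
GOOD = json.loads("""{
  "issuer": "https://your-tenant.okta.com",
  "authorization_endpoint": "https://your-tenant.okta.com/oauth2/v1/authorize",
  "token_endpoint": "https://your-tenant.okta.com/oauth2/v1/token",
  "jwks_uri": "https://your-tenant.okta.com/oauth2/v1/keys",
  "response_types_supported": ["code", "id_token"]
}""")
BAD = dict(GOOD, issuer="https://your-tenant.okta.com/",
           token_endpoint="http://your-tenant.okta.com/oauth2/v1/token")

if __name__ == "__main__":
    base = "https://your-tenant.okta.com"
    print(discovery_url(base))
    print(check_discovery(base, GOOD))
    print(check_discovery(base, BAD))
```

A trailing slash alone is enough to produce an issuer mismatch, so enter the Base URL exactly as the discovery document reports it.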

User provisioning

SiteDetour does not auto-create users from the IdP's directory. Every user who will sign in via SSO must first be invited to the SiteDetour organization on the Organization page. This is deliberate: permission level (Owner/Admin/Edit/Read) is stored in SiteDetour, not in the IdP.

Signing in via SSO

SSO users visit sitedetour.com/login/sso and enter their email. SiteDetour looks up the matching organization and redirects them to the configured IdP. On successful IdP authentication, SiteDetour signs them in.

Azure AD specifics

For the Azure-specific walkthrough (creating the Enterprise App, generating secrets, configuring the reply URL), see Enabling SSO for Azure AD.

Troubleshooting

  • "User not found" after successful IdP login. The email returned by the IdP must match a user invited to the SiteDetour organization on the Organization page. Check for case mismatch or subdomain differences.
  • "Invalid redirect URI" from IdP. Copy the reply URL from SiteDetour verbatim, including case. Some IdPs are strict.
  • Token exchange fails. Regenerate the client secret, paste it in again, and save.
