SSO / OIDC
Requires Pro
With single sign-on (SSO), users sign in via your central identity provider (IdP) — such as Entra ID, Keycloak, or Okta — instead of a local Notory password. Notory speaks OIDC (OpenID Connect with Authorization Code + PKCE); providers are configured per tenant. On the login screen, Notory automatically detects via e-mail discovery whether SSO is available for an account.
In this section
Section titled “In this section”- How do I set up SSO/OIDC for a tenant? — creating a provider, redirect URI, JIT provisioning and group-to-role mapping
- How does e-mail discovery work? — why the login screen shows the SSO button automatically
- Does local sign-in still work? — fallback, emergency access, and SSO-only accounts
Requirements
Section titled “Requirements”SSO is part of the Pro plan (feature sso). Without a suitable license, the SSO
endpoints respond with 403 and the interface shows an upgrade hint. Configuration
requires Administrator rights within the respective tenant; the IdP must be
reachable from the server (discovery document).
Related topics
Section titled “Related topics”- Tenants — SSO providers apply per tenant
- Users & Roles — roles for JIT-provisioned accounts
- Getting Started — Signing in — the login screen from a user’s perspective