Skip to content

SSO / OIDC

Requires Pro

With single sign-on (SSO), users sign in via your central identity provider (IdP) — such as Entra ID, Keycloak, or Okta — instead of a local Notory password. Notory speaks OIDC (OpenID Connect with Authorization Code + PKCE); providers are configured per tenant. On the login screen, Notory automatically detects via e-mail discovery whether SSO is available for an account.

SSO is part of the Pro plan (feature sso). Without a suitable license, the SSO endpoints respond with 403 and the interface shows an upgrade hint. Configuration requires Administrator rights within the respective tenant; the IdP must be reachable from the server (discovery document).