Single sign-on (SSO)

Single sign-on (SSO) is available on the Enterprise plan. Please speak to a member of the Count team to discuss enabling SSO for your workspace.

Configuring SSO for your workspace

Count supports OIDC SSO, and is compatible with a broad range of identity providers. See the following pages for more help on the configuration steps required for your provider:

Okta, Entra ID, JumpCloud, Google, Generic OIDC

Domain verification

SSO only becomes active once ownership of the appropriate domains has been proven. After adding an SSO domain, a unique verification code is generated.

Add this code to your DNS records and select Verify to confirm ownership of the domain. This step is usually quick, but in some cases can take up to 72 hours.

Once SSO has been configured for a workspace, the email domain whitelist in the workspace settings will have no effect, and the SSO domain list will take precedence.

SSO options

Once SSO is configured and at least one domain has been verified, there are several options to further customise behaviour.

Enforce SSO

If SSO is enforced, users will only be able to access this workspace and its resources if they have most recently signed in using SSO.

Public canvases are still visible to everyone if SSO is enforced, but will only be editable if the viewer has signed in using SSO.

Workspace owners can always log in using any method, regardless of this setting. If you encounter an issue signing in using SSO, contact your workspace owner to resolve the issue.

Automatic provisioning

If this setting is enabled, any user signing in with an email address at one of the verified domains will automatically be added to this workspace with a member role.

FAQs

Can I configure multiple workspaces with the same SSO domain?

Yes, though workspace members may be prompted to sign in again through the configured SSO provider when changing workspaces. If a member has recently signed in using the SSO provider, then this step is usually immediate.

How are my SSO credentials stored? Who can access them?

Your client secret and event hook secret are encrypted, and only ever accessible by workspace owners. The client secret is never delivered to the Count application, so it is only accessible from your SSO provider.

What if I need to update my SSO application?

If you delete or change the SSO application used by Count, update the details from the Count SSO settings page as soon as possible; otherwise, workspace members will be unable to sign in to your workspace using SSO.

If you need to temporarily relax SSO restrictions, disable the Enforce SSO option and workspace members will be able to access the workspace by signing in using other methods.
