SSO / Single Sign-On

This guide walks you through setting up single sign-on (SSO) for your Obvious workspace so your team can sign in with your company's identity provider.

SSO lets your team use one set of credentials — the same ones they use for email, Slack, and everything else — to sign in to Obvious. Instead of managing separate passwords, everyone authenticates through your identity provider (like Okta, Azure AD, or Google Workspace). One login, one place to manage access.

What you need before you start

• Workspace Admin access in Obvious

• A Team plan or above — SSO is available on Team plan and above. It also requires the feature to be enabled for your workspace — contact help@obvious.ai if you're on a Team plan and don't see the SSO option.

• An identity provider that supports OIDC — Okta, Azure AD (Entra ID), Google Workspace, OneLogin, Auth0, and most providers that support OpenID Connect work with Obvious

• Four things from your identity provider: Issuer URL, Client ID, Client Secret, and (optionally) a Discovery Endpoint

Note: Obvious uses the OpenID Connect (OIDC) protocol for SSO. If your provider only supports SAML, check whether it also offers an OIDC option — most do.

Set up SSO

SSO setup involves two places: your identity provider (Okta, Azure AD, etc.) and Obvious. You or your IT team create the OIDC application in your identity provider — the Obvious agent can't do that part for you. But the agent can help you prepare.

Tip: Ask the agent to help you identify the required fields, confirm redirect URIs, and sanity-check your configuration values before you enter them. Try something like: "Help me prepare the SSO values I need for Okta" — the agent walks you through what to gather and validates what you've got.

Step 1: Create an OIDC application in your identity provider

In your identity provider's admin console, create a new OIDC (OpenID Connect) application. You'll need to set the redirect URI to https://app.obvious.ai and note the following values once the app is created:

• Issuer URL — usually something like https://login.acme.com/realms/main or https://accounts.google.com

• Client ID

• Client Secret

• Discovery Endpoint (optional — most providers auto-discover this from the Issuer URL)

Your identity provider's documentation has specific steps for creating OIDC applications. If you're not sure where to find these values, ask the agent — it can help you figure out what to look for based on your provider.

Step 2: Add the provider in Obvious

1. Open Settings → Workspace → Single Sign-On.

2. Click Add SSO Provider. A form opens with the following fields.

3. Enter a Provider ID — a short, unique name for this connection (e.g., acme-okta). This is just a label to help you identify the provider later.

4. Enter your company's Email Domain (e.g., acme.com). Anyone who signs in with an email address on this domain will be routed through SSO.

5. Enter the OIDC Issuer URL from your identity provider.

6. Enter the Client ID and Client Secret from the OIDC application you created in Step 1.

7. Optionally, enter the Discovery Endpoint and JWKS Endpoint. Most providers auto-discover these from the Issuer URL, but you can specify them explicitly if needed.

8. Leave Enable PKCE checked — it's on by default and recommended for most providers.

9. Click Add Provider.

Your provider appears in the SSO settings list with a Disabled badge and an Unverified badge. Both are expected — you'll enable it after verifying your domain.

Verify your domain

Before SSO goes live, Obvious needs to confirm that you own the email domain you entered. This prevents someone from claiming a domain they don't control.

1. In the SSO provider card, click Verify Domain.

2. Obvious gives you a DNS TXT record — a Host/Name and a Value. Click Copy to copy the value.

3. Add this TXT record to your domain's DNS settings. (Your IT team or domain registrar can help with this if you're not sure how.)

4. Wait for the DNS record to propagate. This can take anywhere from a few minutes to 48 hours.

5. Come back to Settings → Workspace → Single Sign-On and click Check Verification.

Once verified, the badge changes to Domain Verified.

Tip: If verification seems stuck, ask the agent to help you troubleshoot — it can sanity-check your TXT record values and flag common formatting issues like trailing periods or incorrect hostnames.

Enable SSO

After your domain is verified:

1. Click Enable on your SSO provider card.

The badge changes to Enabled. Members with email addresses on that domain are now routed through your identity provider when they sign in.

What changes for your team

• Sign-in flow — When a team member with a matching email domain signs in to Obvious, they're redirected to your identity provider. They authenticate there, then land back in Obvious. No separate Obvious password needed.

• New members — Anyone with a verified domain email can sign in through SSO. They'll be added to the workspace automatically.

• Existing members — Members who already have Obvious accounts continue as normal. Their next sign-in routes through SSO instead of email and password.

• Non-matching domains — Members whose email addresses don't match the SSO domain (contractors, consultants, partners) still sign in the usual way. SSO only applies to the domain you configured.

Warning: If you enforce SSO and later delete the provider, users on that domain won't be able to sign in until you add a new provider or disable enforcement. Export your provider details before deleting.

Managing SSO providers

From Settings → Workspace → Single Sign-On, you can:

• Enable or disable a provider without deleting it — useful for testing or temporary rollbacks

• Delete a provider entirely — users on that domain lose SSO access and fall back to standard sign-in

• Add multiple providers for different domains if your organization uses more than one identity provider

If something isn't working

• "Failed to fetch SSO providers" — Check that you're a Workspace Admin. SSO settings require admin access.

• Domain verification stuck — DNS propagation can take up to 48 hours. If it's been longer, double-check the TXT record values match exactly — including any trailing periods your DNS provider may add.

• Users not redirected to SSO — Confirm the provider is Enabled (not just added) and the email domain matches exactly. SSO only routes users whose email domain matches the one you configured.

• Identity provider rejects the connection — Verify that the Issuer URL, Client ID, and Client Secret are correct. Check that the redirect URI in your identity provider includes https://app.obvious.ai.

• Still stuck? — Ask the agent to help you troubleshoot. Describe the error or symptom and it can help you narrow down the issue. For anything it can't resolve, contact help@obvious.ai.

Next steps

• Roles & Permissions — Control what team members can access after they sign in

• Audit Logs — Track sign-in activity and workspace changes

• Workspace Settings — Manage other workspace-level configuration