Enterprise Feature: OpenID Connect SSO is available exclusively on Enterprise plans. Contact our sales team to upgrade your account.
Account Owner Access: Only the account owner can configure SSO and bypass it when necessary. Team members must use SSO once enabled.
Configuration
Configure SSO in your account settings as the account owner:
Enable SSO
Navigate to SSO settings:
- Go to Account Settings in your dashboard
- Scroll to OpenID Connect SSO section
- Check “Enable OpenID Connect SSO”
Configure Identity Provider
Enter your IdP details:
Required Configuration:
- Configuration Type: PKCE (recommended) or Client Credentials
- Domain: Comma-separated email domains (e.g., yourcompany.com)
- Issuer URL: Base URL from your IdP (e.g., https://iam.company.com)
- Client ID: Provided by your identity provider
- Client Secret: Provided by your identity provider
- Requested Scopes: Space-separated scopes (defaults: openid email profile)
- Authorization Endpoint: e.g., https://iam.company.com/oauth/v2/authorize
- Token Endpoint: e.g., https://iam.company.com/oauth/v2/token
- Userinfo Endpoint: e.g., https://iam.company.com/oauth/v2/userinfo
- JWKS URI: e.g., https://iam.company.com/oauth/v2/keys
Validate and Activate
Complete SSO setup:
- Save your configuration
- System validates the settings automatically
- SSO activates if validation is successful
How SSO Works
Once OpenID Connect SSO is activated:
Team Member Access:
- Must use SSO: All team members must sign in through your identity provider
- No regular login: Standard AhaSend login credentials are disabled
- Access denied: Password reset requests are blocked for team members
Account Owner Access:
- SSO bypass: Can still use regular AhaSend credentials
- Password reset: Can request password resets when needed
- Full control: Can disable SSO if necessary
Team Access: Only users explicitly added as team members can access the account after SSO is enabled.
Supported Identity Providers
- Microsoft Entra ID (Azure Active Directory): Popular enterprise identity provider with comprehensive features
- Google Workspace (Google Cloud Identity): Integrated with Gmail and Google services
- Okta (Enterprise SSO Platform): Dedicated identity and access management
- Self-Hosted Options (Authentik, Zitadel): Open-source identity providers you can host yourself
Troubleshooting
Microsoft Entra ID Configuration
Common setup issues:
- Enable “Allow public client flows” in app registration
- Set platform to “Mobile and desktop applications” (not Web or Single-page)
- Verify redirect URLs match AhaSend’s requirements
Team Member Access Issues
Login problems:
- Verify user is added as team member in AhaSend
- Check email domain matches configured domains
- Confirm user exists in your identity provider
- Test SSO configuration with account owner first
Configuration Validation Errors
Setup validation fails:
- Double-check all endpoint URLs are accessible
- Verify client ID and secret are correct
- Ensure identity provider is properly configured
- Test JWKS URI returns valid JSON
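The checks listed under Configuration Validation Errors can be run locally before saving. The following is an added example, not AhaSend's own validation code: the function name and dictionary keys are hypothetical, and the sample values are constructed from the example URLs above. It checks that every URL is absolute HTTPS, that the scopes include openid, and that the JWKS response is valid JSON containing only public keys.

```python
import json
from urllib.parse import urlsplit

URL_FIELDS = ("issuer", "authorization_endpoint", "token_endpoint",
              "userinfo_endpoint", "jwks_uri")

def check_sso_settings(settings, jwks_body):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    for field in URL_FIELDS:
        url = urlsplit(settings.get(field, ""))
        if url.scheme != "https" or not url.netloc:
            problems.append(f"{field}: not an absolute https URL")
    # OpenID Connect requests must include the "openid" scope.
    if "openid" not in settings.get("scopes", "").split():
        problems.append("scopes: 'openid' is missing")
    try:
        jwks = json.loads(jwks_body)
    except json.JSONDecodeError:
        # Typical when the URI serves an HTML error or login page.
        return problems + ["jwks: response is not valid JSON"]
    keys = jwks.get("keys") if isinstance(jwks, dict) else None
    if not isinstance(keys, list) or not keys:
        return problems + ["jwks: no 'keys' array"]
    for i, key in enumerate(keys):
        if not isinstance(key, dict) or "kty" not in key:
            problems.append(f"jwks: key {i} has no 'kty'")
        elif "d" in key or "k" in key:
            # "d" (RSA/EC private part) and "k" (symmetric key) must never be published.
            problems.append(f"jwks: key {i} exposes private key material")
    return problems

# Constructed sample values (not real endpoints or keys).
GOOD = {
    "issuer": "https://iam.company.com",
    "authorization_endpoint": "https://iam.company.com/oauth/v2/authorize",
    "token_endpoint": "https://iam.company.com/oauth/v2/token",
    "userinfo_endpoint": "https://iam.company.com/oauth/v2/userinfo",
    "jwks_uri": "https://iam.company.com/oauth/v2/keys",
    "scopes": "openid email profile",
}
GOOD_JWKS = '{"keys": [{"kty": "RSA", "kid": "sample-1", "use": "sig", "n": "AQAB", "e": "AQAB"}]}'
BAD = dict(GOOD, token_endpoint="http://iam.company.com/oauth/v2/token", scopes="email profile")
BAD_JWKS = "<html><body>Sign in</body></html>"

if __name__ == "__main__":
    print(check_sso_settings(GOOD, GOOD_JWKS))
    for problem in check_sso_settings(BAD, BAD_JWKS):
        print(problem)
```

To use it against a live identity provider, fetch the JWKS URI yourself and pass the response body as the second argument.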