# OpenID Connect SSO

> Enable team login through your organization's identity provider with OpenID Connect SSO

Allow your team members to log in using your organization's existing identity provider, such as Microsoft Entra ID (Azure AD), Google Workspace, Okta, Authentik, or Zitadel.

<Tip>
  **Max plan Feature:** OpenID Connect SSO is available exclusively on the [Max plan](https://ahasend.com/pricing).
</Tip>

<Info>
  **Account Owner Access:** Only the account owner can configure SSO and bypass it when necessary. Team members must use SSO once enabled.
</Info>

## Configuration

Configure SSO in your account settings as the account owner:

<Steps>
  <Step title="Enable SSO" icon="toggle-on">
    **Navigate to SSO settings:**

    1. **Go to** **Account Settings** in your dashboard
    2. **Scroll to** **OpenID Connect SSO** section
    3. **Check** "Enable OpenID Connect SSO"
  </Step>

  <Step title="Configure Identity Provider" icon="gear">
    **Enter your IdP details:**

    **Required Configuration:**

    * **Configuration Type:** PKCE (recommended) or Client Credentials
    * **Domain:** Comma-separated email domains (e.g., `yourcompany.com`)
    * **Issuer URL:** Base URL from your IdP (e.g., `https://iam.company.com`)
    * **Client ID:** Provided by your identity provider
    * **Client Secret:** Provided by your identity provider

    **Optional Settings:**

    * **Requested Scopes:** Space-separated scopes (defaults: `openid email profile`)
    * **Authorization Endpoint:** e.g., `https://iam.company.com/oauth/v2/authorize`
    * **Token Endpoint:** e.g., `https://iam.company.com/oauth/v2/token`
    * **Userinfo Endpoint:** e.g., `https://iam.company.com/oauth/v2/userinfo`
    * **JWKS URI:** e.g., `https://iam.company.com/oauth/v2/keys`
  </Step>

  <Step title="Validate and Activate" icon="check">
    **Complete SSO setup:**

    1. **Save** your configuration
    2. **System validates** the settings automatically
    3. **SSO activates** if validation is successful
  </Step>
</Steps>

## How SSO Works

Once OpenID Connect SSO is activated:

**Team Member Access:**

* **Must use SSO:** All team members must sign in through your identity provider
* **No regular login:** Standard AhaSend login credentials are disabled
* **Access denied:** Password reset requests are blocked for team members

**Account Owner Access:**

* **SSO bypass:** Can still use regular AhaSend credentials
* **Password reset:** Can request password resets when needed
* **Full control:** Can disable SSO if necessary

<Warning>
  **Team Access:** Only users explicitly added as team members can access the account after SSO is enabled.
</Warning>

## Supported Identity Providers

<CardGroup cols={2}>
  <Card title="Microsoft Entra ID" icon="microsoft">
    **Azure Active Directory**

    Popular enterprise identity provider with comprehensive features
  </Card>

  <Card title="Google Workspace" icon="google">
    **Google Cloud Identity**

    Integrated with Gmail and Google services
  </Card>

  <Card title="Okta" icon="shield-check">
    **Enterprise SSO Platform**

    Dedicated identity and access management
  </Card>

  <Card title="Self-Hosted Options" icon="server">
    **Authentik, Zitadel**

    Open-source identity providers you can host yourself
  </Card>
</CardGroup>

## Troubleshooting

<AccordionGroup>
  <Accordion title="Microsoft Entra ID Configuration" icon="microsoft">
    **Common setup issues:**

    * **Enable** "Allow public client flows" in app registration
    * **Set platform** to "Mobile and desktop applications" (not Web or Single-page)
    * **Verify** redirect URLs match AhaSend's requirements
  </Accordion>

  <Accordion title="Team Member Access Issues" icon="user-slash">
    **Login problems:**

    * **Verify** user is added as team member in AhaSend
    * **Check** email domain matches configured domains
    * **Confirm** user exists in your identity provider
    * **Test** SSO configuration with account owner first
  </Accordion>

  <Accordion title="Configuration Validation Errors" icon="triangle-exclamation">
    **Setup validation fails:**

    * **Double-check** all endpoint URLs are accessible
    * **Verify** client ID and secret are correct
    * **Ensure** identity provider is properly configured
    * **Test** JWKS URI returns valid JSON
  </Accordion>
</AccordionGroup>
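The automatic validation at save time and the troubleshooting checks above (endpoint URLs, JWKS returning valid JSON, email domain matching the configured domains) can be rehearsed offline before you touch the dashboard. The following is an added example, not AhaSend's own validator: it assumes you have already fetched the issuer's discovery document (`/.well-known/openid-configuration`) and the JWKS body, and uses the page's example issuer `https://iam.company.com` with a constructed discovery document and key set.

```python
# Added pre-flight checks for the settings above; not AhaSend's own validator.
# Assumes the issuer's discovery document and JWKS body were already fetched.
import json
from urllib.parse import urlparse

REQUIRED = ("authorization_endpoint", "token_endpoint", "userinfo_endpoint", "jwks_uri")
DEFAULT_SCOPES = ("openid", "email", "profile")  # the page's default Requested Scopes

def check_discovery(issuer, discovery, pkce=True):
    """List problems in the discovery document; OIDC Discovery requires its
    'issuer' value to equal the configured Issuer URL."""
    problems = []
    if discovery.get("issuer") != issuer.rstrip("/"):
        problems.append("issuer mismatch: %r" % discovery.get("issuer"))
    for key in REQUIRED:  # the optional endpoint settings listed on this page
        url = discovery.get(key)
        if not url:
            problems.append("missing " + key)
        elif urlparse(url).scheme != "https":
            problems.append(key + " is not https")
    supported = set(discovery.get("scopes_supported", []))
    for scope in DEFAULT_SCOPES:
        if supported and scope not in supported:
            problems.append("scope not advertised: " + scope)
    if pkce and "S256" not in discovery.get("code_challenge_methods_supported", []):
        problems.append("PKCE S256 not advertised")
    return problems

def check_jwks(raw):
    """Parse a JWKS response body ('Test JWKS URI returns valid JSON'); list problems."""
    try:
        keys = json.loads(raw).get("keys")
    except (ValueError, AttributeError):
        return ["JWKS is not a JSON object"]
    if not isinstance(keys, list) or not keys:
        return ["JWKS has no keys"]
    return ["key missing kid or kty" for k in keys if not (k.get("kid") and k.get("kty"))]

def email_domain_allowed(email, domains):
    """True if the address's domain appears in the comma-separated Domain setting."""
    allowed = {d.strip().lower() for d in domains.split(",") if d.strip()}
    _, at, domain = email.rpartition("@")
    return bool(at) and domain.lower() in allowed

# Constructed sample for the page's example issuer (not a real IdP response).
ISSUER = "https://iam.company.com"
DISCOVERY = {"issuer": ISSUER, "scopes_supported": list(DEFAULT_SCOPES),
             "code_challenge_methods_supported": ["S256"],
             **{k: f"{ISSUER}/oauth/v2/{p}" for k, p in zip(REQUIRED, ("authorize", "token", "userinfo", "keys"))}}
JWKS = '{"keys": [{"kty": "RSA", "kid": "k1", "e": "AQAB", "n": "placeholder"}]}'
```

An empty list from `check_discovery` and `check_jwks` means the constructed configuration would pass these checks; a non-empty list names the setting to revisit in the Configure Identity Provider step.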
