
SSO Setup Guide

This guide provides step-by-step instructions for configuring SSO with the three most common identity providers. For other IdPs, see the SSO reference for the generic SAML and OIDC values.

Okta (SAML)

  1. In Okta Admin, go to Applications → Create App Integration
  2. Select SAML 2.0 and click Next
  3. Set App name to "FORG"
  4. Set Single sign-on URL to https://forg.pro/auth/saml/callback
  5. Set Audience URI (SP Entity ID) to https://forg.pro/auth/saml
  6. Set Name ID format to EmailAddress
  7. Add attribute statements:
    • Name: email, Value: user.email
    • Name: first_name, Value: user.firstName
    • Name: last_name, Value: user.lastName
  8. Click Next → Finish
  9. On the Sign On tab, click View IdP metadata and copy the URL
  10. In FORG Dashboard → Settings → SSO, paste the metadata URL and set the email domain

Azure Active Directory (OIDC)

  1. In Azure Portal, go to Azure Active Directory → App registrations → New registration
  2. Set name to "FORG" and select Accounts in this organizational directory only
  3. Set Redirect URI to https://forg.pro/auth/oidc/callback
  4. Click Register and note the Application (client) ID
  5. Go to Certificates & secrets → New client secret, create a secret and copy the value
  6. In FORG Dashboard → Settings → SSO → Add OIDC Provider:
    • Discovery URL: https://login.microsoftonline.com/<tenant-id>/v2.0/.well-known/openid-configuration
    • Client ID: (from step 4)
    • Client Secret: (from step 5)
    • Email domains: your domain(s)

Google Workspace (OIDC)

  1. In Google Cloud Console, go to APIs & Services → Credentials → Create Credentials → OAuth client ID
  2. Select Web application
  3. Add https://forg.pro/auth/oidc/callback as an authorized redirect URI
  4. Note the Client ID and Client Secret
  5. In FORG Dashboard → Settings → SSO → Add OIDC Provider:
    • Discovery URL: https://accounts.google.com/.well-known/openid-configuration
    • Client ID and Secret from step 4
    • Email domains: your Google Workspace domain(s)
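Both OIDC sections above (Azure Active Directory and Google Workspace) rely on a Discovery URL. OIDC Discovery defines that URL as the issuer followed by /.well-known/openid-configuration, so the document it returns can be checked for consistency before the values are entered in FORG. The script below is an added example, not FORG's code: it validates a discovery document offline against the URL it was (notionally) fetched from, catches the <tenant-id> placeholder left in place, and checks that every endpoint is https and that RS256 id_token signing is offered. The two documents embedded in it are constructed, trimmed copies of the shape Azure AD and Google publish; the tenant id is a made-up value.

```python
"""Sanity-check an OIDC discovery document before pasting the Discovery URL,
Client ID and Client Secret into FORG. Added example, not FORG's own code."""

REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")
WELL_KNOWN = "/.well-known/openid-configuration"

# Constructed tenant id; a real setup uses the tenant id from the Azure Portal.
TENANT_ID = "11111111-2222-3333-4444-555555555555"
AZURE_DISCOVERY_URL = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0{WELL_KNOWN}"
# Trimmed copy of the document shape Azure AD serves for that URL.
AZURE_DOC = {
    "issuer": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
    "authorization_endpoint": f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/authorize",
    "token_endpoint": f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token",
    "jwks_uri": f"https://login.microsoftonline.com/{TENANT_ID}/discovery/v2.0/keys",
    "id_token_signing_alg_values_supported": ["RS256"],
    "scopes_supported": ["openid", "profile", "email"],
}
GOOGLE_DISCOVERY_URL = "https://accounts.google.com" + WELL_KNOWN
# Trimmed copy of the document shape Google serves.
GOOGLE_DOC = {
    "issuer": "https://accounts.google.com",
    "authorization_endpoint": "https://accounts.google.com/o/oauth2/v2/auth",
    "token_endpoint": "https://oauth2.googleapis.com/token",
    "jwks_uri": "https://www.googleapis.com/oauth2/v3/certs",
    "id_token_signing_alg_values_supported": ["RS256"],
    "scopes_supported": ["openid", "email", "profile"],
}


def expected_issuer(discovery_url):
    """The discovery URL is issuer + WELL_KNOWN, so the claimed issuer must equal
    the URL with that suffix removed (trailing slashes ignored)."""
    if not discovery_url.endswith(WELL_KNOWN):
        raise ValueError("discovery URL must end with " + WELL_KNOWN)
    return discovery_url[: -len(WELL_KNOWN)].rstrip("/")


def validate_discovery(discovery_url, doc):
    """Return a list of problems; an empty list means the values are consistent."""
    problems = []
    if "<tenant-id>" in discovery_url:
        # The guide's URL is a template; copying it verbatim is a common mistake.
        problems.append("replace the <tenant-id> placeholder with your Azure tenant id")
        return problems
    if not discovery_url.startswith("https://"):
        problems.append("discovery URL must be https")
    for key in REQUIRED:
        if key not in doc:
            problems.append(f"discovery document lacks {key}")
        elif not str(doc[key]).startswith("https://"):
            problems.append(f"{key} is not https: {doc[key]}")
    if "issuer" in doc:
        try:
            want = expected_issuer(discovery_url)
            if str(doc["issuer"]).rstrip("/") != want:
                problems.append(f"issuer {doc['issuer']!r} does not match discovery URL (expected {want!r})")
        except ValueError as exc:
            problems.append(str(exc))
    algs = doc.get("id_token_signing_alg_values_supported", [])
    if "RS256" not in algs:
        problems.append("IdP does not advertise RS256 id_token signing")
    if "none" in algs:
        problems.append("IdP advertises the 'none' signing algorithm; unsigned id_tokens must never be accepted")
    return problems


if __name__ == "__main__":
    for name, url, doc in (("Azure AD", AZURE_DISCOVERY_URL, AZURE_DOC),
                           ("Google", GOOGLE_DISCOVERY_URL, GOOGLE_DOC)):
        print(name, "problems:", validate_discovery(url, doc) or "none")
```

The issuer comparison matters because the issuer value in the document is what the id_token's iss claim must later equal; a discovery URL that serves a document with a different issuer indicates either a misconfigured URL or a proxy in the path.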

Testing and enabling enforcement

  1. After saving the SSO configuration, click Test connection. This opens a pop-up SSO login. Complete the flow and verify the test passes.
  2. Invite a test user with a matching email domain and verify they can log in via SSO.
  3. Once confirmed working, go to Settings → SSO → Enforcement and set to Required to block all non-SSO logins for your domain.

Tip: Keep at least one admin account on a different email domain (e.g., an emergency access account at a separate domain) before enabling enforcement. This prevents lockout if the IdP has an outage.
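The three steps and the tip above amount to a pre-flight check that can be automated before Enforcement is set to Required. The script below is an added example, not FORG's code: given the enforced email domains, the admin accounts and what has been verified so far, it reports anything that should block enforcement, in particular the lockout condition the tip warns about. Domain matching is exact and case-insensitive by assumption, so a subdomain or look-alike domain does not count as "matching"; the account list and domains are constructed.

```python
"""Pre-flight check before setting Settings -> SSO -> Enforcement to Required.
Added example, not FORG's own code; all accounts and domains are constructed."""

# Constructed customer data: example.com is the SSO-enforced domain, and one
# admin lives on a separate domain as the emergency access account.
ENFORCED_DOMAINS = ["example.com"]
ADMINS = ["alice@example.com", "emergency-admin@example.net"]


def email_domain(address):
    """Domain part of an address, lower-cased, for exact comparison."""
    local, at, domain = address.strip().rpartition("@")
    if not at or not local or not domain or "@" in local:
        raise ValueError(f"not an email address: {address!r}")
    return domain.lower().rstrip(".")


def matches_enforced_domain(address, enforced_domains):
    """Exact domain match only: mail.example.com or evil-example.com do not match."""
    return email_domain(address) in {d.lower() for d in enforced_domains}


def enforcement_preflight(enforced_domains, admins, test_connection_passed, sso_logins_seen):
    """Return (problems, break_glass_admins).

    test_connection_passed: result of step 1.
    sso_logins_seen: addresses that completed a real SSO login (step 2).
    An empty problems list means enforcement can be enabled (step 3)."""
    problems = []
    if not test_connection_passed:
        problems.append("Test connection has not passed (step 1)")
    if not any(matches_enforced_domain(a, enforced_domains) for a in sso_logins_seen):
        problems.append("no user on an enforced domain has logged in via SSO yet (step 2)")
    break_glass = [a for a in admins if not matches_enforced_domain(a, enforced_domains)]
    if not break_glass:
        problems.append("every admin is on an enforced domain: an IdP outage would lock all admins out (see Tip)")
    return problems, break_glass


if __name__ == "__main__":
    problems, break_glass = enforcement_preflight(
        ENFORCED_DOMAINS, ADMINS, test_connection_passed=True, sso_logins_seen=["alice@example.com"])
    print("problems:", problems or "none")
    print("admins that keep working during an IdP outage:", break_glass)
```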
© 2026 UpgradIQ, Inc.