Single sign-on (OIDC)
Exovo can hand authentication to your identity provider over OpenID Connect — Entra ID (Azure AD), Google Workspace, Okta, Authentik, Keycloak, or anything else that speaks OIDC. Users click one button on the sign-in page and are in, with their access governed centrally.
Configuring the provider
Admin → Integrations → SSO:
- Register Exovo as an application in your IdP, using the redirect URI shown on the page
(
https://<your-fqdn>/auth/oidc-callback). - Enter the IdP's Authority URL (issuer), Client ID and Client Secret (stored encrypted).
- Leave the scopes at
openid emailunless your IdP puts email elsewhere — the email claim field (defaultemail) is how Exovo matches the signed-in identity to a user. - Enable Show SSO button on login page.
Users are matched by email address: the IdP-asserted email must equal the email on the user's Exovo account. There's no just-in-time user creation — accounts are still created in Exovo (or via your provisioning tooling), SSO just authenticates them.
The login button
The button's label, color and icon (SVG upload) are customizable, so the sign-in page can say "Continue with Contoso ID" and look like it means it. Password login remains available alongside SSO — useful for break-glass admin access if the IdP is down.
Notes
- Users without a matching email simply can't use the SSO button; nothing is auto-provisioned.
- Disabling a user in the IdP blocks new SSO logins immediately; also disable the Exovo account to invalidate password login and active sessions.
- Pair SSO with 2FA on the remaining password accounts — the break-glass admin especially.