Skip to main content
Single sign-on (SSO) allows your team to authenticate with Cloud Capital using your organization’s identity provider via OpenID Connect (OIDC). You can enable SSO through self-service in Organization Settings.
For a broader overview of how Cloud Capital handles authentication, data access, and security controls, see the Security page.

Prerequisites

  • You must be an organization admin in Cloud Capital.
  • You need access to your identity provider’s admin console to create an OIDC application and retrieve its configuration values.
  • You need access to your domain’s DNS settings to add a verification record.
Before configuring your identity provider, navigate to Organization Settings → SSO to find Cloud Capital’s Redirect URI. You will need the following values when creating the OIDC application in your IdP:
FieldValue
Redirect / Callback URIhttps://app.cloudcapital.co/api/v1/auth/sso/callback
Initiate Login URI (Okta)https://app.cloudcapital.co/v1/auth/sso/initiate

Set up SSO

1

Open SSO settings

Navigate to Organization Settings and select the SSO tab.
2

Configure your OIDC provider

Enter the following values from your identity provider:
  • Issuer URL — the OIDC issuer URL from your identity provider (e.g., https://accounts.google.com or https://login.microsoftonline.com/{tenant}/v2.0).
  • Client ID — the client identifier assigned to Cloud Capital in your identity provider.
  • Client Secret — the client secret generated for the Cloud Capital application.
  • Email Domain — the email domain for users who should sign in via SSO (e.g., yourcompany.com).
Cloud Capital validates that the issuer URL belongs to a recognized identity provider domain. If your organization uses a custom or vanity domain for your IdP (for example, a company-branded Okta URL like https://login.yourcompany.io/ instead of https://yourcompany.okta.com/), you may see an “Untrusted origin” error. Contact Cloud Capital support to have your domain added to the allowlist.
The SSO settings page displays Cloud Capital’s Redirect URI (https://app.cloudcapital.co/api/v1/auth/sso/callback). Make sure this value is added as an allowed redirect/callback URI in your identity provider’s OIDC application settings.
3

Verify your domain

Add the DNS record displayed in the SSO settings to your domain’s DNS configuration. This verifies that you own the domain and allows Cloud Capital to associate SSO logins with your organization.
DNS propagation can take up to 48 hours, though it typically completes within a few minutes.
4

Choose an enforcement mode

Select how SSO is enforced for your organization:
  • Optional — members can sign in with SSO or with their existing email and password. Use this while rolling out SSO or if some users need non-SSO access.
  • Required — all members must sign in through SSO. Email and password login is disabled for your organization.
5

Save your configuration

Click Save to enable SSO. Members matching your verified domain will be able to sign in using your identity provider on their next login.

User provisioning

When a user signs in via SSO for the first time, Cloud Capital automatically creates an account for them using their identity provider profile. New SSO-provisioned users are granted member permissions by default. If a user requires admin access, an existing organization admin must update their role manually after their first sign-in. To do this, navigate to Organization Settings → Members, find the user, and update their role.
Cloud Capital uses SP-initiated OIDC. Users can sign in from the Cloud Capital login page, or from an Okta app tile using the Initiate Login URI above — Okta redirects to Cloud Capital, which then starts the authorization flow. True IdP-initiated SAML (where the IdP sends an assertion without a prior request) is not supported.

Common identity providers

Most OIDC-compliant identity providers work with Cloud Capital SSO, including:
  • Google Workspace
  • Microsoft Entra ID (Azure AD)
  • Okta
  • Auth0
  • OneLogin
Refer to your identity provider’s documentation for instructions on creating an OIDC application and retrieving the issuer URL, client ID, and client secret.

Okta configuration

Okta OIDC apps require two URLs to be configured — one for the OAuth callback, and one for the Okta app tile launch. Missing the second URL means SSO works from the Cloud Capital login page but fails when users click the app icon in their Okta dashboard. In your Okta OIDC application settings, set the following:
Okta fieldValue
Sign-in redirect URIhttps://app.cloudcapital.co/api/v1/auth/sso/callback
Initiate Login URIhttps://app.cloudcapital.co/v1/auth/sso/initiate
Login flowRedirect to app to initiate login (OIDC Compliant)
The Initiate Login URI is the entry point for Okta-dashboard-launched sign-ins. Okta appends an iss query parameter identifying your Okta org, and Cloud Capital uses this to resolve your SSO configuration and start the authorization flow — ending at the same sign-in outcome as if the user had started from the Cloud Capital login page.
The Sign-out redirect URI and Callback URI fields in Okta are different things. Only the Sign-in redirect URI listed above needs to be set for Cloud Capital SSO to function.

Troubleshooting

IssueSolution
Domain verification pendingConfirm the DNS record matches the value shown in SSO settings. Allow time for DNS propagation.
Login fails after enabling SSOVerify the issuer URL, client ID, and client secret are correct. Check that https://app.cloudcapital.co/api/v1/auth/sso/callback is set as an allowed redirect URI in your identity provider.
Users not prompted for SSOEnsure enforcement is set to Required, or confirm the user’s email domain matches the verified domain.
”Untrusted origin” error on issuer URLYour IdP uses a custom or vanity domain that isn’t on Cloud Capital’s allowlist. Contact support to have it added.
Okta app tile doesn’t redirect correctlySet the Initiate Login URI in your Okta OIDC app to https://app.cloudcapital.co/v1/auth/sso/initiate and set Login flow to “Redirect to app to initiate login (OIDC Compliant)”.