Single sign-on (SSO) allows your team to authenticate with Cloud Capital using your organization’s identity provider via OpenID Connect (OIDC). You can enable SSO through self-service in Organization Settings.
For a broader overview of how Cloud Capital handles authentication, data access, and security controls, see the Security page.

Prerequisites

  • You must be an organization admin in Cloud Capital.
  • You need access to your identity provider’s admin console to create an OIDC application and retrieve its configuration values.
  • You need access to your domain’s DNS settings to add a verification record.
Before configuring your identity provider, navigate to Organization Settings → SSO to find Cloud Capital’s Redirect URI (https://app.cloudcapital.co/api/v1/auth/sso/callback). You will need this when creating the OIDC application in your IdP.

Set up SSO

1. Open SSO settings

Navigate to Organization Settings and select the SSO tab.
2. Configure your OIDC provider

Enter the following values from your identity provider:
  • Issuer URL — the OIDC issuer URL from your identity provider (e.g., https://accounts.google.com or https://login.microsoftonline.com/{tenant}/v2.0).
  • Client ID — the client identifier assigned to Cloud Capital in your identity provider.
  • Client Secret — the client secret generated for the Cloud Capital application.
  • Email Domain — the email domain for users who should sign in via SSO (e.g., yourcompany.com).
Cloud Capital validates that the issuer URL belongs to a recognized identity provider domain. If your organization uses a custom or vanity domain for your IdP (for example, a company-branded Okta URL like https://login.yourcompany.io/ instead of https://yourcompany.okta.com/), you may see an “Untrusted origin” error. Contact Cloud Capital support to have your domain added to the allowlist.
The SSO settings page displays Cloud Capital’s Redirect URI (https://app.cloudcapital.co/api/v1/auth/sso/callback). Make sure this value is added as an allowed redirect/callback URI in your identity provider’s OIDC application settings.
3. Verify your domain

Add the DNS record displayed in the SSO settings to your domain’s DNS configuration. This verifies that you own the domain and allows Cloud Capital to associate SSO logins with your organization.
DNS propagation can take up to 48 hours, though it typically completes within a few minutes.
4. Choose an enforcement mode

Select how SSO is enforced for your organization:
  • Optional — members can sign in with SSO or with their existing email and password. Use this while rolling out SSO or if some users need non-SSO access. Note that password login remains available to every member in this mode, so it does not by itself reduce your organization's password-based attack surface.
  • Required — all members must sign in through SSO. Email and password login is disabled for your organization. Before switching to Required, confirm that at least one organization admin can complete an SSO sign-in in Optional mode, since a misconfigured issuer, client secret, or redirect URI will otherwise lock admins out along with everyone else.
5. Save your configuration

Click Save to enable SSO. Members matching your verified domain will be able to sign in using your identity provider on their next login.
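The values entered in steps 2 and 3 are easy to get subtly wrong (a trailing slash on the issuer, a redirect URI registered with a different scheme or path), and the failure only shows up at login time, which is painful once enforcement is Required. The following preflight script is an added example and not Cloud Capital's code; it checks the issuer, client credentials, email domain and redirect-URI registration against the IdP's OIDC discovery document before you click Save. The discovery document, issuer and client values in it are constructed samples; `fetch_discovery` shows how to pull the live document from your IdP instead.

```python
"""Preflight checks for the OIDC values entered in Cloud Capital's SSO settings.

Added example, not Cloud Capital's own code.  It validates the issuer URL,
client credentials, email domain and redirect-URI registration against the
IdP's OIDC discovery document before the configuration is saved, so a
mistake is caught before "Required" enforcement disables password login.
"""
import json
from urllib.parse import urlparse
from urllib.request import urlopen

# Cloud Capital's callback, as shown on the SSO settings page.
CLOUD_CAPITAL_REDIRECT_URI = "https://app.cloudcapital.co/api/v1/auth/sso/callback"


def discovery_url(issuer: str) -> str:
    """OIDC Discovery 1.0 location of the provider metadata document."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def fetch_discovery(issuer: str, timeout: float = 10.0) -> dict:
    """Fetch the live discovery document from the IdP (needs network access)."""
    with urlopen(discovery_url(issuer), timeout=timeout) as resp:
        return json.load(resp)


def check_sso_config(issuer, client_id, client_secret, email_domain,
                     discovery, registered_redirect_uris):
    """Return a list of problems; an empty list means the values look consistent."""
    problems = []
    parsed = urlparse(issuer)
    if parsed.scheme != "https" or not parsed.netloc:
        problems.append("issuer URL must be an absolute https URL")
    if parsed.query or parsed.fragment:
        problems.append("issuer URL must not carry a query string or fragment")

    # Discovery section 4.3: the 'issuer' in the metadata MUST be identical to
    # the configured issuer, trailing slash included.  A mismatch is the usual
    # symptom of a vanity domain or a copy-paste error, and the id_token 'iss'
    # check would fail later at login time.
    if discovery.get("issuer") != issuer:
        problems.append(
            f"discovery issuer {discovery.get('issuer')!r} does not match "
            f"configured issuer {issuer!r}")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if not str(discovery.get(key, "")).startswith("https://"):
            problems.append(f"discovery document has no https {key}")
    if "code" not in discovery.get("response_types_supported", []):
        problems.append("IdP does not advertise the 'code' response type")

    if not client_id.strip():
        problems.append("client ID is empty")
    if not client_secret.strip():
        problems.append("client secret is empty")
    # Email domain: a bare lowercase domain, no '@', scheme or path.
    if (not email_domain or email_domain != email_domain.strip().lower()
            or "@" in email_domain or "/" in email_domain):
        problems.append(
            f"email domain {email_domain!r} should be a bare domain such as 'yourcompany.com'")

    # IdPs match redirect URIs exactly; a trailing slash or http scheme on the
    # IdP side fails the callback even though everything else is right.
    if CLOUD_CAPITAL_REDIRECT_URI not in registered_redirect_uris:
        problems.append("Cloud Capital's redirect URI is not registered on the IdP application")
    return problems


# Constructed sample: a discovery document of the shape most IdPs return.
SAMPLE_ISSUER = "https://login.example-corp.test/oauth2/default"
SAMPLE_DISCOVERY = {
    "issuer": SAMPLE_ISSUER,
    "authorization_endpoint": SAMPLE_ISSUER + "/v1/authorize",
    "token_endpoint": SAMPLE_ISSUER + "/v1/token",
    "jwks_uri": SAMPLE_ISSUER + "/v1/keys",
    "response_types_supported": ["code", "id_token", "code id_token"],
}
SAMPLE_REGISTERED_REDIRECTS = [CLOUD_CAPITAL_REDIRECT_URI]


def preflight_sample():
    """Run the checks on the sample, once correct and once with typical typos."""
    ok = check_sso_config(SAMPLE_ISSUER, "0oa1example", "s3cr3t", "example-corp.test",
                          SAMPLE_DISCOVERY, SAMPLE_REGISTERED_REDIRECTS)
    # Trailing slash on the issuer, mixed-case domain, redirect registered with a slash.
    bad = check_sso_config(SAMPLE_ISSUER + "/", "0oa1example", "s3cr3t", "Example-Corp.test",
                           SAMPLE_DISCOVERY, [CLOUD_CAPITAL_REDIRECT_URI + "/"])
    return ok, bad


if __name__ == "__main__":
    ok, bad = preflight_sample()
    print("correct config problems:", ok)
    for p in bad:
        print("misconfigured:", p)
```

To run it against your real IdP, replace `SAMPLE_DISCOVERY` with `fetch_discovery(issuer)` and `SAMPLE_REGISTERED_REDIRECTS` with the redirect URIs shown on the IdP application. The issuer comparison is deliberately byte-exact because that is what the OIDC Discovery spec requires and what the `iss` claim check at login will enforce.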

User provisioning

When a user signs in via SSO for the first time, Cloud Capital automatically creates an account for them using their identity provider profile. New SSO-provisioned users are granted member permissions by default. If a user requires admin access, an existing organization admin must update their role manually after their first sign-in. To do this, navigate to Organization Settings → Members, find the user, and update their role. Because accounts are created on first sign-in, anyone your identity provider allows to authenticate to the Cloud Capital application and whose email is in the verified domain receives a member account; control who can join by restricting assignment to that application in your IdP rather than relying on Cloud Capital to reject them.
IdP-initiated logins are not currently supported. Users must initiate sign-in from the Cloud Capital login page.

Common identity providers

Most OIDC-compliant identity providers work with Cloud Capital SSO, including:
  • Google Workspace
  • Microsoft Entra ID (Azure AD)
  • Okta
  • Auth0
  • OneLogin
Refer to your identity provider’s documentation for instructions on creating an OIDC application and retrieving the issuer URL, client ID, and client secret.

Troubleshooting

  • Domain verification pending: Confirm the DNS record matches the value shown in SSO settings. Allow time for DNS propagation.
  • Login fails after enabling SSO: Verify the issuer URL, client ID, and client secret are correct. Check that https://app.cloudcapital.co/api/v1/auth/sso/callback is set as an allowed redirect URI in your identity provider.
  • Users not prompted for SSO: Ensure enforcement is set to Required, or confirm the user’s email domain matches the verified domain.
  • “Untrusted origin” error on issuer URL: Your IdP uses a custom or vanity domain that isn’t on Cloud Capital’s allowlist. Contact support to have it added.