Overview

Configure single sign-on

Understand the tenant-scoped SSO workflow for Microsoft Entra ID, Google Workspace, OIDC, and SAML.

Identity administrators8 min readUpdated July 17, 2026

How tenant SSO works

Each connection belongs to one tenant. The identity provider proves who the person is; tenant roles and school assignments decide what that person can access. DMTG Tech employee access uses a separate, audited support path and does not weaken tenant enforcement.

Safe setup sequence

  1. Open Single sign-on and choose the provider type.
  2. Copy the redirect URI or SAML values shown by the portal into the identity provider exactly.
  3. Enter the provider identifiers, metadata, secret, and allowed organization domains.
  4. Choose just-in-time provisioning and a conservative default role if appropriate.
  5. Save the connection as a draft, then test it with a non-emergency administrator account.
  6. Activate the connection only after issuer, signatures, claims, domains, and role behavior have passed testing.
  7. Require SSO only after at least two administrators have successfully signed in.

Provider-specific guides

  • Microsoft Entra ID uses the tenant ID, application client ID, exact redirect URI, and OIDC discovery metadata.
  • Google Workspace uses an OAuth client and validates the signed hosted-domain claim for allowed Workspace domains.
  • Generic SAML uses the IdP entity ID, SSO endpoint, signing certificate, and exact service-provider values displayed in the portal.