How tenant SSO works
Each connection belongs to one tenant. The identity provider proves who the person is; tenant roles and school assignments decide what that person can access. DMTG Tech employee access uses a separate, audited support path and does not weaken tenant enforcement.
Safe setup sequence
- Open Single sign-on and choose the provider type.
- Copy the redirect URI or SAML values shown by the portal into the identity provider exactly.
- Enter the provider identifiers, metadata, secret, and allowed organization domains.
- Choose just-in-time provisioning and a conservative default role if appropriate.
- Save the connection as a draft, then test it with a non-emergency administrator account.
- Activate the connection only after issuer, signatures, claims, domains, and role behavior have passed testing.
- Require SSO only after at least two administrators have successfully signed in.
Provider-specific guides
- Microsoft Entra ID uses the tenant ID, application client ID, exact redirect URI, and OIDC discovery metadata.
- Google Workspace uses an OAuth client and validates the signed hosted-domain claim for allowed Workspace domains.
- Generic SAML uses the IdP entity ID, SSO endpoint, signing certificate, and exact service-provider values displayed in the portal.