Single Sign-On (SSO)
PilotBPM supports OpenID Connect (OIDC) single sign-on with any standards-compliant identity provider — Microsoft Entra ID, Okta, Google Workspace, Auth0, and others.
How it works
- SSO is provisioned per workspace by the PilotBPM team: your IdP's issuer/metadata URL, client ID, client secret (encrypted), and the email domain used to route logins.
- On the sign-in page, choosing Sign in with SSO and entering a work email routes the user to their company's IdP.
- After the provider authenticates them, PilotBPM validates the identity token, then signs them in. New people are provisioned just-in-time — an account and workspace membership are created on first login, so you don't have to pre-create users.
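The token-validation and just-in-time provisioning step above, sketched as an added example (not PilotBPM's own code): the claim checks a relying party in this position makes before creating an account, including binding the token's email domain to the workspace that routed the login. The field names, workspace record and sample claims are constructed; it assumes a JWT library has already verified the token signature against the IdP's published keys, and that the IdP emits `email` and `email_verified`.

```python
import hmac
import time

# Constructed workspace SSO record (hypothetical field names), mirroring what the
# page says is provisioned per workspace: issuer, client ID, routing email domain.
WORKSPACE = {"issuer": "https://idp.example.com",
             "client_id": "client-id-placeholder",
             "email_domain": "example.com"}

# Constructed claims, as decoded from an ID token AFTER signature verification.
SAMPLE_CLAIMS = {"iss": "https://idp.example.com", "aud": "client-id-placeholder",
                 "exp": 2000, "nonce": "n-constructed", "email": "Ana@Example.com",
                 "email_verified": True}

class TokenRejected(Exception):
    """Raised when a claim check fails; no account may be created."""

def check_id_token_claims(claims, workspace, expected_nonce, now=None, leeway=60):
    """Return the normalized email to provision, or raise TokenRejected."""
    now = time.time() if now is None else now
    # Issuer must be exactly the IdP configured for this workspace.
    if claims.get("iss") != workspace["issuer"]:
        raise TokenRejected("issuer mismatch")
    # Audience must contain our client ID; with several audiences, azp must be us.
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if workspace["client_id"] not in aud_list:
        raise TokenRejected("audience mismatch")
    if len(aud_list) > 1 and claims.get("azp") != workspace["client_id"]:
        raise TokenRejected("authorized party mismatch")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp + leeway < now:
        raise TokenRejected("token expired")
    # Nonce ties the token to the login this browser session started.
    nonce = claims.get("nonce")
    if not expected_nonce or not isinstance(nonce, str) or \
            not hmac.compare_digest(nonce.encode(), expected_nonce.encode()):
        raise TokenRejected("nonce mismatch")
    email = claims.get("email")
    if not isinstance(email, str) or email.count("@") != 1:
        raise TokenRejected("missing or malformed email")
    if claims.get("email_verified") is not True:
        raise TokenRejected("email not verified by the IdP")
    # JIT provisioning guard: only the workspace's own domain may join it.
    if email.rsplit("@", 1)[1].lower() != workspace["email_domain"].lower():
        raise TokenRejected("email domain not bound to this workspace")
    return email.lower()
```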
Setting it up
Contact your PilotBPM account manager with your IdP details (or have them ready in Platform → tenant → Identity provider). Register PilotBPM's callback URL (/api/auth/oidc/<provider>/callback) as a redirect URI in your IdP.
SAML is on the roadmap; OIDC is fully supported today.