
Configure SSO

Set up single sign-on with Microsoft, Google, or OIDC

Configure single sign-on (SSO) to allow users to log in with their existing identity provider.

SSO is configured in Settings > SSO within the Bifrost UI. All configuration is stored in the database - no environment variables required.

[Screenshot: Settings > SSO landing page]

Supported providers:

  • Microsoft Entra ID - formerly Azure Active Directory
  • Google Workspace - Google accounts
  • Generic OIDC - Any OpenID Connect provider

Microsoft Entra ID

  1. Create App Registration in Azure

    Go to Entra ID > App registrations > + New registration:

    • Name: Bifrost SSO
    • Supported account types: Choose based on your needs:
      • Single tenant - Only accounts in your organization's directory
      • Multitenant - Accounts in any Microsoft Entra directory (pair this with the organizations or common tenant ID in step 5)
    • Redirect URI: Web platform, https://your-domain.com/auth/callback/microsoft (use the exact scheme, host and path Bifrost is served on; Entra compares this string exactly)
  2. Configure Authentication

    In your app registration, go to Authentication:

    • Ensure the redirect URI is correct
    • Enable ID tokens under Implicit grant and hybrid flows only if Microsoft login fails without it. A confidential client using the authorization-code flow with a client secret does not need it, and leaving implicit flows disabled is the safer default.
  3. Add Client Secret

    Go to Certificates & secrets > + New client secret:

    • Set description and expiration; pick the shortest expiration your rotation process can meet and record the date, because Microsoft logins stop working when it lapses
    • Copy the secret value immediately (it won't be shown again); the Value column, not the Secret ID, is what Bifrost needs
  4. Note Required Values

    From the Overview page, copy:

    • Application (client) ID
    • Directory (tenant) ID
  5. Configure in Bifrost

    Go to Settings > SSO and add Microsoft:

    • Client ID: Application (client) ID from Azure
    • Client Secret: The secret value you created
    • Tenant ID: One of:
      • Your specific tenant ID - required for a single-tenant registration, and the most restrictive option
      • organizations - any work or school account from any Microsoft Entra tenant; needs a multitenant registration
      • common - work/school accounts plus personal Microsoft accounts; needs a registration that also allows personal accounts

    With organizations or common, users from any Microsoft tenant can complete authentication, so choose them only when you intend to admit users outside your own directory or gate access another way.

    [Screenshot: Microsoft Entra ID configuration card]

Microsoft SSO requests these scopes automatically:

  • openid - Required for OIDC
  • profile - User’s display name
  • email - User’s email address
  • User.Read - Basic user profile from Graph API

No admin consent is required for these scopes: all four are user-consentable, so each user approves them on first login. If your tenant has disabled user consent, an administrator must grant consent once for the app registration.

Google Workspace

  1. Create OAuth Client in Google Cloud

    Go to Google Cloud Console > APIs & Services > Credentials:

    • Click + Create Credentials > OAuth client ID
    • Application type: Web application
    • Name: Bifrost SSO
    • Authorized redirect URIs: https://your-domain.com/auth/callback/google
  2. Configure OAuth Consent Screen

    If prompted, set up the OAuth consent screen:

    • User type: Internal limits sign-in to accounts in your Google Workspace organization; External lets any Google account authenticate, so choose it only if you gate access another way
    • App name, support email, developer contact
    • Scopes: Add email, profile, openid
  3. Copy Credentials

    After creating the client, copy:

    • Client ID
    • Client Secret
  4. Configure in Bifrost

    Go to Settings > SSO and add Google:

    • Client ID: From Google Cloud Console
    • Client Secret: From Google Cloud Console

    [Screenshot: Add Google SSO dialog]

Generic OIDC

Use any OpenID Connect-compliant identity provider (Okta, Auth0, Keycloak, etc.).

  1. Create Application in Your IdP

    Register a new OIDC/OAuth application:

    • Application type: Web application
    • Redirect URI: https://your-domain.com/auth/callback/oidc
    • Grant type: Authorization Code, with client secret authentication; leave the implicit and resource-owner-password grants disabled
  2. Get Discovery URL

    Find your IdP’s OIDC discovery endpoint. Common formats:

    • Okta: https://your-org.okta.com/.well-known/openid-configuration
    • Auth0: https://your-tenant.auth0.com/.well-known/openid-configuration
    • Keycloak: https://keycloak.example.com/realms/your-realm/.well-known/openid-configuration
  3. Configure in Bifrost

    Go to Settings > SSO and add OIDC:

    • Discovery URL: Your IdP's .well-known/openid-configuration URL (must be https; the issuer, endpoints and signing keys come from this document, so it has to be reachable from the Bifrost server, not just from your browser)
    • Client ID: From your IdP
    • Client Secret: From your IdP
    • Display Name (optional): Custom text for the login button (e.g., “Sign in with Okta”)

    [Screenshot: Add OIDC SSO dialog]
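The relying-party side of the authorization-code flow that all three provider types above rely on, shown as an added Python example (not Bifrost's own code). It runs offline: the discovery document is constructed to look like a Keycloak realm at keycloak.example.com, an assumed host, and the client ID bifrost-sso and callback https://bifrost.example.com/auth/callback/oidc are assumed values. The claim checks are the ones OpenID Connect Core requires a relying party to perform after verifying the signature; signature verification against jwks_uri is left to a JOSE library and not shown.

```python
"""Relying-party side of the OIDC authorization-code flow (added example, not
Bifrost's code). Runs offline: the discovery document is constructed to look
like a Keycloak realm at keycloak.example.com, an assumed host, and the client
ID and callback URL are assumed values. Signature verification of the ID token
against jwks_uri is left to a JOSE library and is not shown here."""
import base64
import hashlib
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed discovery document: what GET <Discovery URL> would return.
DISCOVERY_DOC = json.loads("""{
  "issuer": "https://keycloak.example.com/realms/bifrost",
  "authorization_endpoint": "https://keycloak.example.com/realms/bifrost/protocol/openid-connect/auth",
  "token_endpoint": "https://keycloak.example.com/realms/bifrost/protocol/openid-connect/token",
  "jwks_uri": "https://keycloak.example.com/realms/bifrost/protocol/openid-connect/certs",
  "response_types_supported": ["code", "id_token"],
  "code_challenge_methods_supported": ["S256"]
}""")
CLIENT_ID = "bifrost-sso"                                        # assumed
REDIRECT_URI = "https://bifrost.example.com/auth/callback/oidc"  # assumed host


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def start_login(doc, client_id, redirect_uri):
    """Build the authorization request. Returns (url, pending) where `pending`
    (state, nonce, PKCE verifier) must be stored server-side, bound to the
    browser session, until the callback arrives."""
    if "code" not in doc["response_types_supported"]:
        raise ValueError("IdP does not advertise the authorization code flow")
    pending = {"state": secrets.token_urlsafe(32), "nonce": secrets.token_urlsafe(32)}
    params = {
        "response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
        "scope": "openid profile email", "state": pending["state"], "nonce": pending["nonce"],
    }
    if "S256" in doc.get("code_challenge_methods_supported", []):
        pending["verifier"] = secrets.token_urlsafe(64)
        params["code_challenge"] = _b64url(hashlib.sha256(pending["verifier"].encode()).digest())
        params["code_challenge_method"] = "S256"
    return doc["authorization_endpoint"] + "?" + urlencode(params), pending


def handle_callback(callback_url, pending):
    """Check the redirect back from the IdP and return the code to exchange at
    token_endpoint (together with pending['verifier'] and the client secret)."""
    q = parse_qs(urlparse(callback_url).query)
    if "error" in q:
        raise ValueError("IdP returned error: " + q["error"][0])
    if q.get("state", [None])[0] != pending["state"]:
        raise ValueError("state mismatch: CSRF or stale login attempt")
    if "code" not in q:
        raise ValueError("callback carries no authorization code")
    return q["code"][0]


def validate_id_token_claims(claims, doc, client_id, expected_nonce, now=None):
    """Claim checks a relying party must do after verifying the signature
    (OpenID Connect Core 3.1.3.7). Returns the identity to create a session for."""
    now = time.time() if now is None else now
    if claims.get("iss") != doc["issuer"]:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if client_id not in aud:
        raise ValueError("token was not issued for this client")
    if len(aud) > 1 and claims.get("azp") != client_id:
        raise ValueError("azp mismatch on multi-audience token")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("iat", 0) > now + 60:
        raise ValueError("iat is in the future")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch: token replayed or from another login")
    if not claims.get("email_verified", False):
        raise ValueError("IdP has not verified the email address")
    return {"sub": claims["sub"], "email": claims["email"]}


if __name__ == "__main__":
    url, pending = start_login(DISCOVERY_DOC, CLIENT_ID, REDIRECT_URI)
    print("redirect browser to:", url)
    # Simulated IdP redirect back to Bifrost carrying a constructed code.
    code = handle_callback(REDIRECT_URI + "?code=SplxlOBeZQQYbYS6WxSbIA&state=" + pending["state"], pending)
    # Constructed payload of the ID token the token endpoint would return for `code`.
    claims = {"iss": DISCOVERY_DOC["issuer"], "aud": CLIENT_ID, "sub": "f1f2a3",
              "email": "alice@example.com", "email_verified": True,
              "iat": int(time.time()), "exp": int(time.time()) + 300, "nonce": pending["nonce"]}
    print("session for:", validate_id_token_claims(claims, DISCOVERY_DOC, CLIENT_ID, pending["nonce"]))
```

The state value defends against login CSRF, the nonce binds the ID token to the login attempt that requested it, and the PKCE verifier stops an intercepted authorization code from being exchanged by anyone else; all three live only on the server, keyed to the browser session, which is why the code exchange and claim checks happen server-side and never in the browser.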

You can enable multiple SSO providers simultaneously. Once one or more providers are configured, the SSO settings page shows their status, and the login page surfaces a button per configured provider.

[Screenshot: SSO settings page in configured state]

[Screenshot: Login page with SSO buttons]

Error: “redirect_uri_mismatch” or “invalid redirect”

The IdP compares the redirect_uri Bifrost sends (https://your-domain.com/auth/callback/<provider>) with the URI registered in the app as an exact string, and rejects any difference:

  • Check for trailing slashes
  • Verify protocol (https vs http)
  • Confirm the domain, and any explicit port, are correct
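A small diagnostic, added here as example code rather than anything shipped with Bifrost, that compares the callback registered at the IdP with the one Bifrost sends and names the component that differs; the URLs in it are assumed values.

```python
"""Explain why an IdP's exact-match redirect URI check fails (added example,
not Bifrost code). Hostnames are lowercased because DNS names are
case-insensitive; everything else is compared byte for byte."""
from urllib.parse import urlsplit


def diagnose_redirect_uri(registered, actual):
    """Return [] if the two URIs would pass an exact-match check, otherwise one
    human-readable reason per differing component."""
    r, a = urlsplit(registered.strip()), urlsplit(actual.strip())
    problems = []
    if r.scheme.lower() != a.scheme.lower():
        problems.append("scheme differs: registered '%s', Bifrost sends '%s'" % (r.scheme, a.scheme))
    if (r.hostname or "") != (a.hostname or ""):
        problems.append("host differs: registered '%s', Bifrost sends '%s'" % (r.hostname, a.hostname))
    if r.port != a.port:
        problems.append("port differs: registered %s, Bifrost sends %s" % (r.port, a.port))
    if r.path != a.path:
        if r.path.rstrip("/") == a.path.rstrip("/"):
            problems.append("trailing slash differs: '%s' vs '%s'" % (r.path, a.path))
        else:
            problems.append("path differs: registered '%s', Bifrost sends '%s'" % (r.path, a.path))
    if r.query != a.query or r.fragment != a.fragment:
        problems.append("query string or fragment differs; a callback URI should carry neither")
    return problems


if __name__ == "__main__":
    # Assumed values: what an admin typed into the IdP vs what Bifrost actually sends.
    registered = "http://bifrost.example.com/auth/callback/oidc/"
    actual = "https://bifrost.example.com/auth/callback/oidc"
    for problem in diagnose_redirect_uri(registered, actual):
        print("-", problem)
```

Most IdPs echo the rejected redirect_uri in their error page or response (Google's and Microsoft's error messages both include it); pass that value as the second argument and the registered value as the first.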

Users are rejected by the IdP (Google with an Internal consent screen, or Microsoft with a single-tenant registration):

  • Ensure the user's email domain matches your organization
  • Check that the user exists in the directory and, for Microsoft, that the account belongs to the tenant ID configured in Bifrost

For OIDC providers:

  • Verify the discovery URL is reachable from the Bifrost server; it is fetched server-side, so a URL that opens in your browser may still be blocked by egress rules or DNS on the host
  • Check that the client ID and secret are correct and that the secret has not expired or been rotated at the IdP
  • Ensure the IdP's TLS certificate is valid and issued by a CA the Bifrost host trusts; the discovery, token and JWKS endpoints are all fetched over HTTPS

Security notes:

  • All client secrets are encrypted at rest
  • Tokens are validated server-side before creating sessions; the authorization code is exchanged and the ID token checked by the Bifrost server, never by the browser
  • SSO sessions follow the same expiration as regular sessions