Single sign-on lets your team sign in to Convoship with your company identity provider (Okta, Microsoft Entra ID, Google Workspace, and other OIDC or SAML providers) instead of a separate Convoship password. Configure it under Workspace → Single sign-on.
Only workspace owners and admins can manage SSO. Once it is enabled, end users do not need to do anything — they simply sign in through your identity provider.
What you get
- OpenID Connect (OIDC) or SAML 2.0 connections.
- Domain-based routing — people using your company email domain are sent to your provider automatically.
- Optional enforced SSO — require everyone on your domain to sign in through your provider.
- Optional SCIM directory sync — provision and deactivate members automatically from your identity provider.
Set up a connection
- Open Workspace → Single sign-on and choose New connection.
- Choose your protocol: OpenID Connect (OIDC) or SAML 2.0.
- OIDC: enter the issuer URL, client ID, and client secret from an application you create in your identity provider. SAML: Convoship shows the SP entity ID, ACS URL, and SP metadata URL — register those in your provider, then paste back its sign-on URL and signing certificate.
- Add the email domain or domains your team uses (for example, yourcompany.com).
- Choose the default role new members receive on first sign-in, then save and toggle Enable.
For SAML, copy the SP entity ID, ACS URL, and SP metadata URL shown on the connection into your identity provider — they tell your provider where to send users back after they authenticate.
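A pre-flight check for the OIDC step above, as an added example that is not Convoship code: it compares the issuer URL you are about to enter with the provider's discovery document, because OpenID Connect requires the two to match exactly. The provider URL and metadata are constructed samples, the function names are hypothetical, and requiring token_endpoint assumes the authorization code flow.

```python
from urllib.parse import urlsplit

# Fields OpenID Connect Discovery 1.0 marks REQUIRED, plus token_endpoint,
# which the spec requires for every flow except implicit-only (assumed here).
REQUIRED_FIELDS = (
    "issuer", "authorization_endpoint", "token_endpoint", "jwks_uri",
    "response_types_supported", "subject_types_supported",
    "id_token_signing_alg_values_supported",
)
ENDPOINT_FIELDS = ("authorization_endpoint", "token_endpoint", "jwks_uri")

def discovery_url(issuer):
    """Where a provider publishes its metadata for the given issuer."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"

def check_issuer(configured_issuer, metadata):
    """Return a list of problems; an empty list means the values agree."""
    problems = []
    parts = urlsplit(configured_issuer)
    if parts.scheme != "https" or not parts.netloc:
        problems.append("issuer must be an https URL")
    for field in REQUIRED_FIELDS:
        if not metadata.get(field):
            problems.append(f"discovery document is missing {field}")
    # Exact string comparison: a trailing slash or a different path makes a
    # spec-compliant relying party reject the ID token's iss claim later.
    published = metadata.get("issuer")
    if published and published != configured_issuer:
        problems.append(f"issuer does not match discovery document: {published!r}")
    for field in ENDPOINT_FIELDS:
        value = metadata.get(field)
        if value and urlsplit(value).scheme != "https":
            problems.append(f"{field} is not an https URL")
    return problems

# Constructed sample metadata for a hypothetical provider (not a real tenant).
SAMPLE_ISSUER = "https://idp.example.com/oauth2/default"
SAMPLE_METADATA = {
    "issuer": SAMPLE_ISSUER,
    "authorization_endpoint": SAMPLE_ISSUER + "/v1/authorize",
    "token_endpoint": SAMPLE_ISSUER + "/v1/token",
    "jwks_uri": SAMPLE_ISSUER + "/v1/keys",
    "response_types_supported": ["code"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
}

if __name__ == "__main__":
    print(check_issuer(SAMPLE_ISSUER, SAMPLE_METADATA))
    print(check_issuer(SAMPLE_ISSUER + "/", SAMPLE_METADATA))
```

To use it against a real provider, fetch the JSON at `discovery_url(issuer)` and pass the parsed document as `metadata`.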
Domain routing & enforcement
When a connection is enabled for your domain, anyone entering a work email at that domain sees a Sign in with SSO option and is routed to your provider. New users are created automatically on first sign-in with the default role you chose.
Turn on Enforce SSO to require single sign-on for your domain. Members on that domain can no longer sign in with a Convoship password, so access is fully centralized in your identity provider.
Directory sync (SCIM)
Enable SCIM so your identity provider can create, update, and deactivate Convoship members automatically as your directory changes. Convoship provides a SCIM base URL and a bearer token to paste into your provider's provisioning settings.
The SCIM token is shown only once when generated. Copy it into your identity provider right away, and regenerate it if it is ever exposed.
What your team sees
On the sign-in page, members enter their work email and continue with SSO. If their domain is connected they are sent to your identity provider and returned signed in; if not, they sign in with their password as usual. Email vouched for by your provider is treated as verified, so SSO members skip email verification.