
SSO/IDP Configuration

Connect Microsoft Entra, Google Workspace, or any OpenID Connect provider so technicians can sign in to Level with existing credentials.

Introduction

Configure single sign-on so your team can sign in to Level using their existing identity provider (IdP) instead of a separate Level password. Level offers two preconfigured IdPs (Microsoft Entra and Google Workspace) plus a generic OpenID Connect (OIDC) option that works with any other IdP that speaks the protocol: Okta, Auth0, JumpCloud, OneLogin, Ping Identity, Keycloak, and others.

ℹ️ NOTE: "IdP" (identity provider) is the system that authenticates your users. "OIDC" (OpenID Connect) is the protocol Level uses to talk to it. Microsoft Entra and Google Workspace are both IdPs that speak OIDC under the hood; Level preconfigures them so the setup is one-click. The third row, labeled OIDC, is the generic protocol option for any other IdP that supports OpenID Connect.

This article walks through setup per provider, how to switch users to SSO once a provider is connected, and how to edit or disconnect a provider.


How SSO Works in Level

Level treats each provider as an organization-wide integration. Connecting a provider doesn't change anyone's authentication automatically. Admins move individual technicians to SSO from Workspace → Team, and any user who hasn't been switched continues to sign in with email and password.

ℹ️ NOTE: Only one SSO provider can be configured at a time. To switch from one provider to another (for example, Entra to OIDC), disconnect the current provider first, then connect the new one. Disconnect immediately reverts every SSO user to email/password auth, so plan password resets for affected users before you swap.

SSO Configuration

A technician's SSO identity is matched on email address. The email on their Level account must match the email returned by the identity provider. The match is case-insensitive, so two addresses that differ only in letter case resolve to the same user. Apart from case, the local part (before the @) does have to be identical.

💡 TIP: Keep at least one admin account on email and password authentication. If your identity provider goes down, SSO users can't sign in. A local admin account gives you a break-glass path back in without depending on the provider.


Connecting Microsoft Entra

Microsoft Entra (formerly Azure AD) uses a one-click OAuth flow. You don't need to manually register an application in Entra. Level's app handles registration and authorization on Microsoft's side.

  1. Navigate to Settings → Organization.

  2. Scroll to the Single sign-on section.

  3. Click Connect next to Microsoft Entra.

  4. You'll be redirected to Microsoft to sign in with an Entra admin account and grant consent for Level to read user profile and email data.

  5. After consent, Microsoft redirects you back to Level. The Microsoft Entra row now shows a Connected badge along with your Tenant ID.

⚠️ WARNING: The Microsoft account you authorize with must have permission to grant tenant-wide consent for the Level application. If you connect with a non-admin account, the consent screen will fail and the integration won't complete.


Connecting Google Workspace

Google Workspace uses the same one-click pattern as Microsoft Entra. Level handles the application registration on Google's side.

  1. Navigate to Settings → Organization.

  2. Scroll to the Single sign-on section.

  3. Click Connect next to Google Workspace.

  4. Sign in to Google with a Workspace super admin account and grant consent for Level to read profile and email data.

  5. Google redirects you back to Level. The Google Workspace row now shows a Connected badge.

ℹ️ NOTE: Google Workspace SSO works for any user in your Workspace domain. Level matches identities by email, so the email on each technician's Level account must match their Workspace email exactly.


Connecting a Custom OIDC Provider

Use the OIDC option for any IdP that speaks OpenID Connect: Okta, Auth0, JumpCloud, OneLogin, Ping Identity, Keycloak, AWS Cognito, and others. This is a manual setup because Level can't pre-register an application across every IdP.

The flow has two parts: create an application in your IdP, then enter its credentials into Level.

Step 1: Create an application in your identity provider

In your provider's admin console, create a new OpenID Connect application. Level uses the implicit flow with an id_token response type, which means the application has to be configured as a browser-side app, not a server-side web app.

Use these settings:

  • Application type: Single Page Application (SPA), sometimes labeled "Browser-based app"

  • Grant type / response type: Implicit Flow with id_token (Auth0 calls this "Implicit Grant"; Okta calls it "Implicit (Hybrid)"; some newer admin UIs split it as "Allow Implicit Hybrid")

  • Sign-in redirect URI: the callback URL Level provides in the OIDC config dialog (exact match, including protocol and path)

  • Token signing algorithm: RS256 (the default on almost every IdP)

  • Scopes: openid and email available to the application

⚠️ WARNING: Many IdPs disable implicit flow by default because the OAuth community classifies it as legacy. You may need to explicitly enable it in your application settings. In Auth0, find this under Advanced Settings → Grant Types. In Okta, tick the Implicit (Hybrid) grant type checkbox on the application. If implicit flow isn't enabled on the IdP side, Level's sign-in redirect will silently fail or return a generic error.

Save the application and copy the resulting Client ID and Issuer URL (sometimes called the "OIDC discovery URL" or "domain"). Level uses the implicit flow, so there's no client secret to copy. You'll paste the Client ID and Issuer URL into Level next.

ℹ️ NOTE: Each provider names the issuer URL slightly differently. In Auth0 it's your tenant domain (e.g., https://your-tenant.us.auth0.com); Auth0 may emit the issuer with a trailing slash, which Level handles automatically. In Okta, the issuer depends on tenant type: prod tenants use https://<your-org>.okta.com, and developer accounts use https://dev-<id>.okta.com. In JumpCloud, the issuer appears on the SSO application detail page.
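As an added example (not Level's code): the checks a relying party applies to the id_token that the implicit flow configured above returns in the redirect, followed by the email match rule from the SSO Configuration section. RS256 signature verification against the provider's jwks_uri is assumed to happen before these checks; the team roster, issuer, Client ID and token are constructed samples.

```python
import base64
import json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def decode_claims(id_token: str) -> dict:
    # Payload segment only; RS256 signature verification against the
    # provider's jwks_uri is assumed to run before these claim checks.
    payload = id_token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def validate_claims(claims, issuer, client_id, nonce, now):
    # Names of the claims that fail the relying-party checks (empty == accept).
    failed = []
    if claims.get("iss", "").rstrip("/") != issuer.rstrip("/"):
        failed.append("iss")    # minted by a different issuer (trailing slash ignored)
    aud = claims.get("aud", [])
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        failed.append("aud")    # not issued to this Client ID
    if claims.get("nonce") != nonce:
        failed.append("nonce")  # response does not belong to this sign-in request
    if int(claims.get("exp", 0)) <= now:
        failed.append("exp")
    if not claims.get("email"):
        failed.append("email")  # email scope not granted on the IdP application
    return failed

def resolve_technician(token_email, team):
    # Case-insensitive but otherwise exact match; no JIT provisioning,
    # so an address that is not already on the team returns None.
    for account_email, name in team.items():
        if account_email.casefold() == token_email.casefold():
            return name
    return None

# Constructed sample: a team roster and an id_token carrying a dummy signature.
TEAM = {"Alice.Smith@example.com": "Alice Smith"}
SAMPLE_CLAIMS = {"iss": "https://dev-123456.okta.com/", "aud": "0oa-level-client",
                 "nonce": "n-0S6_WzA2Mj", "exp": 1900000000,
                 "email": "alice.smith@EXAMPLE.com"}
SAMPLE_ID_TOKEN = ".".join([b64url(b'{"alg":"RS256","typ":"JWT"}'),
                            b64url(json.dumps(SAMPLE_CLAIMS).encode()), "sig"])
```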

OIDC Callback

Step 2: Configure OIDC in Level

💡 TIP: If you're not sure what the issuer URL should be, check your provider's OIDC discovery document. It's usually served at https://<your-domain>/.well-known/openid-configuration. The issuer field in that document is what Level expects in the Issuer URL field.

  1. Navigate to Settings → Organization.

  2. Scroll to the Single sign-on section.

  3. Click Connect next to OIDC.

  4. In the OIDC configuration dialog, enter the Issuer URL and Client ID you copied from your identity provider.

  5. Click Save to validate the configuration. Level runs OIDC discovery against the issuer URL to confirm the connection works.

  6. Once validated, the OIDC row shows a Connected badge and displays the issuer URL beneath the OIDC label.
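The issuer check from the tip above and the FAQ's "invalid issuer" entry, as an added Python example that is not Level's own validation: it compares the Issuer URL you are about to save against the discovery document's issuer field, tolerating a trailing slash, and names the common mistakes (http, pasted discovery URL, missing Keycloak realm path). The discovery document is a constructed sample; fetch_discovery is the optional live variant.

```python
import json
from urllib.parse import urlparse
from urllib.request import urlopen

WELL_KNOWN = "/.well-known/openid-configuration"

def diagnose_issuer(configured: str, discovery: dict) -> str:
    # Compare the Issuer URL you are about to save against the discovery
    # document's issuer field; returns "ok" or the likely mistake.
    if urlparse(configured).scheme != "https":
        return "scheme must be https"
    if configured.rstrip("/").endswith(WELL_KNOWN):
        return "that is the discovery URL; paste the issuer field instead"
    expected = discovery.get("issuer")
    if not expected:
        return "discovery document has no issuer field"
    conf, exp = configured.rstrip("/"), expected.rstrip("/")  # Auth0 may add a slash
    if conf == exp:
        return "ok"
    if exp.startswith(conf + "/realms/"):   # Keycloak issuers include the realm path
        return "missing realm path: issuer is " + expected
    return "issuer mismatch: document says " + expected

def supports_implicit_id_token(discovery: dict) -> bool:
    # Level requests response_type=id_token, so the IdP must advertise it.
    return "id_token" in discovery.get("response_types_supported", [])

def fetch_discovery(issuer: str) -> dict:
    # Live check (needs network): GET <issuer>/.well-known/openid-configuration
    with urlopen(issuer.rstrip("/") + WELL_KNOWN, timeout=10) as resp:
        return json.load(resp)

# Constructed sample discovery document in the shape Keycloak serves.
SAMPLE_DISCOVERY = {
    "issuer": "https://keycloak.example.com/realms/level",
    "jwks_uri": "https://keycloak.example.com/realms/level/protocol/openid-connect/certs",
    "response_types_supported": ["code", "id_token", "token id_token"],
    "id_token_signing_alg_values_supported": ["RS256"],
}
```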


Provider-specific tips

The OIDC integration works with any standards-compliant provider that supports implicit flow. Here's how the common field names map:

  • Okta: Application type "Single-Page App." Grant type "Implicit (Hybrid)" with id_token response type. Issuer URL is https://<your-org>.okta.com for prod tenants, or https://dev-<id>.okta.com for free developer accounts.

  • Auth0: Application type "Single Page Application." Under Advanced Settings → Grant Types, enable Implicit. Issuer URL is https://<your-tenant>.<region>.auth0.com. Add the Level callback URL to Allowed Callback URLs. Auth0 may emit the issuer with a trailing slash; Level handles either form.

  • JumpCloud: Create an OIDC SSO application configured for implicit flow. Issuer URL appears on the SSO app detail page after creation.

  • Keycloak: Create a client with access type "public" (not confidential, since implicit flow doesn't use a client secret). Enable Implicit Flow Enabled under the client's settings. Issuer URL is https://<keycloak-host>/realms/<realm>.

ℹ️ NOTE: Level supports one custom OIDC connection at a time. If you need to switch from one OIDC IdP to another (for example, Auth0 to Okta), disconnect first, then reconnect with the new issuer URL and credentials.


Switching Users to SSO

⚠️ WARNING: Switching a user to SSO clears their existing Level password. If you later switch them back to email and password authentication, they'll need to reset their password before they can sign in.

Connecting a provider doesn't move anyone to SSO automatically. To switch a technician:

  1. Go to Workspace → Team.

  2. Find the technician's row and open the three-dot menu.

  3. Select Switch to SSO.

The switch is immediate. The technician's Auth column updates to show their new authentication method, and on their next sign-in they're redirected to the connected SSO provider instead of seeing the Level password prompt.

ℹ️ NOTE: Existing 2FA settings on a Level account are bypassed once the user is on SSO. The identity provider handles authentication and any MFA enforcement from that point on.

For the full Workspace Team workflow, see Workspace Team.


Editing an OIDC Connection

OIDC is the only provider with editable settings. Entra and Google Workspace are managed entirely through OAuth consent, so there's nothing to edit on the Level side. If your OIDC issuer URL changes or you need to point Level at a different application:

  1. Navigate to Settings → Organization.

  2. In the Single sign-on section, click Edit on the OIDC row.

  3. Update the Issuer URL or Client ID.

  4. Click Save. Level revalidates OIDC discovery against the new values.

⚠️ WARNING: Saving invalid values breaks SSO for everyone on this provider until you correct them. Test sign-in from an incognito window before relying on a new configuration.


Disconnecting a Provider

Disconnecting removes the provider integration and prevents any user assigned to it from signing in via SSO.

  1. Navigate to Settings → Organization.

  2. In the Single sign-on section, click Disconnect on the provider row.

  3. Confirm the action.

⚠️ WARNING: Disconnecting a provider immediately flips every SSO user back to email and password authentication and clears their SSO link. Since switching to SSO clears the user's Level password, those users won't be able to sign in until they reset it (via the forgot-password flow or an admin-sent invite). Plan recovery before you disconnect.


FAQ

  • Can I require all technicians to use SSO? Not with a single toggle. After connecting a provider, switch users to SSO individually from Workspace → Team. There's no "force SSO for everyone" option yet.

  • Can I connect more than one SSO provider at once? No. Only one provider can be configured at a time. To switch providers (for example, from Microsoft Entra to OIDC), disconnect the current one first, then connect the new one. Disconnect flips all current SSO users back to email/password auth, so plan password resets for affected users before you swap.

  • What happens to a technician's 2FA setting when I switch them to SSO? Their Level-side 2FA is bypassed on SSO sign-in. From that point on, MFA is enforced by the identity provider (or not, if the provider doesn't enforce it).

  • What happens to a user's Level password when I switch them to SSO? It gets cleared. If you later switch the user back to email-based authentication, they'll need a password reset before they can sign in. There's no way to restore the previous password.

  • My provider isn't listed. Can I still use SSO? If it supports OpenID Connect with implicit flow, yes. Use the OIDC option with your provider's issuer URL and client ID. SAML-only providers aren't currently supported.

  • I configured OIDC and the redirect happens, but sign-in silently fails or shows a generic error. What's wrong? This almost always means your IdP application is configured as a Web Application (Authorization Code flow) instead of a Single Page Application (Implicit flow). Level uses the implicit flow with an id_token response type. Reconfigure the IdP application as an SPA with implicit flow enabled, save, and try signing in again.

  • I'm getting "invalid issuer" or "OIDC discovery failed" when saving the OIDC config. What's wrong? The issuer URL must match the OIDC issuer exactly as it appears in the discovery document (the issuer field in /.well-known/openid-configuration). Common mistakes: http instead of https, missing realm path on Keycloak, or pasting the discovery URL (.../.well-known/openid-configuration) instead of the issuer URL.

  • Who can set up or disconnect SSO? Only technicians with the Administrator role can configure SSO providers. Other roles see the Single sign-on section but can't connect, edit, or disconnect.

  • Does Level auto-create users when they first sign in via SSO? No. Just-in-time (JIT) provisioning isn't supported, so each technician must exist in Workspace → Team first. You can mark them as SSO at invite time, or invite them as email/password and switch them later.
