Single sign-on (SSO) lets your team authenticate to Knoq through your existing identity provider instead of managing separate credentials. When SSO is enabled, members sign in through the provider you configure — and when SSO is enforced, it becomes the only permitted sign-in method for your organization. Knoq supports Google SSO on the Team plan and enterprise SAML/OIDC on the Business plan.

SSO options by tier

The SSO features available to your organization depend on your plan.
Feature | Free | Solo | Team | Business
Google SSO
Enterprise SAML / OIDC
SCIM provisioning
Enforce SSO
To access SSO settings, go to Admin in the sidebar and select SSO. The page shows your current provider configuration, enforcement status, and setup options available on your plan.

Set up Google SSO

Google SSO allows members to sign in to Knoq with their Google Workspace accounts. You do not need to exchange any credentials with Google; Knoq handles the OAuth flow for you.

1. Open the SSO settings page

In the sidebar, click Admin, then select SSO.

2. Enable Google SSO

Under the Google section, click Enable Google SSO. Knoq activates Google as your SSO provider immediately.

3. Communicate the change to your team

Let your members know they can now sign in with their Google accounts. Existing sessions remain active — members will use Google SSO on their next sign-in.

Once Google SSO is active, the sign-in page will show a Continue with Google option alongside the standard sign-in flow, unless you also enforce SSO (see below).

Set up enterprise SSO (Business)

Enterprise SSO connects Knoq to any SAML 2.0 or OIDC-compatible identity provider, including Okta, Microsoft Entra ID (Azure AD), OneLogin, and others. This option is available exclusively on the Business plan.

1. Open the SSO settings page

In the sidebar, click Admin, then select SSO.

2. Select SAML or OIDC

Under the Enterprise SSO section, choose your protocol — SAML or OIDC — based on what your identity provider supports.

3. Enter your identity provider details

For SAML, provide your IdP’s metadata URL or, if your IdP does not publish a metadata endpoint, enter the Entity ID and SSO URL manually.

For OIDC, provide your IdP’s issuer URL, client ID, and client secret.

4. Register the Knoq redirect URI in your IdP

Knoq displays a redirect URI on the SSO settings page. Copy this URI and add it to your identity provider’s list of allowed redirect / callback URLs. The exact location varies by IdP:
  • Okta: Applications > your app > Sign On > Redirect URIs
  • Entra ID: App registrations > your app > Authentication > Redirect URIs
  • OneLogin: Applications > your app > Configuration > Redirect URI

5. Save and test

Click Save configuration. Knoq validates the connection by performing a test exchange. If validation succeeds, enterprise SSO is active for your organization.
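
For the manual-entry case in step 3, the Entity ID and SSO URL can be read out of a SAML metadata XML file exported from the IdP. The following is an added example, not Knoq code: it parses constructed sample metadata (idp.example.com is a placeholder), and the default HTTP-Redirect binding and the HTTPS check are assumptions, since the page does not say which binding Knoq expects.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"  # assumed default

# Constructed sample metadata; idp.example.com is a placeholder IdP.
SAMPLE_METADATA = b"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.com/saml/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/saml/sso/post"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/saml/sso/redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def idp_fields(metadata: bytes, binding: str = REDIRECT) -> dict:
    """Return the Entity ID and SSO URL for one binding from IdP metadata."""
    # Refuse DTDs before parsing: SAML metadata never needs one, and entity
    # declarations are how XML expansion attacks start. Assumes UTF-8 input.
    if b"<!DOCTYPE" in metadata or b"<!ENTITY" in metadata:
        raise ValueError("DTD/entity declarations are not allowed in metadata")
    root = ET.fromstring(metadata)
    # Accept a bare EntityDescriptor or an EntitiesDescriptor wrapper.
    if root.tag == f"{{{MD}}}EntityDescriptor":
        entities = [root]
    else:
        entities = root.findall(".//md:EntityDescriptor", NS)
    for entity in entities:
        idp = entity.find("md:IDPSSODescriptor", NS)
        if idp is None:
            continue  # entity has no IdP role (for example, SP-only)
        for sso in idp.findall("md:SingleSignOnService", NS):
            if sso.get("Binding") != binding:
                continue
            url = sso.get("Location", "")
            if not url.startswith("https://"):
                raise ValueError(f"SSO URL is not HTTPS: {url!r}")
            return {"entity_id": entity.get("entityID"), "sso_url": url}
    raise ValueError(f"no IdP SingleSignOnService with binding {binding}")


if __name__ == "__main__":
    print(idp_fields(SAMPLE_METADATA))
```

Pass the binding URI as the second argument if your setup uses HTTP-POST instead.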

Enforce SSO

Enforcing SSO means every member of your organization must authenticate through your configured SSO provider. Members who attempt to use a password or a different sign-in method will be redirected to your IdP.

1. Ensure SSO is configured and working

Before enforcing, confirm that your SSO provider is set up and that at least one admin can sign in successfully via SSO. You do not want to lock yourself out.

2. Toggle Enforce SSO

On the SSO settings page, enable the Enforce SSO toggle. Knoq applies the policy immediately.

3. Communicate with your team

Notify your members that SSO is now required. On their next sign-in, they will be directed through your identity provider.

Enforcing SSO affects all members immediately. Any member who has not yet signed in via SSO will be locked out on their next authentication attempt until they complete the SSO flow. Make sure your identity provider is correctly configured and that all members have accounts in your IdP before you flip this toggle.

SCIM provisioning

Business plan organizations can automate member provisioning and deprovisioning with SCIM. When SCIM is active, your identity provider can push user lifecycle events — new hires, role changes, and departures — directly to Knoq, without requiring manual invitations or removals. For full setup instructions and the SCIM API reference, see the SCIM overview.