
Single Sign-On (SSO)

Seal supports enterprise SSO, integrating with your existing identity provider for centralised authentication.

Supported Identity Providers

| Provider | Protocol | Status |
|---|---|---|
| Microsoft Azure AD (Entra ID) | OAuth 2.0 / OpenID Connect | Available |
| Okta | SAML / OIDC | Available on request |
| Google Workspace | OIDC | Available on request |
| Custom SAML/OIDC | SAML 2.0 / OIDC | Available on request |

For other identity providers, contact [email protected].

How SSO Works

SSO Authentication Flow Diagram

Domain-Based Routing

SSO is configured per organisation with specific email domains. Users with SSO-enabled domains are automatically redirected to the identity provider — password login is disabled for these domains.

Configuration Options

| Option | Description | Example |
|---|---|---|
| Identity Provider | SSO provider | Microsoft Azure AD |
| Email Domains | Domains requiring SSO | acme.com, acme.co.uk |
| Tenant ID | Organisation's Azure AD tenant (optional) | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx |

Multiple domains can be configured per organisation — useful for subsidiaries, regional variations, or acquisitions. All domains route to the same IdP.
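The domain-based routing described above, as an added example that is not Seal's own code: a small router that maps the domain of a login email to an organisation's SSO configuration, sends matching users to the IdP, and refuses password login for those domains on the server side rather than only hiding the password form. The configuration shape, the organisation names, the `SsoRouter` class and the exact-domain matching rule (a subdomain does not inherit its parent's SSO setting) are assumptions of this example; the tenant ID is the page's placeholder.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Optional


@dataclass(frozen=True)
class SsoConfig:
    """Per-organisation SSO settings (constructed shape, not Seal's real data model)."""
    org: str
    provider: str                      # e.g. "Microsoft Azure AD"
    domains: FrozenSet[str]            # every email domain that must use SSO
    tenant_id: Optional[str] = None    # optional Azure AD tenant ID


@dataclass(frozen=True)
class LoginDecision:
    method: str                        # "sso" -> redirect to the IdP, "password" -> local login
    org: Optional[str] = None
    provider: Optional[str] = None
    tenant_id: Optional[str] = None


class SsoRouter:
    """Routes a login attempt by the email's domain."""

    def __init__(self, configs: Iterable[SsoConfig]) -> None:
        self._by_domain: Dict[str, SsoConfig] = {}
        for cfg in configs:
            for raw in cfg.domains:
                domain = self.normalize_domain(raw)
                if domain in self._by_domain:
                    # One domain owned by two organisations would make routing ambiguous,
                    # so refuse the configuration instead of silently picking one.
                    raise ValueError(f"domain {domain!r} is configured for more than one organisation")
                self._by_domain[domain] = cfg

    @staticmethod
    def normalize_domain(domain: str) -> str:
        # DNS names are case-insensitive and may carry a trailing dot.
        return domain.strip().rstrip(".").lower()

    @classmethod
    def domain_of(cls, email: str) -> str:
        local, at, domain = email.strip().rpartition("@")
        if not at or not local or not domain or "@" in local:
            raise ValueError(f"malformed email address: {email!r}")
        return cls.normalize_domain(domain)

    def decide(self, email: str) -> LoginDecision:
        # Exact-domain match only: mail.acme.com does not inherit acme.com's SSO setting
        # (an assumption of this example; the page does not say how subdomains are treated).
        cfg = self._by_domain.get(self.domain_of(email))
        if cfg is None:
            return LoginDecision(method="password")
        return LoginDecision(method="sso", org=cfg.org, provider=cfg.provider, tenant_id=cfg.tenant_id)

    def password_login_allowed(self, email: str) -> bool:
        """Server-side enforcement: the password endpoint refuses SSO domains itself,
        rather than relying on the login form having hidden the password field."""
        return self.decide(email).method == "password"


# Constructed sample configuration for two organisations; the tenant ID is a placeholder.
ROUTER = SsoRouter([
    SsoConfig(org="Acme", provider="Microsoft Azure AD",
              domains=frozenset({"acme.com", "acme.co.uk"}),
              tenant_id="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"),
    SsoConfig(org="Globex", provider="Okta", domains=frozenset({"globex.example"})),
])


def route(email: str) -> str:
    """Human-readable summary of the routing decision for one email."""
    d = ROUTER.decide(email)
    if d.method == "sso":
        return f"redirect to {d.provider} for {d.org}"
    return "password login"


if __name__ == "__main__":
    for addr in ("Alice@ACME.COM", "bob@acme.co.uk.", "carol@mail.acme.com", "dave@example.org"):
        print(f"{addr:24} -> {route(addr)}")
```

The duplicate-domain check at construction time matters in practice: if two organisations could both claim `acme.com`, whichever was loaded last would silently capture the other's users.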

Security

| Feature | Details |
|---|---|
| Enforced SSO | Password login disabled for SSO domains |
| No password storage | Seal never receives or stores SSO user passwords |
| MFA inheritance | Users inherit MFA requirements from IdP |
| Session timeout | Configurable per org (7-day default, 15-min for 21 CFR Part 11) |

Setup

To enable SSO, provide:
  1. Email domains for SSO enforcement
  2. Azure AD Tenant ID
  3. Technical contact
Seal will configure the integration and provide redirect URIs for your Azure AD app registration.
Contact [email protected] to begin SSO setup.

User Provisioning

| Method | Description |
|---|---|
| Just-in-Time (JIT) | Users auto-created on first SSO login |
| Manual | Admins pre-create accounts |
| SCIM | Automated provisioning/deprovisioning from IdP (enterprise) |

SCIM enables automated user lifecycle management — users are created when they join and removed when they leave, with role synchronisation from your IdP.
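The JIT and SCIM provisioning methods in the table above, as an added example that is not Seal's own code: an in-memory directory that creates an account on a user's first SSO login, refreshes roles from IdP group claims on later logins, and accepts simplified SCIM-style create/update and deactivate calls so that a user removed at the IdP can no longer sign in. The `UserDirectory` class, the claim names (`sub`, `email`, `groups`), the group-to-role mapping and the rule that an assertion for an email outside the organisation's SSO domains is refused are all assumptions of this example; it is not a SCIM 2.0 endpoint.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, Mapping, Optional, Set


@dataclass
class User:
    external_id: str          # stable subject identifier issued by the IdP
    email: str
    roles: Set[str] = field(default_factory=set)
    active: bool = True


class UserDirectory:
    """In-memory directory that accepts JIT logins and SCIM-style lifecycle updates."""

    def __init__(self, sso_domains: Iterable[str], role_map: Mapping[str, str]) -> None:
        self._sso_domains = {d.lower() for d in sso_domains}
        self._role_map = dict(role_map)          # IdP group name -> application role
        self._users: Dict[str, User] = {}        # keyed by external_id, never by email

    def _roles_for(self, groups: Iterable[str]) -> Set[str]:
        # Unknown groups are ignored rather than granted; roles only ever come from the IdP.
        return {self._role_map[g] for g in groups if g in self._role_map}

    def _check_domain(self, email: str) -> str:
        email = email.strip().lower()
        if email.rpartition("@")[2] not in self._sso_domains:
            # An address outside the org's configured domains is refused even if the IdP
            # asserted it (assumption of this example; the page does not state this rule).
            raise PermissionError(f"{email}: domain is not enabled for SSO in this organisation")
        return email

    def on_sso_login(self, claims: Mapping[str, object]) -> User:
        """JIT: create the account on first SSO login; refresh email and roles afterwards."""
        email = self._check_domain(str(claims["email"]))
        groups = list(claims.get("groups", []))
        external_id = str(claims["sub"])
        user = self._users.get(external_id)
        if user is None:
            user = User(external_id=external_id, email=email, roles=self._roles_for(groups))
            self._users[external_id] = user
        elif not user.active:
            # A deprovisioned account stays closed until SCIM (or an admin) reactivates it.
            raise PermissionError(f"{email}: account has been deprovisioned")
        else:
            user.email = email
            user.roles = self._roles_for(groups)
        return user

    def scim_upsert(self, external_id: str, email: str, groups: Iterable[str],
                    active: bool = True) -> User:
        """SCIM-style create/update pushed by the IdP (simplified)."""
        email = self._check_domain(email)
        user = self._users.get(external_id)
        if user is None:
            user = User(external_id=external_id, email=email)
            self._users[external_id] = user
        user.email, user.roles, user.active = email, self._roles_for(groups), active
        return user

    def scim_deactivate(self, external_id: str) -> bool:
        """SCIM-style deprovisioning: keep the record for audit, block logins, drop roles."""
        user = self._users.get(external_id)
        if user is None:
            return False
        user.active = False
        user.roles = set()
        return True

    def get(self, external_id: str) -> Optional[User]:
        return self._users.get(external_id)


def new_directory() -> UserDirectory:
    """Constructed sample organisation: two SSO domains and two IdP groups mapped to roles."""
    return UserDirectory(sso_domains=["acme.com", "acme.co.uk"],
                         role_map={"Seal-Admins": "admin", "Seal-Users": "user"})


def demo() -> Dict[str, object]:
    """Walk one user through JIT creation, a SCIM role change, and deprovisioning."""
    d = new_directory()
    out: Dict[str, object] = {}
    u = d.on_sso_login({"sub": "idp-0001", "email": "Alice@acme.com", "groups": ["Seal-Users"]})
    out["created_roles"] = set(u.roles)
    d.scim_upsert("idp-0001", "alice@acme.com", ["Seal-Admins"])
    out["after_scim_roles"] = set(d.get("idp-0001").roles)
    d.scim_deactivate("idp-0001")
    try:
        d.on_sso_login({"sub": "idp-0001", "email": "alice@acme.com", "groups": ["Seal-Admins"]})
        out["login_after_deprovision"] = "allowed"
    except PermissionError:
        out["login_after_deprovision"] = "denied"
    return out


if __name__ == "__main__":
    print(demo())
```

Keying the store by the IdP's subject identifier rather than by email is the point to take away: an email address can be reassigned or changed at the IdP, and a directory keyed by email would either merge two people or lose the deprovisioned state of the first.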

FAQ

Can users still use password login after SSO is enabled?
No. SSO domains enforce IdP authentication only.

What if our IdP is unavailable?
Users cannot authenticate until IdP service is restored.

Can we mix SSO and password users?
Yes. SSO is per-domain; other domains can use password login.

Does SSO work with MFA?
Yes. MFA is enforced at your IdP level.

Can we use our own Azure AD tenant?
Yes. Provide your tenant ID, or use Seal's default tenant.