SigNoz supports single sign-on (SSO), allowing users to authenticate through an external identity provider (IdP) instead of maintaining SigNoz-specific passwords.
What’s supported
- SAML 2.0: Available on
SigNoz CloudandEnterprise Self-Hosted - OIDC: Available on
SigNoz CloudandEnterprise Self-Hosted - Google Workspace (OAuth2): Available on
Community Edition,SigNoz CloudandEnterprise Self-Hosted
How SSO works in SigNoz
At a high level, you connect your organization’s email domain to an IdP, and SigNoz defers authentication to that IdP.
- Authenticated Domain: You register a domain like
example.comunderSettings → Organization Settings → Authenticated Domains. - Choose Method: For that domain, select SAML, OIDC, or Google (for Workspace) and provide the IdP details.
- Just‑in‑Time access: Users with emails on that domain can sign in via your IdP without a prior invite.
- Attribute/Claim Mapping: Map IdP attributes (SAML) or token claims (OIDC/Google) to SigNoz user fields like email, display name, groups, and role.
- Role Mapping: Automatically assign SigNoz roles (VIEWER, EDITOR, ADMIN) based on IdP group memberships or a direct role attribute — no manual role assignment needed.
Setup at a glance
- Go to
Settings → Organization Settings → Authenticated Domains - Add your organization’s email domain (e.g.,
example.com) - Click Configure SSO and choose a method
- Save and test from an incognito window
- Optionally toggle Enforce SSO for that domain
- If you encounter any issues, you can temporarily use password authentication by appending
?password=Yto the login URL, e.g.<your-instance-url>/login?password=Y.
IdP‑Initiated SSO setup
If your provider supports IdP-initiated logins, you will see an option to set the Relay State URL in the IdP's configuration UI.
- Copy the
IdP Initiated SSO URLfrom theAuthenticated Domainssection and set this as theRelay State URLin your IdP
Next steps
Looking for step-by-step setup? See the user guides below: