Skip to main content

Set up Single Sign-On (SSO)

Updated on 08.07.2026

With Single Sign-On, your staff sign in with their existing company account — no extra password. MyIdeas supports Microsoft Entra ID, Google Workspace, Okta, JumpCloud, cidaas and Keycloak via the open OpenID Connect standard.

Your redirect URL (redirect URI)

You must register this address at your identity provider as an allowed redirect URL. Replace „yourcity“ with your actual subdomain:

Redirect URIhttps://deinestadt.my-ideas.de/api/auth/sso/callback

If you use a custom domain, use https://your-domain.com/api/auth/sso/callback instead.

Register an app at your identity provider

At your provider (e.g. Microsoft Entra ID, Google Cloud Console or Okta), create a new OAuth/OIDC application, enter the redirect URI above and note the client ID and client secret.

Add the provider in MyIdeas

In your instance, open Moderation → SSO, select your provider and enter the client ID and client secret. Depending on the provider, an additional value is required:

ProviderAdditional value
Microsoft Entra IDVerzeichnis-/Tenant-ID (optional, sonst „common“)
Google Workspace
OktaIssuer-URL (z. B. https://firma.okta.com)
JumpCloudOrg-ID
cidaasBasis-URL (z. B. https://firma.cidaas.de)
KeycloakBasis-URL + Realm

Optional: restrict to email domains

If you want to allow SSO only for certain email domains, enter them comma-separated in the „Allowed domains“ field. Leaving it empty means all domains are allowed.

Allowed domainsstadt-xyz.de, verwaltung.de

Enable, test and sign in

Enable the provider and save. On the sign-in page, a „Sign in with …“ button now appears in addition to the SMS login. On the first login, the user account is created or linked automatically based on the email address.

FAQ & troubleshooting

Error „redirect_uri mismatch“

The redirect URL registered at the provider doesn't exactly match your address. It must end exactly with …/api/auth/sso/callback, including https:// and without a trailing slash.

Message „Your email domain is not allowed“

The email domain of the signing-in account isn't in the list of allowed domains. Add the domain under Moderation → SSO or leave the field empty.

I don't see any SSO settings

The SSO area is available in the Organisation plan. Check your plan under Moderation → Plan or contact us for an upgrade.

Try it free

Starter free forever

Get started