Set up Single Sign-On (SSO)
Updated on 08.07.2026
With Single Sign-On, your staff sign in with their existing company account — no extra password. MyIdeas supports Microsoft Entra ID, Google Workspace, Okta, JumpCloud, cidaas and Keycloak via the open OpenID Connect standard.
Your redirect URL (redirect URI)
You must register this address at your identity provider as an allowed redirect URL. Replace „yourcity“ with your actual subdomain:
https://deinestadt.my-ideas.de/api/auth/sso/callbackIf you use a custom domain, use https://your-domain.com/api/auth/sso/callback instead.
Register an app at your identity provider
At your provider (e.g. Microsoft Entra ID, Google Cloud Console or Okta), create a new OAuth/OIDC application, enter the redirect URI above and note the client ID and client secret.
Add the provider in MyIdeas
In your instance, open Moderation → SSO, select your provider and enter the client ID and client secret. Depending on the provider, an additional value is required:
| Provider | Additional value |
|---|---|
| Microsoft Entra ID | Verzeichnis-/Tenant-ID (optional, sonst „common“) |
| Google Workspace | — |
| Okta | Issuer-URL (z. B. https://firma.okta.com) |
| JumpCloud | Org-ID |
| cidaas | Basis-URL (z. B. https://firma.cidaas.de) |
| Keycloak | Basis-URL + Realm |
Optional: restrict to email domains
If you want to allow SSO only for certain email domains, enter them comma-separated in the „Allowed domains“ field. Leaving it empty means all domains are allowed.
stadt-xyz.de, verwaltung.deEnable, test and sign in
Enable the provider and save. On the sign-in page, a „Sign in with …“ button now appears in addition to the SMS login. On the first login, the user account is created or linked automatically based on the email address.
Sign in
FAQ & troubleshooting
Error „redirect_uri mismatch“
The redirect URL registered at the provider doesn't exactly match your address. It must end exactly with …/api/auth/sso/callback, including https:// and without a trailing slash.
Message „Your email domain is not allowed“
The email domain of the signing-in account isn't in the list of allowed domains. Add the domain under Moderation → SSO or leave the field empty.
I don't see any SSO settings
The SSO area is available in the Organisation plan. Check your plan under Moderation → Plan or contact us for an upgrade.