SSO Setup

Connect Okta, Microsoft Entra ID, or Google Workspace so your team signs in through your identity provider.

This guide is for the IT admin connecting a company identity provider (IdP) to InterMIND. After setup, members sign in from the regular login page: Sign in with SSO → work email → your IdP → back in InterMIND.

Available on: Business and Enterprise plans
Configured by: team owner or admin
Protocol: OpenID Connect (OIDC). SAML 2.0 sign-in is in development — SAML configuration is stored but cannot be used to sign in yet.

Prerequisites

  1. A verified domain — verify your email domain via DNS TXT record first (see Domain Management). SSO sign-in only accepts accounts whose email domain your team has verified; this is the tenant boundary.
  2. An IdP that supports OIDC with discovery — it must serve /.well-known/openid-configuration under the Issuer URL. Okta, Microsoft Entra ID, and Google all do.

What to register in your IdP

Create an OIDC Web Application in your IdP with:

Setting | Value
Redirect URI (callback) | https://intermind.com/api/auth/sso/callback (also shown in the SSO card after you select OIDC)
Grant type | Authorization Code (PKCE S256 is used automatically)
Scopes | openid email profile

The ID token your IdP issues must include the user's email, and the email's domain must be one of your verified domains — otherwise sign-in is refused.

Then fill in the SSO card on the Integrations page:

Field | What to paste
Display Name | Any label your members will recognize
Issuer URL | Your IdP's issuer, i.e. the URL that serves /.well-known/openid-configuration
Authorization URL | The authorization_endpoint from that discovery document
Client ID / Client Secret | From the app you registered

The client secret is encrypted at rest and never returned to the browser after saving.

Okta

  1. Admin console → Applications → Create App Integration → sign-in method OIDC, application type Web Application
  2. Sign-in redirect URI: https://intermind.com/api/auth/sso/callback
  3. Assign the users or groups who should have access
  4. Copy the Client ID and Client Secret
  5. In InterMIND: Issuer URL = your Okta org URL (e.g. https://acme.okta.com, or your authorization server's issuer such as https://acme.okta.com/oauth2/default if you use one); Authorization URL = the authorization_endpoint from <issuer>/.well-known/openid-configuration

Microsoft Entra ID (Azure AD)

  1. Entra admin center → App registrations → New registration
  2. Platform Web, redirect URI https://intermind.com/api/auth/sso/callback
  3. Certificates & secrets → New client secret — copy the secret Value immediately
  4. Client ID = the Application (client) ID on the Overview page
  5. Make sure the ID token carries the user's email: Token configuration → Add optional claim → ID → email
  6. In InterMIND: Issuer URL = https://login.microsoftonline.com/<tenant-id>/v2.0; Authorization URL = https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/authorize

Google Workspace

No app registration needed. In the SSO card choose the Google Workspace provider type and save — members on your verified domains sign in with their Google account and join your team automatically. (Google can also be connected as a generic OIDC provider with issuer https://accounts.google.com if you prefer explicit client credentials.)

Test the connection

  1. Open the login page in a private/incognito window
  2. Click Sign in with SSO and enter a work email on your verified domain
  3. You are redirected to your IdP; after authenticating, you land back in InterMIND signed in
  4. The sign-in is recorded in the team audit log (exportable from the Users page) as auth.login with method sso

Troubleshooting

Symptom | Cause
"SSO is not configured" after entering the email | No enabled SSO config matches that email domain; check that the domain is verified and the SSO card is saved
SSO login is not available: plan | The team's plan no longer includes SSO
SSO login is not available: domain-not-verified | The domain is still pending DNS verification
SSO login is not available: config-incomplete | Client ID or Client Secret missing; re-save the SSO card
SSO login is not available: type-unsupported | The stored config is SAML, and SAML sign-in is not available yet
SSO IdP discovery failed | Issuer URL is wrong or doesn't serve /.well-known/openid-configuration
"login session expired, start again" | More than 5 minutes passed between starting sign-in and the IdP callback
Sign-in refused after the IdP redirects back | The IdP returned an email outside your verified domains, or no email claim at all (Entra: add the optional email claim)

Security properties

For security questionnaires: the SSO flow is Authorization Code with PKCE (S256), state, and nonce; the ID token's signature is validated against the IdP's JWKS, along with issuer and audience; the IdP is authoritative only for domains verified via DNS — an assertion for any other email never produces a session; the OIDC client secret is encrypted at rest; every SSO sign-in lands in the team audit log. Plan, domain, and configuration gates are enforced server-side on both the sign-in start and the callback.