Version: 4.6.19

Single sign-on (SSO)

Gentrace supports single sign-on (SSO) via OpenID Connect (OIDC). We support any OIDC provider via a custom configuration, and test for Okta in particular.

Security notes

When SSO is enabled, all new logins and new invites for users on matching domains will need to log in via SSO.

This means that:

  • Existing sessions will not be required to log in again (for continuity). Existing users will be required to use SSO the next time they need to log in.
  • Users on non-matching domains will not be required to log in via SSO and will still log in via email.
  • New users (and existing users who are not in the organization) on matching domains will be required to use SSO when they accept an invite to the organization.

Setup

Step 1: Connect Gentrace to your OIDC Provider

Navigate to security settings and press "Configure OIDC".

Configure the integration in your provider. You'll need to pass the Redirect URL from Gentrace to your SSO provider.

For example, here's how this looks in Okta:

Press Create. [Screenshot: Create Okta application]

Use OIDC (Web application). [Screenshot: Configure Okta application]

Configure the redirect URL. [Screenshot: Set Okta redirect URL]

Then, configure the integration in Gentrace. You'll need to pass the OIDC Issuer, Client ID, and Client Secret to Gentrace.

In Okta, the issuer is the domain and protocol (e.g. https://<my-domain>.okta.com/). Here's how to get the Client ID and Client Secret: [Screenshot: Okta client ID / secret location]

And here's how that all looks in Gentrace. [Screenshot: Gentrace OIDC configuration]

Press "Continue" to test the configuration and continue to the next step if successful.
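
As an added example (not Gentrace's or Okta's own code), this Python pre-flight check validates the issuer you are about to enter against the provider's OIDC discovery document. The idp.example.com values are constructed placeholders, and the use of the authorization code flow is an assumption inferred from the "Web application" app type, not something this page states.

```python
import json
from urllib.parse import urlsplit

# Constructed sample of <issuer>/.well-known/openid-configuration (placeholder values).
SAMPLE_DISCOVERY = json.loads("""
{
  "issuer": "https://idp.example.com/",
  "authorization_endpoint": "https://idp.example.com/oauth2/v1/authorize",
  "token_endpoint": "https://idp.example.com/oauth2/v1/token",
  "jwks_uri": "https://idp.example.com/oauth2/v1/keys",
  "response_types_supported": ["code", "id_token"],
  "id_token_signing_alg_values_supported": ["RS256"]
}
""")


def discovery_url(issuer):
    """OIDC Discovery: drop any trailing slash, then append the well-known path."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def check_oidc_config(issuer, discovery):
    """Return a list of problems; an empty list means the values are consistent."""
    problems = []
    parts = urlsplit(issuer)
    if parts.scheme != "https" or not parts.netloc:
        problems.append("issuer must be an https:// URL")
    if parts.query or parts.fragment:
        problems.append("issuer must not contain a query or fragment")
    # The spec requires an exact string match, so a trailing slash matters.
    advertised = discovery.get("issuer")
    if advertised != issuer:
        problems.append(f"issuer mismatch: provider advertises {advertised!r}")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if urlsplit(discovery.get(key, "")).scheme != "https":
            problems.append(f"{key} is missing or not https")
    # Assumption: a "Web application" client uses the authorization code flow.
    if "code" not in discovery.get("response_types_supported", []):
        problems.append("response type 'code' is not advertised")
    if "RS256" not in discovery.get("id_token_signing_alg_values_supported", []):
        problems.append("RS256 ID token signing is not advertised")
    return problems


if __name__ == "__main__":
    print(discovery_url("https://idp.example.com/"))
    for issuer in ("https://idp.example.com/", "https://idp.example.com"):
        print(issuer, "->", check_oidc_config(issuer, SAMPLE_DISCOVERY) or "ok")
```

To use it with a real provider, fetch the JSON from the URL that `discovery_url` returns and pass the parsed document in place of the sample.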

Step 2: Claim and verify your domain

In order to use Gentrace SSO, you need to claim an email domain and verify your ownership of it.

Press "Claim domain", enter your domain (e.g. gentrace.ai), and press "claim."

Then, press "verify." You'll see instructions on how to verify your domain. You'll need to add a TXT record to your DNS provider.

[Screenshot: Gentrace domain verification]

Please get in touch at [email protected] if you are having trouble verifying your domain.

Press "Verify Domain" to test the DNS record and continue to the next step if successful.

Please note that it may take 24 hours or more for DNS changes to propagate depending on your DNS settings.

Step 3: Enable SSO

You can now enable SSO by pressing the "Enable" button.

[Screenshot: Gentrace enable SSO]

All users authenticating to your organization with an email address on the claimed domain will be required to log in via SSO.

Other

If you'd like to add multiple organizations to your OIDC provider, please reach out to [email protected].