Buttons supports Single Sign-On (SSO), allowing organizations to authenticate users through their existing identity provider. Users are automatically provisioned on first login, so no manual account creation is required. SSO can coexist with local authentication or be set as the default login method. Connections can be enabled and disabled individually, and multiple providers can be active at the same time.
Supported Providers
| Provider | Protocol | User Provisioning | Group/Role Mapping |
|---|---|---|---|
| | OIDC (OAuth 2.0) | Automatic (JIT) | Planned |
| Microsoft Entra ID | OIDC (OAuth 2.0) | Automatic (JIT) | Planned |
| LDAP / Active Directory | LDAP Bind | Automatic (JIT) | Planned |
| Okta | OIDC (OAuth 2.0) | Automatic (JIT) | Planned |
| GitHub | OAuth 2.0 | Automatic (JIT) | Planned |
Feature Overview
| Feature | Status |
|---|---|
| Just-in-time user provisioning | Supported |
| Multiple simultaneous connections | Supported |
| Domain-restricted SSO | Supported |
| SSO as default login method | Supported |
| Local + SSO coexistence | Supported |
| Per-connection enable/disable | Supported |
| Role mapping from SSO groups | Planned |
| SCIM provisioning | Not supported. Can be evaluated based on demand. |
Role & Group Mapping
Automatic mapping from SSO groups to Buttons roles is not yet supported. An administrator can assign roles to SSO users after their first login. Since users are auto-provisioned, this only needs to happen once per user.
SSO Configuration
You will find the SSO configuration under Settings. On the starting page you can enable and disable SSO, set the default login type, limit the allowed email domains, and add SSO providers.
Here we have chosen to add Google as an SSO provider. If you want to use multiple accounts from the same provider, make sure that you give each of them a proper display name so you can tell them apart.
You have to enter the OAuth Credentials and Client Secret from your provider, and also enter the Workspace domain that the OAuth credentials belong to.
If you have any additional scopes for the provider, you can specify them as well.
The last thing to make sure of is that your server is accessible from the internet, which you do by specifying the Buttons External address. The SSO provider needs this to redirect the user to your Buttons server after logging in.
If this is missing, the main SSO page will warn you.
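Because users are provisioned automatically on first login, the allowed email domains and the Workspace domain are what decide who gets an account. The sketch below is an added example, not Buttons' own code: it shows one way such a gate can be evaluated on already-validated ID token claims, with hypothetical function names and constructed sample claims, using the standard `email_verified` claim and Google's `hd` (hosted domain) claim.

```python
# Added example, not Buttons' code. All names here are hypothetical.
# Assumes the OIDC library has already verified the ID token's signature,
# issuer, audience and expiry; this only decides whether to auto-provision.

def email_domain(email):
    """Return the lower-cased domain part, or None if the value is malformed."""
    if not isinstance(email, str) or email.count("@") != 1:
        return None
    local, domain = email.split("@")
    return domain.lower() if local and domain else None

def may_provision(claims, allowed_domains, workspace_domain=None):
    """Return (allowed, reason) for a user's first SSO login."""
    allowed = {d.lower() for d in allowed_domains}
    domain = email_domain(claims.get("email"))
    if domain is None:
        return False, "missing or malformed email claim"
    # Require the boolean True; an unverified address proves nothing.
    if claims.get("email_verified") is not True:
        return False, "email not verified by provider"
    # Exact match only: endswith("corp.example") would accept notcorp.example.
    # Assumption: an empty allow-list means no domain restriction.
    if allowed and domain not in allowed:
        return False, "email domain not allowed"
    # Google sets 'hd' for Workspace accounts only; consumer accounts lack it.
    if workspace_domain is not None:
        if str(claims.get("hd", "")).lower() != workspace_domain.lower():
            return False, "hosted domain mismatch"
    return True, "ok"

# Constructed sample claims (not real tokens).
SAMPLES = [
    {"email": "alice@corp.example", "email_verified": True, "hd": "corp.example"},
    {"email": "bob@notcorp.example", "email_verified": True, "hd": "notcorp.example"},
    {"email": "carol@corp.example", "email_verified": False, "hd": "corp.example"},
    {"email": "dave@corp.example", "email_verified": True},  # no 'hd' claim
]

if __name__ == "__main__":
    for c in SAMPLES:
        print(c["email"], may_provision(c, ["corp.example"], "corp.example"))
```

Until role mapping from SSO groups is available, a gate like this is the only automatic control over who receives an account, so it is worth testing with lookalike domains and unverified addresses.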