OAuth Single Sign-On

Available on Professional and Enterprise

OAuth SSO lets your team sign in to clariBI using accounts they already have with Google or Facebook — no extra password to remember and no separate user list to manage. Professional and Enterprise plans can also configure organization-wide SSO with Google Workspace, Microsoft Entra ID, Okta, and other OAuth2/OIDC providers.

Overview

clariBI supports two levels of OAuth sign-in:

  • Social sign-in (all plans): Users can sign in or sign up with their Google or Facebook account directly from the login page. No admin configuration required.
  • Organization SSO (Professional+): Owners and Administrators can configure organization-wide OAuth2/OIDC providers such as Google Workspace, Microsoft Entra ID (Azure AD), Okta, or Ping Identity from Settings > Security.

If you need a fully enterprise-grade identity flow with SAML 2.0 and IdP-initiated login, see SAML SSO. If you want a second factor on top of password login, see Multi-Factor Authentication.

Social sign-in providers (all plans)

  • Google: Google Workspace and personal accounts
  • Facebook: Personal Facebook accounts

Organization SSO providers (Professional+)

  • Google Workspace: Managed Google Workspace tenants
  • Microsoft Entra ID: Azure AD / Microsoft 365
  • Okta: Okta identity platform
  • Ping Identity: PingFederate and PingOne

You can also configure any provider that supports the OAuth2/OIDC standard using the generic OAuth2 option.

Enable organization SSO

  1. Sign in to clariBI as an Owner or Administrator and open Settings.
  2. Go to the Security tab.
  3. Open the SSO Providers section.
  4. Toggle on the providers you want to enable. Users will see the matching "Sign in with..." button on the login screen the next time they visit.

Provider-specific notes

Google / Google Workspace

Social sign-in with Google works for both Workspace tenants and individual Google accounts. When a user clicks Sign in with Google, clariBI requests their basic profile (name and email) and nothing else - no access to Gmail, Drive, or Calendar. For organization SSO, configure Google Workspace in Settings > Security > SSO Providers to restrict sign-in to your managed domain.

Facebook

Social sign-in with Facebook uses the user's primary email and profile name. The flow is identical to Google: click the button, approve the consent screen, and get signed in.

Microsoft Entra ID (Azure AD)

Available as an organization SSO provider on Professional+ plans. clariBI requests profile and email scopes only. Configure your Entra ID tenant in Settings > Security > SSO Providers.

Okta

Available as an organization SSO provider on Professional+ plans. Configure your Okta tenant in Settings > Security > SSO Providers using the OAuth2/OIDC connection type.

Ping Identity

Available as an organization SSO provider on Professional+ plans. Configure PingFederate or PingOne in Settings > Security > SSO Providers.

Just-in-time provisioning

The first time a user signs in via any OAuth provider, clariBI creates their account automatically using the provider's profile (email and name). They are added with the default Member role. An Owner or Administrator can later change their role in Roles & Permissions.

If a user with the same email already exists, clariBI links the OAuth identity to that existing account on first sign-in. The user keeps all of their existing dashboards, reports, and permissions.
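
The provisioning and linking rules described above can be modelled as follows; this is an added illustration, not clariBI's code. The `email_verified` requirement, matching returning users on `(iss, sub)`, the `Directory` and `Account` names and the sample claims are assumptions, and the domain allow list is the one mentioned under Troubleshooting.

```python
from dataclasses import dataclass, field

DEFAULT_ROLE = "Member"  # role the page gives to newly provisioned users

@dataclass
class Account:
    email: str
    name: str
    role: str = DEFAULT_ROLE
    identities: set = field(default_factory=set)  # linked (iss, sub) pairs

class Directory:
    """Hypothetical in-memory user store for one organization."""
    def __init__(self, allowed_domains=()):
        self.accounts = {}  # normalized email -> Account
        self.allowed_domains = {d.lower() for d in allowed_domains}

    def sign_in(self, claims):
        """claims: ID-token claims whose signature, issuer and audience
        were already validated (assumed, not shown here)."""
        identity = (claims["iss"], claims["sub"])
        # Returning users are matched on (iss, sub), which survives email changes.
        for acct in self.accounts.values():
            if identity in acct.identities:
                return "signed_in", acct
        email = str(claims.get("email", "")).strip().lower()
        # An unverified address proves nothing about mailbox control, so it
        # must never create an account or link to an existing one.
        if "@" not in email or claims.get("email_verified") is not True:
            return "rejected_unverified_email", None
        if self.allowed_domains and email.rpartition("@")[2] not in self.allowed_domains:
            return "rejected_domain", None
        acct = self.accounts.get(email)
        if acct is None:  # first sign-in: just-in-time provisioning
            acct = self.accounts[email] = Account(email, claims.get("name", ""))
            outcome = "created"
        else:  # same email already exists: link, keep role and content
            outcome = "linked"
        acct.identities.add(identity)
        return outcome, acct

def demo():
    """Run constructed sample claims (not real tokens) through the store."""
    d = Directory(allowed_domains=["example.com"])
    d.accounts["ana@example.com"] = Account("ana@example.com", "Ana", role="Administrator")
    mk = lambda sub, email, ok: {"iss": "https://idp.example", "sub": sub, "email": email, "email_verified": ok}
    samples = [mk("1", "Ana@Example.com", True), mk("2", "ana@example.com", False),
               mk("3", "bo@example.com", True), mk("4", "cy@other.example", True),
               mk("1", "renamed@example.com", True)]
    return [(o, a.role if a else None) for o, a in map(d.sign_in, samples)]
```

Calling `demo()` returns the outcome and resulting role for each constructed sign-in, including the unverified attempt against an existing Administrator's address.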

Removing OAuth access

To disable a provider for your whole organization, return to Settings > Security > SSO Providers and toggle it off. Users who previously signed in via that provider will need to use a different sign-in method on their next visit. Their accounts and content are not deleted.

To remove a single user, delete them from Settings > Team. This revokes their access regardless of which sign-in method they used.

Troubleshooting

  • "Wrong tenant" error on Microsoft Entra ID - the user's account belongs to a different Entra ID tenant than the one configured. Have them sign in with the correct work account.
  • Email domain mismatch - if your organization restricts which email domains can join, users with personal addresses will be rejected. Add their domain to the allow list or invite them manually.
  • Wrong role after first login - new OAuth users always start as Members. An Owner or Administrator can change their role in Settings > Organization > Team Members.
  • "This account already exists" - the user's email is already attached to a different identity. Sign in once with the original method, then link the new provider from Settings > Profile.
