Table of contents
What is SSO?
Single sign-on (SSO) lets the people on your team log into Fugo using your organization's existing identity provider - the same login your company already uses for other business tools - instead of a separate Fugo-specific password.
SSO is aimed at teams that already manage logins centrally through an identity provider (IdP) like Okta, Azure AD (Entra ID), or Google Workspace, and want Fugo access to work the same way - one less password for your team to manage, and one more app your IT team can control through your existing IdP.
Where SSO lives in Fugo
SSO doesn't have its own page in the main navigation. It's configured from your account settings:
Open your account menu, then click Settings. In the Settings window, go to the Team section, then the Single sign-on tab.
If you haven't set anything up yet, you'll see an empty state: "Connect an identity provider to allow your team members to sign in using your organization's credentials," with a Set up SSO button to get started.
Supported protocols and identity providers
Fugo supports two industry-standard protocols for SSO. You'll pick one when you set up SSO - see Choose your protocol below.
SAML 2.0
A generic, standards-based option that works with Google Workspace, Okta, Azure AD (Entra ID), and other SAML 2.0-compliant identity providers. Because it's not tied to any one provider's setup flow, SAML is the more broadly compatible choice if your identity provider supports it.
OpenID Connect (OIDC)
An alternative, more modern protocol. Fugo's OIDC setup is built around Okta's way of structuring an OIDC connection specifically.
☝️ If you're planning to connect a non-Okta OIDC provider (such as Auth0 or a Google Workspace OIDC connection), reach out to support@fugo.ai first to confirm compatibility before you start configuring it, since Fugo's OIDC setup expects an Okta-style configuration today. If your provider supports SAML 2.0 as well, that's the safer default choice for non-Okta identity providers.
You can only have one identity provider connected at a time. Fugo doesn't currently support configuring multiple SSO providers on the same account.
Setting up SSO
Setting up SSO means configuring both sides of a trust relationship: you'll fill in some information from your identity provider into Fugo, and copy some Fugo-generated values back into your identity provider. Have your identity provider's admin console open alongside Fugo's settings while you do this.
Choose your protocol
Click Set up SSO, then choose SAML 2.0 or OpenID Connect as your protocol. Remember that you can only have one active at a time, so pick whichever matches your identity provider (see Supported protocols and identity providers above if you're not sure which to choose).
SAML 2.0 configuration
If you choose SAML 2.0, you'll fill in the following, all sourced from your identity provider's SAML app configuration:
Identity provider name
A label for your own reference (for example, "Okta IDP") - this doesn't need to match anything in your identity provider, it's just how you'll recognize this configuration in Fugo.
Sign-in URL
The URL for your identity provider that Fugo sends sign-in requests to.
Sign-out URL
The URL for your identity provider that Fugo sends sign-out requests to.
Domains
The email domain(s) for your organization (for example, "yourcompany.com"). Fugo uses this to determine which users should be routed to your identity provider when they enter their email address on Fugo's sign-in screen.
Certificate
The X.509 certificate from your identity provider, used to verify that sign-in responses genuinely came from your IdP. Paste the full certificate block - Fugo strips the surrounding "BEGIN CERTIFICATE"/"END CERTIFICATE" lines automatically.
Signature algorithm
Choose RSA_SHA1, RSA_SHA256 (the default), or RSA_SHA512, matching whichever your identity provider is configured to use. If your identity provider requires a different algorithm, contact support@fugo.ai.
Once you save, Fugo shows you a Redirect URL (ACS) and an Entity ID. Copy these into your identity provider's SAML app configuration to complete the connection from its side.
OpenID Connect configuration
If you choose OpenID Connect, you'll fill in:
Identity provider name
A label for your own reference, same as with SAML.
Domains
Your organization's email domain(s), comma-separated if you have more than one — used the same way as the SAML Domains field, to route matching users to your identity provider at sign-in.
Client ID
The client ID for the OIDC application you've set up in your identity provider.
Client secret
The client secret for that same OIDC application. If you're editing an existing configuration, this field shows as masked — leave it as-is to keep your existing secret, and only enter a new value if you're actually rotating it.
Identity provider domain
Your identity provider's domain (for example, "your-org.okta.com"). Fugo uses this to build the rest of the connection details automatically.
Once you save, Fugo shows you a Redirect URL (callback) — copy this into your identity provider's OIDC application configuration.
Editing or removing your configuration
Once configured, your SSO setup appears as a summary card showing an Active badge, your chosen protocol, provider name, and domains, with Edit and Delete actions.
Deleting your configuration shows a confirmation warning: "Users will no longer be able to sign in through your identity provider. This action cannot be undone." Make sure your team has another way to access Fugo (or an updated configuration ready to go) before removing an active SSO connection.
Permissions and plan requirements
SSO is available on Fugo's Enterprise plan. If your account is on a different plan, the Single sign-on tab will show an upgrade prompt instead of the setup flow.
Only Tenant Admins can view or edit SSO settings - unlike some other settings areas, SSO access isn't something a Tenant Admin can delegate to a custom role. If you need SSO configured and don't have Tenant Admin access yourself, ask someone on your team who does.
How SSO affects new users
The first time someone signs in through your identity provider, Fugo automatically creates their account - nobody needs to manually add them in Fugo first.
From there, that person's access is governed by Fugo's usual Roles & Spaces system, the same as anyone else on your team.
If you want to fine-tune exactly what role or space a new SSO user lands in, reach out to support@fugo.ai - we can help you get that set up correctly for your organization.
Good to know
Only one identity provider at a time. If you need to switch providers, you'll need to remove your existing configuration and set up the new one.
SSO doesn't currently block password sign-in on its own. There's no in-app control to require SSO for every sign-in across your organization. If enforcing SSO org-wide matters for your team, reach out to support@fugo.ai to talk through your options.
Double-check OIDC compatibility before you start if you're not using Okta - see OpenID Connect above.
Need more help?
Setting up SSO touches both Fugo and your identity provider, so if anything doesn't behave as expected, we're glad to help troubleshoot. Reach out via the support chat inside the Fugo CMS, or email us at support@fugo.ai.
