SSO functionality is available on the Enterprise plan.
Tightknit supports enterprise Single Sign-On (SSO) to integrate with your organization's identity provider.
Supported Protocols
- OIDC (OpenID Connect)
- SAML 2.0
- Token-based JWT
Supported Flows
SP-Initiated Flow
Users start at Tightknit and authenticate via your IdP:
- User navigates to Tightknit login page
- User clicks "Sign in with [Your Company]"
- User authenticates at your IdP
- User is redirected back to Tightknit and logged in
IdP-Initiated Flow
Users start at your IdP portal and land on Tightknit already authenticated:
- User logs into your IdP portal
- User clicks a link within the IdP portal pointing to the Tightknit community site
- IdP redirects the user to Tightknit with a signed token
- User lands on Tightknit already logged in
IdP-initiated SSO requires Token-based JWT configuration. Please contact support to enable this feature.
OIDC Setup
Step 1: Contact Tightknit
Contact [email protected] with:
- Your company name
- Your email domain (e.g., acme.com)
- Your identity provider (Google Workspace, Okta, Azure AD, Auth0, etc.)
- Display name for the login button (e.g., "Acme Corp")
We will provision your SSO configuration and send you:
- Your Redirect URI to configure in your IdP
- Any additional setup instructions
Step 2: Create Application in Your IdP
- Log into your IdP admin console
- Create a new Web Application or OIDC Client
- Name the application Tightknit
- Set the Redirect URI to the URL provided by Tightknit
- Set required scopes: openid, email, profile
- Enable PKCE if available
Step 3: Send Credentials to Tightknit
Send Tightknit support the following information:
| Field | Description |
|---|---|
| Client ID | From your IdP application |
| Client Secret | From your IdP application |
| Issuer URL | Your IdP's issuer (see provider guides below) |
| Discovery URL | OIDC discovery endpoint (optional) |
Step 4: Test SSO
Once configured, test the integration:
- Navigate to your Tightknit login page
- Click "Continue with [Your Company]"
- Authenticate at your IdP
- Verify you are redirected back and logged in
SAML Setup
Contact [email protected] requesting SAML SSO setup. We will send you:
- Service Provider (SP) metadata URL
- ACS URL and Entity ID
Then, in your IdP:
- Create a SAML application in your IdP
- Upload or paste the SP metadata provided by Tightknit
- Configure attribute mappings:
  - nameID or email (required)
  - displayName or name (optional)
  - firstName, lastName (optional)
Send Tightknit support the following information:
- IdP metadata XML (preferred)
- Or manually: Entry point URL, Certificate, Issuer
Token-Based SSO
Token-based SSO is for custom integrations where your own system authenticates users and then redirects them to Tightknit with a signed JWT. This is the mechanism that enables IdP-initiated flows.
How It Works
- Your system authenticates the user
- You generate a signed JWT with user claims
- You redirect the user to Tightknit with the token
- Tightknit validates the token and creates a session
Contact [email protected] with the following information:
| Field | Description |
|---|---|
| Issuer | Your token issuer URL |
| Audience | Expected audience claim |
| Algorithm | RS256 or ES256 |
| JWKS URL | URL to your public keys (preferred) |
| Public Key | PEM-encoded key (if not using JWKS) |
| Target URL | Your Tightknit community URL |
| Login URL | Your organization's login URL |
We will provision your configuration and provide you with the callback endpoint URL.
The following token delivery formats to the Tightknit callback endpoint are supported:
- GET redirect with the token in a query parameter named token, sso_token or id_token
- POST request with Content-Type application/x-www-form-urlencoded or multipart/form-data, where the form data contains the key token, sso_token or id_token
JWT Requirements
Your signed JWT must include these claims:
| Claim | Required | Description |
|---|---|---|
| email | Yes | User's email address |
| exp | Yes | Expiration timestamp |
| iat | Yes | Issued-at timestamp |
| iss | Yes | Issuer (must match configured value) |
| aud | Yes | Audience (must match configured value) |
| jti | No | Unique token ID for replay protection |
The returnTo Parameter
Tightknit uses the returnTo parameter to preserve the user's original URL after authentication.
For example, if the user was on the /dashboard page before authentication, the returnTo parameter will have the value /dashboard.
{callback-url}?returnTo=/dashboard
The returnTo parameter must be a relative path starting with /. Absolute URLs are rejected for security.
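As an added example (not Tightknit's code), the check below enforces the returnTo rule described above on the sending side and builds the GET-style callback redirect. It goes slightly beyond the page's wording by also rejecting scheme-relative values such as //host, which browsers resolve to another origin; the callback URL used is a constructed placeholder.

```javascript
// Added example (not Tightknit's code): enforce the returnTo rule from this page and
// build the GET redirect that carries the signed token to the callback endpoint.

// Accept only a relative path that starts with a single "/"; anything else falls back to "/".
// "//host" and "/\host" are rejected too: browsers resolve them to a different origin.
function safeReturnTo(value, fallback = '/') {
  if (typeof value !== 'string' || !value.startsWith('/')) return fallback;
  if (value.startsWith('//') || value.startsWith('/\\')) return fallback;
  if (/[\u0000-\u001f\u007f\s]/.test(value)) return fallback; // control characters / whitespace
  // Resolve against a fixed placeholder origin and confirm the result stayed on it.
  const base = 'https://placeholder.invalid';
  const resolved = new URL(value, base);
  if (resolved.origin !== base) return fallback;
  return resolved.pathname + resolved.search + resolved.hash;
}

// Build the redirect for the IdP-initiated flow: {callback-url}?token=...&returnTo=...
// callbackUrl is the endpoint Tightknit provisions; the value passed in tests is a placeholder.
function buildCallbackRedirect(callbackUrl, token, returnTo) {
  const url = new URL(callbackUrl);
  url.searchParams.set('token', token);
  url.searchParams.set('returnTo', safeReturnTo(returnTo));
  return url.toString();
}
```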
Provider-Specific Guides
Google Workspace
- Go to Google Cloud Console > APIs & Credentials
- Create OAuth 2.0 Client ID (Web application)
- Set the redirect URI provided by Tightknit
- Endpoints to share with Tightknit:
  - Issuer: https://accounts.google.com
  - Discovery: https://accounts.google.com/.well-known/openid-configuration
Microsoft Azure AD
- Go to Azure Portal > App registrations
- Create new registration (Web application)
- Set the redirect URI provided by Tightknit
- Create a client secret under Certificates & secrets
- Endpoints to share with Tightknit:
  - Issuer: https://login.microsoftonline.com/{tenant-id}/v2.0
  - Discovery: https://login.microsoftonline.com/{tenant-id}/v2.0/.well-known/openid-configuration
Okta
- Go to Okta Admin Console > Applications
- Create App Integration > OIDC > Web Application
- Set the redirect URI provided by Tightknit
- Endpoints to share with Tightknit:
  - Issuer: https://your-org.okta.com
  - Discovery: https://your-org.okta.com/.well-known/openid-configuration
Auth0
- Go to Auth0 Dashboard > Applications
- Create Application > Regular Web Application
- Set the callback URL provided by Tightknit
- Endpoints to share with Tightknit:
  - Issuer: https://your-tenant.auth0.com/
  - Discovery: https://your-tenant.auth0.com/.well-known/openid-configuration
Security Best Practices
For Administrators
- Restrict redirect URIs - Only allow the exact Tightknit callback URL
- Enable MFA - Require multi-factor authentication at your IdP
- Audit SSO access - Review SSO login logs regularly
- Rotate secrets - Change client secrets periodically
For Token-Based SSO
- Use short-lived tokens - Set exp to 5 minutes or less
- Include jti claims - Enable replay protection
- Use JWKS - Prefer dynamic key management over static keys
- Use HTTPS - All SSO endpoints require secure connections
Troubleshooting
"Provider not found" error
The SSO provider is not configured. Contact [email protected].
"Invalid redirect URI" error
The redirect URI in your IdP doesn't match. Verify it exactly matches the URL provided by Tightknit during setup.
"Authentication failed" error
- Verify client ID and secret are correct
- Check IdP is accessible from the internet
- Ensure required scopes are granted
"No profile found" error
The user's email doesn't match any existing profile in your Tightknit tenant. Users must have a profile before they can sign in via SSO.
Token SSO errors
| Error | Cause | Fix |
|---|---|---|
| invalid_token | JWT signature verification failed | Check public key/JWKS configuration |
| token_expired | JWT exp claim is in the past | Issue a new token with valid expiration |
| invalid_issuer | iss claim doesn't match configuration | Verify issuer matches exactly |
| invalid_audience | aud claim doesn't match configuration | Verify audience matches exactly |
Getting Help
For SSO setup assistance, contact [email protected] with:
- Your identity provider type
- Your company email domain
- Error messages or screenshots (if troubleshooting)