Set Up Single Sign-On (SSO) for Your Organization
Single Sign-On (SSO) lets your team sign in to CubePath with your company's own identity provider: Okta, Microsoft Entra, Google Workspace, or any provider that supports OpenID Connect (OIDC). Instead of juggling separate CubePath passwords, your members log in with the same corporate account they already use, and you control who has access from your identity provider.
With SSO set up, new team members can be created automatically the first time they sign in, so you don't have to invite each person by hand.
Who can configure it
SSO is set up by an organization owner or admin. You'll find it in the dashboard at my.cubepath.com → Organization → SSO.
What you'll need
- An account with your identity provider (Okta, Microsoft Entra, Google Workspace, etc.) where you can create an OpenID Connect application.
- Ownership of your company email domain (for example
yourcompany.com). We verify this before turning on email-based login.
Step 1: Create an app in your identity provider
In your identity provider, create a new OpenID Connect (OIDC) application. When it asks for a redirect URI (sometimes called a callback or sign-in redirect URL), use the one shown on the CubePath SSO page. There's a copy button right next to it. It looks like this:
https://identity.cubepath.com/account/sso/callback
Your provider will then give you three values you'll need in the next step: an Issuer URL, a Client ID, and a Client secret.
Step 2: Fill in your SSO settings
Back in Organization → SSO, enter:
- Provider name: a label so your team recognizes it (for example "Okta" or "Microsoft Entra").
- Issuer URL: the OIDC issuer from your provider. Click Test connection to confirm CubePath can reach it before you save.
- Client ID: from the application you created.
- Client secret: from the application you created. (When you edit your settings later, leave this blank to keep the secret you already saved.)
Step 3: Choose how new members are added
Under Provisioning:
- Auto-create members on first login: when this is on, anyone from your verified domain who logs in through your provider is added to your organization automatically. When it's off, only people you've already invited can sign in via SSO.
- Default role for new members: the role auto-created members receive, either member, viewer, or billing. For security, SSO can never auto-assign the owner or admin role. You grant those manually from the Team page.
Step 4: Enable SSO and save
Turn on Enable SSO and click Save.
Step 5: Verify your email domain
For your team to log in just by typing their work email, CubePath needs to confirm you own that domain. You do this by adding a TXT record to your DNS and opening a support ticket so our team can check it. The full walkthrough is in Verify Your Email Domain for SSO. Until the domain is verified, the rest of your SSO configuration is saved, but login-by-email stays off. The SSO page shows whether your domain is verified. The verified domain itself is managed by CubePath support and can't be set by you, which prevents anyone from hijacking another company's logins.
How your team logs in
Once SSO is enabled and your domain is verified, your members go to the CubePath login page, enter their work email, and choose Continue with SSO. They're sent to your identity provider to authenticate and returned to CubePath already signed in, with no separate CubePath password needed.
A couple of things to expect:
- If someone already has a personal CubePath account with that email but isn't a member of your organization yet, they'll need to be invited from the Team page first.
- The email your provider returns must be on your verified domain.
Good to know
| Topic | Detail |
|---|---|
| Protocol | OpenID Connect (OIDC) |
| Configured by | Organization owner or admin |
| Roles SSO can assign | member, viewer, billing (never owner or admin) |
| Email domain | Verified by CubePath support via a support ticket |
| Without verification | Your settings are saved, but login-by-email stays off |