Secureframe supports three login methods:
- Email-based sign-in
- Single Sign-On (SSO)
- Social login (OAuth via Google or Microsoft)
Below is a breakdown of what each method is and how to set it up.
Email-Based Sign-In
What it is: Basic login using your work email with either:
- A password
- A magic link sent to your inbox
How to set it up:
No setup required. This method is enabled by default unless restricted by an admin.
Social Login (OAuth)
What it is: OAuth allows users to log in using Google or Microsoft credentials. This is often shown as “Sign in with Google” or “Sign in with Microsoft.”
How to set it up:
- Go to the Integration tab on Secureframe as a Secureframe admin
- Connect your Google or Microsoft integration
- You must have appropriate permissions in the Google or Microsoft environment.
There is no additional cost to enable OAuth.
Single Sign-On (SSO)
What it is: SSO allows users to log in through a company-wide identity provider (IdP) like Okta, Azure AD, or Google Workspace using SAML. Users enter their email and are redirected to authenticate with your IdP.
How to set it up:
- Go to Company Settings
- Select the Single Sign-On tab
- Claim your domain(s) (required for SSO setup)
- Follow the guided configuration flow for your IdP
There is an additional cost to enabling SSO.
Claiming a Domain
Why it matters: Claiming your domain is required to set up SSO and control how users with company emails log in to Secureframe.
How to do it:
- Go to Company Settings
- Select the Single Sign-On tab
- Follow the instructions to claim and verify your domain(s)
What is SCIM, and How Does It Relate to SSO and OAuth?
SCIM (System for Cross-domain Identity Management) is a protocol that simplifies user lifecycle management by automating the creation, updating, and deactivation of user accounts across systems. When combined with SSO and OAuth, SCIM ensures that user access and permissions stay in sync with organizational changes, reducing manual effort and improving security.
Click here to learn more about SCIM and how to provision in your Secureframe instance.
If you have further questions or need assistance with domain claims, OAuth, SCIM, or SSO setup, please contact our support team at support@secureframe.com.
Common Error Responses
If you are currently seeing the “Needs admin approval” or “Approval required” message, please ask your admin to complete the reauthorization process and consent. This process may need to be carried out at either the global tenant level or the user level, depending on your tenant settings.
Below are Microsoft articles that provide detailed guidance on configuring consent settings:
- Managing User Consent to Apps in Microsoft 365: https://learn.microsoft.com/en-us/microsoft-365/admin/misc/user-consent?view=o365-worldwide
- Grant Tenant-Wide Admin Consent to an Application: https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/grant-admin-consent?pivots=portal
- User and Admin Consent in Microsoft Entra ID: https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/user-admin-consent-overview
Frequently Asked Questions (FAQ)
For cases where I truly need SSO for fuller control over login methods, SAML, and centralized auth, why does SSO cost extra?
- This is a pass-through cost from our vendor on a per-connection basis.
- You can use our free OAuth login options (Microsoft o365 and Google Workspace) if you just need basic login functionality. Consider purchasing SSO only if you need full control over login methods, SAML-based SSO setup, and/or centralized authentication management.
- Important note: Purchasing SSO is a single cost and will support multiple connections/integrations.
What happens to non-domain users when a customer enables SSO? Would they get locked out?
- No, they will not get locked out. Non-domain users can still log in with any other non-SSO method (Google, password, magic link).
- Any authentication restrictions set by the admin, such as disallowing Google or password login, apply only to domain users.
Is there a way to restrict users from signing in with a password, so they can only use OAuth or SSO?
- Yes, if you want to enforce sign-in exclusively via OAuth or SSO, you’ll need to claim your domain first. Once the domain is claimed, you can disable all other sign-in methods from the Company Settings – SSO Settings page.
- Note: Before disabling other sign-in options, make sure your OAuth or SSO connection is fully configured and functioning correctly to prevent any access issues.