When to Claim a Domain
For customers using Microsoft Office 365 or Google Workspace logins, claiming a domain is not required.
To enable these login options, you simply need to connect the integration with the appropriate permissions. There is no additional cost for connecting the integration, and it does not require domain verification.
However, a domain claim is necessary if you:
- Want to control login methods (e.g., email/password, magic link, or social login).
- Plan to set up a SAML connection for SSO, which is a paid feature.
Are Microsoft and Google Workspace Logins SSO?
No. Microsoft Office 365 and Google Workspace logins are OAuth-based social sign-in, not SAML SSO:
- OAuth (Open Authorization): An authorization protocol that lets a user grant a third-party application access to certain data without sharing their credentials. When used for login, the application redirects the user to Google or Microsoft, the user consents there, and the provider returns a short-lived token that the application uses to identify the user.
- SSO (Single Sign-On): A feature that lets users authenticate once with an Identity Provider (IdP) and access multiple applications without re-entering credentials. The IdP issues a signed assertion or token that each application verifies to establish the user's identity.
While OAuth simplifies the login process, it does not provide the seamless multi-app access that SSO does, nor the centralized control over login methods that comes with a claimed domain and a SAML connection.
Difference between SSO and Social Sign-In
When customers inquire about claiming a domain or setting up SSO, they are often referring to the Authentication Settings under Company Settings. This page lets you enable and manage login methods. However:
- The social sign-in options (e.g., Microsoft Office 365 and Google Workspace logins) available on the login page are based on OAuth, not SSO.
- Social sign-in does not require a domain claim and is separate from a SAML-based SSO setup.
How to Set Up SSO (SAML)
To enable true SSO functionality:
- Claim your domain through the Authentication Settings.
- Configure the SAML connection with your Identity Provider (IdP).
- This setup is a paid feature and requires additional configuration steps to align with your IdP.
What methods should I consider?
- Use Microsoft Office 365 and Google Workspace logins via OAuth without a domain claim or additional cost (no-cost option).
- Claim a domain only if you need to control login methods or set up SAML-based SSO.
- Understand that social sign-in (OAuth) is not the same as SSO (Single Sign-On).
What is SCIM, and How Does It Relate to SSO and OAuth?
SCIM (System for Cross-domain Identity Management) is a protocol that simplifies user lifecycle management by automating the creation, updating, and deactivation of user accounts across systems. SCIM handles provisioning (which accounts exist and whether they are active), while SSO and OAuth handle authentication. Used together, SCIM keeps accounts and permissions in sync with organizational changes: a user removed from the IdP is deactivated in connected applications without manual effort, which reduces both administrative work and the risk of orphaned accounts.
Click here to learn more about SCIM and how to provision in your Secureframe instance.
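As an added illustration (not Secureframe's code and not the content of the linked SCIM article), the following Python sketch shows what the SCIM lifecycle looks like on the receiving side: the IdP creates a user, later sets `active` to `false`, and the application must treat that as deprovisioning by revoking live sessions rather than only flipping a flag. The User resource and PatchOp shapes follow RFC 7643/7644; the in-memory store, the bearer token value, the `login` hook and the sample user are constructed for this example.

```python
"""Minimal SCIM 2.0 user lifecycle on the application side.
Added illustration: resource and PatchOp shapes follow RFC 7643/7644, but the
in-memory store, the provisioning token, the login/session hook and the sample
data are constructed for this example and are not Secureframe's implementation."""
import hmac
import uuid
from dataclasses import dataclass, field

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Constructed secret that the IdP presents as "Authorization: Bearer <token>".
PROVISIONING_TOKEN = "example-scim-bearer-token"


class ScimError(Exception):
    """Carries the HTTP status the endpoint would return."""

    def __init__(self, status, detail):
        super().__init__(detail)
        self.status = status
        self.detail = detail


@dataclass
class ScimServer:
    users: dict = field(default_factory=dict)     # user id -> SCIM User resource
    sessions: dict = field(default_factory=dict)  # user id -> set of live session ids
    revoked: list = field(default_factory=list)   # session ids killed by deprovisioning

    def _authorize(self, headers):
        # The SCIM endpoint is reachable by anyone until this check runs,
        # so compare the presented token in constant time.
        auth = headers.get("Authorization", "")
        presented = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
        if not hmac.compare_digest(presented.encode(), PROVISIONING_TOKEN.encode()):
            raise ScimError(401, "invalid provisioning token")

    def create_user(self, headers, body):
        """POST /Users (RFC 7644 section 3.3): the IdP pushes a new account."""
        self._authorize(headers)
        if USER_SCHEMA not in body.get("schemas", []):
            raise ScimError(400, "missing User schema")
        user_name = str(body.get("userName", "")).strip().lower()
        if not user_name:
            raise ScimError(400, "userName is required")
        if any(u["userName"] == user_name for u in self.users.values()):
            raise ScimError(409, "userName already exists")  # uniqueness per RFC 7643
        user = {
            "schemas": [USER_SCHEMA],
            "id": str(uuid.uuid4()),
            "userName": user_name,
            "active": bool(body.get("active", True)),
            "name": body.get("name", {}),
            "emails": body.get("emails", []),
        }
        self.users[user["id"]] = user
        return 201, user

    def patch_user(self, headers, uid, body):
        """PATCH /Users/{id} (RFC 7644 section 3.5.2). Only 'replace' is handled:
        that is what an IdP sends for renames and for deactivation (active=false)."""
        self._authorize(headers)
        if PATCH_SCHEMA not in body.get("schemas", []):
            raise ScimError(400, "missing PatchOp schema")
        user = self.users.get(uid)
        if user is None:
            raise ScimError(404, "no such user")
        for op in body.get("Operations", []):
            if str(op.get("op", "")).lower() != "replace":
                raise ScimError(400, f"unsupported op {op.get('op')!r}")
            path, value = op.get("path"), op.get("value")
            if path == "active":
                user["active"] = bool(value)
                if not user["active"]:
                    self._revoke_sessions(uid)  # deprovisioning = revoke access now
            elif path == "userName":
                user["userName"] = str(value).strip().lower()
            elif path in ("name", "emails"):
                user[path] = value
            else:
                raise ScimError(400, f"unsupported path {path!r}")
        return 200, user

    def _revoke_sessions(self, uid):
        # Flipping active=false without killing sessions leaves the "deactivated"
        # user logged in until the session or token expires on its own.
        for sid in sorted(self.sessions.pop(uid, set())):
            self.revoked.append(sid)

    def login(self, user_name):
        """Constructed SSO/OAuth login hook: refuse inactive accounts even when the
        IdP assertion or provider token would otherwise be accepted."""
        wanted = user_name.strip().lower()
        for uid, u in self.users.items():
            if u["userName"] == wanted:
                if not u["active"]:
                    return None
                sid = str(uuid.uuid4())
                self.sessions.setdefault(uid, set()).add(sid)
                return sid
        return None
```

The point to take from it: the `active` attribute is the deprovisioning signal, and the application's job on receiving `active: false` is to end access immediately (sessions, refresh tokens, API keys), not merely to record the flag for the next login.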
If you have further questions or need assistance with domain claims, OAuth, SCIM or SSO setup, please contact our support team for guidance at support@secureframe.com
Frequently Asked Questions (FAQ)
For cases where I truly need SSO for full control, why does this cost extra?
- This is a pass-through cost from our vendor, charged per connection.
What happens to non-domain users when a customer enables SSO? Would they get locked out?
- No, they will not be locked out. Non-domain users can still log in with any other non-SSO method (Google, password, magic link).
- Any authentication restrictions set by the admin, such as disallowing Google or password login, apply only to domain users.
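To make the FAQ rule concrete, here is an added Python example (illustrative, not Secureframe's code) of a resolver that decides which login methods a given address may use once a domain is claimed. The method names, the shape of the admin policy, exact-domain matching (subdomains are not treated as claimed) and the sample addresses are assumptions of this example. It also shows why the domain comparison has to be normalised: a naive case-sensitive check would let a domain user with a mixed-case address sidestep the admin's restriction and fall back to password login.

```python
"""Which login methods may this user use after a domain claim?
Added example, not Secureframe's code: method names, policy shape, exact-domain
matching and the sample data are assumptions made for this illustration.
Rule modelled (from the FAQ): admin restrictions apply only to users whose email
domain is a claimed domain; everyone else keeps every non-SSO method."""

ALL_METHODS = frozenset({"saml", "google", "microsoft", "password", "magic_link"})
NON_SSO_METHODS = ALL_METHODS - {"saml"}


def naive_is_domain_user(email, claimed_domains):
    """The bug to avoid: a case-sensitive, unnormalised comparison.
    'Alice@EXAMPLE.COM' is not recognised as a domain user, so the admin's
    'SAML only' restriction silently does not apply to her."""
    return email.split("@")[-1] in claimed_domains


def email_domain(email):
    """Return the normalised domain part of an address, or None if malformed."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain:
        return None
    domain = domain.strip().rstrip(".").lower()  # trailing dot: FQDN form
    return domain or None


def _normalise_domains(claimed_domains):
    return {d.strip().rstrip(".").lower() for d in claimed_domains}


def is_domain_user(email, claimed_domains):
    """Hardened check: exact match on the normalised domain part."""
    domain = email_domain(email)
    return domain is not None and domain in _normalise_domains(claimed_domains)


def allowed_methods(email, claimed_domains, domain_policy):
    """claimed_domains: domains the admin has claimed.
    domain_policy: methods the admin allows for users of those domains (assumed shape).
    Returns the frozenset of methods this address may use."""
    if email_domain(email) is None:
        return frozenset()  # refuse rather than guess for malformed input
    if is_domain_user(email, claimed_domains):
        return frozenset(domain_policy) & ALL_METHODS
    # Non-domain users are unaffected by the restriction; the SAML connection
    # is bound to the claimed domain, so it is not an option for them.
    return NON_SSO_METHODS


def may_login(email, method, claimed_domains, domain_policy):
    return method in allowed_methods(email, claimed_domains, domain_policy)
```

With a claimed domain of `example.com` and a policy of `{"saml"}`, `alice@example.com` and `Alice@EXAMPLE.COM` both resolve to SAML only, while `bob@partner.org` keeps Google, Microsoft, password and magic link but cannot use the company's SAML connection.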