Configure SSO
Connect your identity provider so users sign in to Willow with their existing credentials. Willow supports eight providers: Okta, Azure AD, Google Workspace, Auth0, GitHub, Keycloak, JumpCloud, and ADFS.
Prerequisites
- An existing account with your chosen SSO provider (for example, an Okta organization, Azure AD tenant, or a Google Cloud project with OAuth configured)
- You are an admin in both Willow and your identity provider
- You know your Willow Gateway URL (shown in the app, or use https://connect.mcp-s.com)
Callback URLs
While you configure your IdP, it asks for a callback (redirect) URL. Willow shows the exact URL on screen while you configure each provider. The default pattern is:
| Provider | Callback URL |
|---|---|
| Google Workspace | {gatewayUrl}/api/auth/callback/google |
| GitHub | {gatewayUrl}/api/auth/callback/github |
| Auth0 | {gatewayUrl}/api/auth/callback/auth0 |
| Okta | {gatewayUrl}/api/auth/callback/okta |
| Azure AD | {gatewayUrl}/api/auth/callback/azure-ad |
| Keycloak | {gatewayUrl}/api/auth/callback/keycloak |
| JumpCloud | {gatewayUrl}/api/auth/callback/jumpcloud |
| ADFS | {gatewayUrl}/api/auth/callback/adfs |
Select a provider
The Authentication Settings section in Admin → Settings contains an SSO Provider subsection. The Provider dropdown defaults to Default (Willow's built-in auth, no SSO). Select your provider from the dropdown and the relevant credential fields appear below.
Select your provider to continue:
Configure Okta
How to set up Okta as your Willow SSO provider using the Willow app in the Okta Integration Network.
Configure Azure AD
How to set up Microsoft Entra ID (Azure AD) as your Willow SSO provider.
Configure Google Workspace
How to set up Google Workspace as your Willow SSO provider.
Configure Auth0
How to set up Auth0 as your Willow SSO provider.
Configure GitHub
How to set up GitHub as your Willow SSO provider.
Configure Keycloak
How to set up Keycloak as your Willow SSO provider.
Configure JumpCloud
How to set up JumpCloud as your Willow SSO provider using a Custom OIDC App.
Configure ADFS
How to set up Active Directory Federation Services (ADFS) as your Willow SSO provider.
Enforce Admin SSO
The Enforce Admin SSO toggle appears in Authentication Settings after any SSO provider is saved. It is present on every provider's configuration screen, not just one.
When checked, the toggle disables Willow's other login methods — Google and GitHub social login (Willow's built-in Default auth) — so only SSO authentication through your configured provider remains. The toggle's on-screen description reads "Disable other login methods (Google, GitHub)."
Only enforce SSO after confirming that SSO works correctly for your entire team. Drawbacks to consider:
- Lockout risk: if your IdP becomes unavailable or your SSO settings are misconfigured, no one can sign in until the issue is resolved on the IdP side
- No fallback: there is no override or backdoor — an admin with IdP access must fix the upstream issue
- SCIM dependency: if you also use SCIM provisioning, deactivated users in your IdP lose Willow access immediately, with no alternative login path
Test SSO login
After saving your SSO configuration:
- Open a private browser window
- Navigate to your Willow dashboard URL
- You should be redirected to your IdP to authenticate
- After authentication, you should land back in Willow
If the login fails, check that:
- The callback URL in your IdP matches exactly what Willow shows
- The Client ID, Client Secret, and Issuer (where applicable) are copied correctly
- Users have been assigned to the application in your IdP
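For the first check, this added example (not part of Willow's own tooling) builds the default-pattern callback URL from the table above and reports why a URL registered in the IdP is not an exact match. The function names are hypothetical and the default pattern is assumed; the URL Willow shows on screen remains authoritative.

```python
from urllib.parse import urlsplit

# Provider slugs from the callback URL table on this page.
PROVIDER_SLUGS = {
    "Google Workspace": "google", "GitHub": "github", "Auth0": "auth0",
    "Okta": "okta", "Azure AD": "azure-ad", "Keycloak": "keycloak",
    "JumpCloud": "jumpcloud", "ADFS": "adfs",
}

def expected_callback(gateway_url: str, provider: str) -> str:
    """Build the default-pattern callback URL for a provider (assumed pattern)."""
    return f"{gateway_url.rstrip('/')}/api/auth/callback/{PROVIDER_SLUGS[provider]}"

def diagnose_callback(gateway_url: str, provider: str, registered: str) -> list[str]:
    """Explain why the URL registered in the IdP is not an exact match.

    Returns an empty list when the two strings are identical.
    """
    expected = expected_callback(gateway_url, provider)
    if registered == expected:
        return []
    problems = []
    if registered != registered.strip():
        problems.append("leading or trailing whitespace")
    exp, got = urlsplit(expected), urlsplit(registered.strip())
    if got.scheme != exp.scheme:
        problems.append(f"scheme is {got.scheme}, expected {exp.scheme}")
    if got.netloc != exp.netloc:
        same = got.netloc.lower() == exp.netloc.lower()
        problems.append("host differs only in letter case" if same
                        else f"host is {got.netloc}, expected {exp.netloc}")
    if got.path != exp.path:
        if got.path.rstrip("/") == exp.path:
            problems.append("trailing slash on path")
        elif got.path.lower() == exp.path.lower():
            problems.append("path differs only in letter case")
        elif got.path.rsplit("/", 1)[0] == exp.path.rsplit("/", 1)[0]:
            problems.append(f"provider segment is not {PROVIDER_SLUGS[provider]}")
        else:
            problems.append(f"path is {got.path}, expected {exp.path}")
    if got.query or got.fragment:
        problems.append("unexpected query string or fragment")
    return problems or [f"differs from expected {expected}"]

if __name__ == "__main__":
    # Constructed sample: an http URL with the wrong provider segment.
    for p in diagnose_callback("https://connect.mcp-s.com", "Azure AD",
                               "http://connect.mcp-s.com/api/auth/callback/azure"):
        print(p)
```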