
Configure SSO

Connect your identity provider so users sign in to Willow with their existing credentials. Willow supports eight providers: Okta, Azure AD, Google Workspace, Auth0, GitHub, Keycloak, JumpCloud, and ADFS.

Prerequisites

  • An existing account with your chosen SSO provider (for example, an Okta organization, Azure AD tenant, or a Google Cloud project with OAuth configured)
  • You are an admin in both Willow and your identity provider
  • You know your Willow Gateway URL (shown in the app, or use https://connect.mcp-s.com)

Callback URLs

When you configure your IdP, it asks for a callback (redirect) URL. Willow shows the exact URL on screen while you configure each provider. The default pattern is:

Provider     Callback URL
Google       {gatewayUrl}/api/auth/callback/google
GitHub       {gatewayUrl}/api/auth/callback/github
Auth0        {gatewayUrl}/api/auth/callback/auth0
Okta         {gatewayUrl}/api/auth/callback/okta
Azure AD     {gatewayUrl}/api/auth/callback/azure-ad
Keycloak     {gatewayUrl}/api/auth/callback/keycloak
JumpCloud    {gatewayUrl}/api/auth/callback/jumpcloud
ADFS         {gatewayUrl}/api/auth/callback/adfs

Select a provider

The Authentication Settings section in Admin → Settings contains an SSO Provider subsection. The Provider dropdown defaults to Default (Willow's built-in auth, no SSO). Select your provider from the dropdown and the relevant credential fields appear below.


Enforce Admin SSO

The Enforce Admin SSO toggle appears in Authentication Settings after any SSO provider is saved. It is present on every provider's configuration screen, not just one.

When checked, the toggle disables Willow's other login methods — Google and GitHub social login (Willow's built-in Default auth) — so only SSO authentication through your configured provider remains. The toggle's on-screen description reads "Disable other login methods (Google, GitHub)."

Only enforce SSO after confirming that SSO works correctly for your entire team. Drawbacks to consider:

  • Lockout risk: if your IdP becomes unavailable or your SSO configuration is incorrect, no one can sign in until the issue is resolved on the IdP side
  • No fallback: there is no override or backdoor — an admin with IdP access must fix the upstream issue
  • SCIM dependency: if you also use SCIM provisioning, deactivated users in your IdP lose Willow access immediately, with no alternative login path

Test SSO login

After saving your SSO configuration:

  1. Open a private browser window
  2. Navigate to your Willow dashboard URL
  3. You should be redirected to your IdP to authenticate
  4. After authentication, you should land back in Willow

If the login fails, check that:

  • The callback URL in your IdP matches exactly what Willow shows
  • The Client ID, Client Secret, and Issuer (where applicable) are copied correctly
  • Users have been assigned to the application in your IdP
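
The callback URL check from the list above, as an added example (not Willow's code): it builds the default-pattern URL from the callback table and reports how a value registered in the IdP differs from it. The function names are hypothetical, and the URL Willow shows on screen remains the authoritative value if it departs from the default pattern.

```python
from urllib.parse import urlsplit

# Provider slugs taken from the callback URL table on this page.
CALLBACK_SLUGS = {
    "Google": "google", "GitHub": "github", "Auth0": "auth0", "Okta": "okta",
    "Azure AD": "azure-ad", "Keycloak": "keycloak", "JumpCloud": "jumpcloud",
    "ADFS": "adfs",
}

def expected_callback(gateway_url: str, provider: str) -> str:
    """Build the default-pattern callback URL for a provider."""
    return f"{gateway_url.rstrip('/')}/api/auth/callback/{CALLBACK_SLUGS[provider]}"

def diagnose(gateway_url: str, provider: str, registered: str) -> list[str]:
    """Return reasons the URL registered in the IdP differs from the expected one.
    An empty list means the two strings match exactly."""
    expected = expected_callback(gateway_url, provider)
    if registered == expected:
        return []
    exp, reg = urlsplit(expected), urlsplit(registered.strip())
    reasons = []
    if registered != registered.strip():
        reasons.append("leading or trailing whitespace")
    if reg.scheme != exp.scheme:
        reasons.append(f"scheme is {reg.scheme!r}, expected {exp.scheme!r}")
    if reg.netloc != exp.netloc:
        reasons.append(f"host is {reg.netloc!r}, expected {exp.netloc!r}")
    if reg.path != exp.path:
        if reg.path.rstrip("/") == exp.path:
            reasons.append("trailing slash on path")
        elif reg.path.lower() == exp.path.lower():
            reasons.append("path differs only by letter case")
        else:
            reasons.append(f"path is {reg.path!r}, expected {exp.path!r}")
    if reg.query or reg.fragment:
        reasons.append("unexpected query string or fragment")
    return reasons or ["differs from expected URL"]

if __name__ == "__main__":
    # Constructed sample: a value as it might have been pasted into the IdP.
    print(diagnose("https://connect.mcp-s.com", "Okta",
                   "http://connect.mcp-s.com/api/auth/callback/okta/"))
```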