Single Sign-On (SSO)¶
Enterprise plan organisations can configure SAML 2.0 SSO so their team signs in through a company identity provider (IdP) instead of a ChillCheck password.
Supported providers include Microsoft Entra ID (formerly Azure AD), Google Workspace, Okta, and any other SAML 2.0-compliant IdP.
How it works¶
- Your IT admin registers ChillCheck as a SAML application in your identity provider.
- You configure SSO in ChillCheck using your IdP's metadata URL.
- When a user with your email domain visits the ChillCheck login page, they are automatically redirected to your IdP to authenticate.
- After authenticating with your IdP, they are returned to ChillCheck and signed in.
Access control remains under your IdP — remove a user from the ChillCheck group in your IdP to revoke their access on their next login attempt.
Setup¶
Step 1 — Get the ChillCheck SP details¶
Go to Settings → Organisation → Single Sign-On and click Configure SSO. After setup, you will see:
| Detail | Value |
|---|---|
| ACS URL (Reply URL) | https://auth.chillcheck.online/auth/v1/sso/saml/acs |
| SP Entity ID | https://auth.chillcheck.online/auth/v1/sso/saml/metadata |
You need these two values to configure your IdP.
Step 2 — Configure your identity provider¶
- In the Azure Portal, go to Azure Active Directory → Enterprise applications → New application → Create your own application.
- Name it "ChillCheck" and select Integrate any other application you don't find in the gallery (Non-gallery).
- Go to Single sign-on → SAML.
- Set Identifier (Entity ID) to the SP Entity ID shown in ChillCheck.
- Set Reply URL (ACS URL) to the ACS URL shown in ChillCheck.
- Save. Copy the App Federation Metadata URL from the SAML Signing Certificate section.
- In Google Admin Console, go to Apps → Web and mobile apps → Add app → Add custom SAML app.
- Name it "ChillCheck" and click Continue.
- On the Google IdP Information screen, download the metadata XML file and host it at a public HTTPS URL, or note the SSO URL and Certificate for manual setup.
- Set ACS URL to the ACS URL shown in ChillCheck.
- Set Entity ID to the SP Entity ID shown in ChillCheck.
- Save. Use the metadata URL from step 3 in ChillCheck.
- In the Okta Admin Console, go to Applications → Create App Integration → SAML 2.0.
- Set Single sign-on URL to the ACS URL shown in ChillCheck.
- Set Audience URI (SP Entity ID) to the SP Entity ID shown in ChillCheck.
- Save. From the app's Sign On tab, copy the Metadata URL.
Step 3 — Configure SSO in ChillCheck¶
In Settings → Organisation → Single Sign-On:
- Click Configure SSO.
- Paste your IDP Metadata URL — this is the URL you copied from your identity provider (e.g. the App Federation Metadata URL from Entra ID).
- Enter your email domain (e.g.
acme.com). Users with this email domain will be redirected to your IdP at login. - Click Enable SSO.
ChillCheck will fetch and register your IdP metadata. SSO is now active.
Signing in with SSO¶
Users visit app.chillcheck.online/login as normal. When they enter their email address with your configured domain (e.g. alice@acme.com) and leave the field, the page detects SSO is available and replaces the password field with a Continue with SSO button. Clicking it redirects to your IdP.
Users who already have ChillCheck accounts (invited before SSO was configured) will continue to work — their existing account is matched by email address.
Removing SSO¶
In Settings → Organisation → Single Sign-On, click Remove next to the active configuration. Users will fall back to password-based login. Existing Supabase passwords are retained; users who never set a password will need to use Forgot password to set one.
Access control¶
SSO handles authentication (who can log in) — authorisation (what they can do) is still managed within ChillCheck:
- Users still need to be invited to your ChillCheck organisation. SSO does not auto-provision access for every person in your IdP.
- Role assignment (owner / admin / member) is done in Settings → Team.
- To revoke a user's access, remove them in Settings → Team → Remove, or deactivate their ChillCheck profile.
Removing a user from your IdP's ChillCheck group will prevent future logins but does not immediately sign them out of active sessions.
Troubleshooting¶
"No SSO configured for this domain" — Check that the email domain you entered in ChillCheck exactly matches the domain in the user's email address (e.g. acme.com not mail.acme.com).
SAML assertion errors from your IdP — Verify the ACS URL and SP Entity ID in your IdP match the values shown in ChillCheck Settings exactly. A trailing slash or incorrect capitalisation will cause failures.
"Metadata URL unreachable" — The IDP metadata URL must be publicly accessible over HTTPS. Some IdPs require the URL to be enabled separately (e.g. Entra ID requires the Federation Metadata endpoint to be public).
For further help, contact support@chillcheck.online.