Single Sign-On (SSO)
Single sign-on lets users authenticate with an external identity provider instead of a Miabi password. Miabi supports OAuth 2.0 / OpenID Connect (OIDC) out of the box, with a built-in Google connector plus a generic OIDC option for any compliant provider.

Supported providers
| Provider | Protocol |
|---|---|
| OAuth 2.0 / OIDC (well-known discovery) | |
| Generic OIDC | OpenID Connect (any compliant IdP) |
There is no GitHub connector. GitHub is not an OIDC provider, so it is reachable neither as a built-in option nor through the generic OIDC path.
Configuring a provider
- Go to Administration → SSO.
- Choose a provider (Google or Generic OIDC).
- Enter the client ID and client secret from your identity provider.
- For generic OIDC, supply the issuer/discovery URL so Miabi can read the provider's endpoints.
- Register Miabi's callback URL (shown on the configuration page) with your provider.
- Save and test the connection.
The client secret is treated as a secret and is encrypted at rest.
Signing in with SSO
Once a provider is configured, users see a Sign in with… button on the login screen. Authenticating with the provider creates or links a Miabi account, and the user lands in their workspace.
SSO governs how users sign in. Their permissions inside a workspace are still determined by their role.
Community vs Enterprise
| Capability | Community | Enterprise |
|---|---|---|
| OAuth2 / OIDC providers | One provider | Multiple providers |
| SAML 2.0 | — | ✅ |
| Enforced SSO (disable password login) | — | ✅ |
| SCIM 2.0 user provisioning | — | ✅ |
The Community edition supports a single configured SSO provider. The Enterprise edition adds multiple simultaneous providers, SAML 2.0, enforced SSO, and SCIM 2.0 for automated user provisioning and deprovisioning. See Community vs Enterprise for the full comparison.
Pair SSO with Two-Factor Authentication at your identity provider for layered protection.