# Single Sign-On (SSO)

> Configure SSO for your Omni instance using Okta or Microsoft Entra ID

<Note>
  **Google OAuth** is supported in the community edition and does not require a commercial license. Configure it from **Settings** → **Authentication** in the admin panel.
</Note>

<Warning>
  **Okta** and **Microsoft Entra ID** SSO are **enterprise features**. They are free for evaluation with up to 10 users. For org-wide rollout, a commercial license is required — contact [hello@getomni.co](mailto:hello@getomni.co) for pricing.
</Warning>

## Overview

Omni supports Single Sign-On via Google OAuth (community), Okta, and Microsoft Entra ID. Once SSO is configured, you can optionally disable password-based authentication. All SSO provider configurations — including client secrets — are stored encrypted in the database and managed through the admin UI, not environment variables.

## Enterprise Prerequisites

* An Okta or Entra ID admin account with permission to create applications
* A commercial Omni license (or an evaluation deployment with up to 10 users)
* Omni deployment using the `omni-web-enterprise` Docker image

## Enable Enterprise SSO

### Step 1: Switch to the Enterprise Image

Replace the `omni-web` Docker image with `omni-web-enterprise` in your `docker-compose.yml`:

```yaml theme={null}
web:
  image: ghcr.io/getomnico/omni-web-enterprise:${OMNI_VERSION:-latest}
```

Restart the services after making this change. The enterprise image bundles the Okta and Entra ID provider packages; the community image ships without them, so those providers cannot be enabled there.

### Step 2: Create an Okta Application

1. Log in to your Okta Admin Console
2. Go to **Applications** → **Create App Integration**
3. Select **OIDC - OpenID Connect** and **Web Application**
4. Configure the application:
   * **App integration name**: Omni
   * **Sign-in redirect URI**: `https://<your-omni-domain>/auth/okta/callback` (Okta matches this exactly, so scheme, host and path must be the ones Omni is actually served on)
   * **Sign-out redirect URI**: `https://<your-omni-domain>`
5. Under **Assignments**, assign the app to the users or groups who should have access
6. Save the application
7. Note the **Client ID** and **Client Secret** from the application settings

### Step 3: Configure Okta in Omni

1. Navigate to **Settings** → **Authentication** in the Omni admin panel
2. Under **Okta SSO**, enter:
   * **Okta Domain**: Your Okta domain (e.g., `yourcompany.okta.com`)
   * **Client ID**: From Step 2
   * **Client Secret**: From Step 2
3. Click **Save**

<Check>
  SSO is now configured. Users will see a "Sign in with Okta" option on the login page.
</Check>

## Microsoft Entra ID

Entra ID (formerly Azure AD) is configured the same way as Okta — register an application, add a client secret, and enter the tenant ID, client ID, and client secret in **Settings** → **Authentication** → **Microsoft Entra ID**.

### Step 1: Register an Application in Entra ID

1. Sign in to the [Azure Portal](https://portal.azure.com) with an account that can create app registrations (a Global Administrator, or a less privileged role such as Application Developer)
2. Go to **Microsoft Entra ID** → **App registrations** → **New registration**
3. Set the name: **Omni SSO**
4. Supported account types: **Single tenant** (only accounts in your own directory can sign in)
5. Redirect URI: **Web** → `https://<your-omni-domain>/auth/entra/callback`
6. Click **Register**
7. Note the **Application (client) ID** and **Directory (tenant) ID**

### Step 2: Create a Client Secret

1. Go to **Certificates & secrets** → **New client secret**
2. Set an expiry period and click **Add**; record the expiry date, because SSO logins stop working when the secret expires and you will need to rotate it in Omni before then
3. Copy the secret value immediately; it is shown only once

### Step 3: Configure Entra ID in Omni

1. Navigate to **Settings** → **Authentication**
2. Under **Microsoft Entra ID**, enter the **Tenant ID**, **Client ID**, and **Client Secret**
3. Click **Save**
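To make concrete what the Okta values from Steps 2 and 3 above and the Entra ID values from this section are used for, here is an added example of the OpenID Connect authorization-code exchange a relying party such as Omni performs with them. It is illustration code written for this page, not Omni's implementation. It assumes a hostname `omni.example.com` and the callback paths shown in the steps above; the Okta org authorization server and Entra ID v2.0 endpoint URLs are the providers' documented ones. The signature check of the ID token against the provider's JWKS needs the network and is left out; the claim checks that follow it are shown.

```python
import base64
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed for this example; substitute your own Omni hostname.
OMNI_DOMAIN = "omni.example.com"


def issuer(provider, cfg):
    """Expected OIDC issuer, derived from the same values entered in
    Settings -> Authentication (Okta domain, or Entra tenant ID)."""
    if provider == "okta":
        # Okta org authorization server: the issuer is the bare Okta domain.
        return f"https://{cfg['okta_domain']}"
    if provider == "entra":
        # Entra ID v2.0 endpoint; single-tenant, so the tenant ID is pinned here.
        return f"https://login.microsoftonline.com/{cfg['tenant_id']}/v2.0"
    raise ValueError(f"unknown provider {provider!r}")


def discovery_url(provider, cfg):
    """Where a client fetches endpoints and signing keys (JWKS) at runtime."""
    return issuer(provider, cfg) + "/.well-known/openid-configuration"


def redirect_uri(provider):
    """Must match the URI registered with the IdP byte for byte."""
    return f"https://{OMNI_DOMAIN}/auth/{provider}/callback"


def authorize_endpoint(provider, cfg):
    """Normally read from the discovery document; hard-coded so this runs offline."""
    if provider == "okta":
        return f"https://{cfg['okta_domain']}/oauth2/v1/authorize"
    return f"https://login.microsoftonline.com/{cfg['tenant_id']}/oauth2/v2.0/authorize"


def start_login(provider, cfg):
    """Build the authorization request plus the per-login session state that
    the callback and the ID token are later checked against."""
    verifier = secrets.token_urlsafe(64)
    challenge = base64.urlsafe_b64encode(
        hashlib.sha256(verifier.encode()).digest()).rstrip(b"=").decode()
    session = {"provider": provider, "state": secrets.token_urlsafe(32),
               "nonce": secrets.token_urlsafe(32), "code_verifier": verifier}
    params = {
        "response_type": "code",          # authorization-code flow, never implicit
        "client_id": cfg["client_id"],
        "redirect_uri": redirect_uri(provider),
        "scope": "openid profile email",
        "state": session["state"],        # binds the callback to this browser session
        "nonce": session["nonce"],        # binds the ID token to this login attempt
        "code_challenge": challenge,      # PKCE (S256) on top of the client secret
        "code_challenge_method": "S256",
    }
    return authorize_endpoint(provider, cfg) + "?" + urlencode(params), session


def check_callback(session, callback_url):
    """Validate the browser's return from the IdP and extract the code."""
    u = urlparse(callback_url)
    if f"{u.scheme}://{u.netloc}{u.path}" != redirect_uri(session["provider"]):
        raise ValueError("callback arrived on an unregistered URI")
    q = parse_qs(u.query)
    if "error" in q:
        raise ValueError(f"IdP returned error: {q['error'][0]}")
    got_state = q.get("state", [""])[0].encode()
    if not secrets.compare_digest(got_state, session["state"].encode()):
        raise ValueError("state mismatch: possible CSRF or stale login")
    if "code" not in q:
        raise ValueError("no authorization code in callback")
    return q["code"][0]


def check_id_token_claims(claims, cfg, session, now=None):
    """Claim checks that apply AFTER the token's signature has been verified
    against the JWKS from discovery_url() (network step, not shown)."""
    now = time.time() if now is None else now
    provider = session["provider"]
    if claims.get("iss") != issuer(provider, cfg):
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if cfg["client_id"] not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token was not issued to this client")
    got_nonce = str(claims.get("nonce", "")).encode()
    if not secrets.compare_digest(got_nonce, session["nonce"].encode()):
        raise ValueError("nonce mismatch: replayed or foreign ID token")
    if claims.get("exp", 0) <= now:
        raise ValueError("ID token expired")
    if provider == "entra" and claims.get("tid") != cfg["tenant_id"]:
        raise ValueError("token issued by a foreign tenant")
    return claims["sub"]
```

The redirect URI and issuer are fixed from configuration rather than taken from the incoming request, which is what makes the exact-match registration in Okta and Entra meaningful; `state` and `nonce` are compared in constant time, and for Entra the `tid` claim is checked as well as `iss`, so that a token minted by another tenant for an app with the same client ID is rejected.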

## Disabling Password Authentication

Once at least one SSO provider is active, you can disable password-based login:

1. Navigate to **Settings** → **Authentication**
2. Toggle off **Password Authentication**

<Warning>
  Before disabling password auth, make sure at least one admin has already signed in through an SSO provider that is still enabled (Google, Okta, or Entra ID); otherwise every admin can be locked out. Omni will not let you disable password auth unless another authentication method is active.
</Warning>
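As an added illustration of the lockout check described in the warning above (example code written for this page, not Omni's own logic), the following preflight applies both conditions to a constructed list of users: an SSO provider must be active, and at least one admin's most recent login must have gone through a provider that is still enabled. The `User` record and the `last_login_method` field are assumptions for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed example, not Omni's code: a preflight for the
# "Password Authentication" toggle.
SSO_METHODS = {"google", "okta", "entra"}


@dataclass
class User:
    email: str
    is_admin: bool
    last_login_method: Optional[str]  # "password", "google", "okta", "entra", or None


def can_disable_password_auth(users, enabled_providers):
    """Return (ok, reason). ok is True only if an SSO provider is active AND at
    least one admin's most recent login used a provider that is still enabled.
    An admin whose last SSO login used a since-disabled provider does not
    count: that path would not get them back in after the toggle."""
    active = set(enabled_providers) & SSO_METHODS
    if not active:
        return False, "no SSO provider is active; password auth cannot be disabled"
    safe_admins = sorted(u.email for u in users
                         if u.is_admin and u.last_login_method in active)
    if not safe_admins:
        return False, "no admin has signed in through an active SSO provider"
    return True, "admins who can still sign in: " + ", ".join(safe_admins)


# Constructed sample state: one admin on Okta, one admin still on passwords,
# one non-admin on Okta.
SAMPLE_USERS = [
    User("alice@example.com", True, "okta"),
    User("bob@example.com", True, "password"),
    User("carol@example.com", False, "okta"),
]

if __name__ == "__main__":
    print(can_disable_password_auth(SAMPLE_USERS, {"okta"}))
    print(can_disable_password_auth(SAMPLE_USERS, {"google"}))
```

The second call in the usage block shows the case the warning is really about: Okta has been switched off in favour of Google, alice's only SSO login was via Okta, and bob still uses a password, so disabling password auth now would leave no admin with a working login.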
