
SSO & provisioning

Single sign-on (SSO) lets the members of your organization sign in to Bird through your company's own identity provider — Okta, Microsoft Entra ID, Google Workspace, or any other system that speaks SAML 2.0 or OIDC — instead of managing a separate Bird password. SSO is an enterprise capability and is set up per organization; it is being rolled out and is not yet self-serve in the dashboard, so talk to your Bird account team to get it enabled for your organization.
This is different from signing in with a personal Google or GitHub account, which any individual user can do — see Login, password & MFA. SSO is configured once by an organization admin and applies to everyone whose email belongs to your company's domain.

How it works, in plain terms

Your organization connects its identity provider (IdP) to Bird, covering one or more verified email domains (say, yourcompany.com). Once the connection is active, anyone with an email address on those domains can sign in to Bird by authenticating with your company login — the same screen they use for everything else at work. Bird links each person to a stable identity from your IdP, not to their email address, so a name or email change on your side doesn't break their Bird account.

What setup involves

Setup is done by an organization admin working with your identity-provider admin (often the same team):
  1. Prove you own the domain. Bird gives you a DNS record to publish for each email domain the connection will cover. Enforcement can't be turned on until the domain is verified.
  2. Exchange configuration with your IdP. Your IdP admin creates a Bird app in your identity provider and provides the usual details — for SAML, the metadata or sign-in URL and signing certificate; for OIDC, the issuer and client credentials. Bird provides its side (the service-provider details) for your IdP admin to paste in.
  3. Test before turning it on. Connections support a test mode, so you can verify a sign-in end to end before any member is affected.
  4. Choose an enforcement level. SSO can be optional (members may use SSO or their password) or required (members on the covered domains must use SSO). Even with SSO required, organization owners can always sign in with password and MFA — a deliberate break-glass path so an identity-provider outage never locks you out of your own organization.

What changes for your team

Once SSO is on, members on the covered domains pick the SSO option at the Bird login and are sent through your company login. New employees can be provisioned just in time: the first time they sign in through your IdP, a Bird account is created for them and joined to your organization — no invitation email needed. What they can do inside Bird is still governed by their Bird role; see Users, teams & roles.
Day to day, that means joiners get access through your IdP, and leavers lose access when you disable them there — your identity provider becomes the front door. Automatic directory sync (SCIM) — pushing user creation, updates, and deactivation from your IdP into Bird without anyone signing in — is planned as a follow-on and isn't part of the initial SSO offering.
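
The identity linking described under "How it works" and the just-in-time provisioning described above can be modeled as follows. This is an added illustration, not Bird's code: the class and field names, the issuer URL and the subject values are assumptions, and the assertion is assumed to have been signature-validated already. Rejecting emails outside the verified domains is likewise an assumption drawn from the domain-coverage description.

```python
from dataclasses import dataclass, field

@dataclass
class Member:
    member_id: int
    email: str
    role: str = "member"   # role is set inside the application, not by the IdP

@dataclass
class Connection:
    issuer: str                   # IdP identifier (OIDC issuer or SAML entity ID)
    verified_domains: frozenset   # domains proven through the DNS record
    links: dict = field(default_factory=dict)   # (issuer, subject) -> Member

    def sign_in(self, issuer, subject, email):
        """Resolve an already-validated IdP assertion to a member."""
        if issuer != self.issuer:
            raise PermissionError("assertion from an unknown IdP")
        domain = email.rpartition("@")[2].lower()
        if domain not in self.verified_domains:
            raise PermissionError("email domain not covered by this connection")
        key = (issuer, subject)   # stable identity: never keyed on email
        member = self.links.get(key)
        if member is None:
            # Just-in-time provisioning: first sign-in creates the account.
            member = Member(len(self.links) + 1, email)
            self.links[key] = member
        elif member.email != email:
            # Email changed at the IdP: same account, refreshed attribute.
            member.email = email
        return member

def demo():
    # Constructed sample data.
    idp = "https://idp.example"
    conn = Connection(idp, frozenset({"yourcompany.com"}))
    first = conn.sign_in(idp, "00u1", "alice@yourcompany.com")
    renamed = conn.sign_in(idp, "00u1", "alice.smith@yourcompany.com")
    # A different person later receives the recycled address.
    reused = conn.sign_in(idp, "00u2", "alice@yourcompany.com")
    return first, renamed, reused

if __name__ == "__main__":
    for m in demo():
        print(m)
```

Because the lookup key is the issuer and subject pair, a recycled email address assigned to a different person produces a new account rather than access to the previous holder's.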