Single Sign-On (SSO) Setup & Configuration Guide

Modified on Tue, 22 Apr at 11:25 AM

Single Sign-On (SSO) allows users to log in to Lemontaps using their existing company credentials — no need to create or manage a separate password. When accessing Lemontaps, users are redirected to their identity provider (e.g. Entra ID - formerly Azure AD, or Okta) for authentication. Once verified, they're automatically signed in.



SSO Setup Overview


The simplified setup process is outlined below. For detailed instructions, including a dedicated Entra ID and Okta setup guide, and how to test your configuration, please refer to the sections that follow.


1. Verify the relevant set of email domains

Each SSO configuration in Lemontaps is tied to a list of approved email domains. Before setting up SSO, you’ll need to verify the relevant domains for your organization. You can verify your domains here. Learn more about managing email domains.


2. Configure your Identity Provider (IdP) for SSO

To configure your identity provider, go to Team Settings > Identity Provider. For a detailed overview and setup instructions, see our Identity Provider guide.


3. Configure Lemontaps for SSO

We've put together a general setup guide with visuals and helpful tips to walk you through the SSO configuration process. For platform-specific instructions, please follow our dedicated guides for Okta and Microsoft Entra ID below. For other Identity Providers, please review the General SSO Setup Guide.


4. Test SSO

For a detailed explanation, see the "How to Test" section below. We've also included an after-setup checklist to help you thoroughly test your configuration.


5. Enable SSO



Entra ID Setup Guide 


We support a native SSO integration with Entra ID (formerly Azure AD) using OIDC-based authentication. OIDC is built on top of OAuth 2.0 and requires only minimal configuration.

If you require SAML-based authentication, e.g. for compliance reasons, choose "Other" as your identity provider in Lemontaps (in step 2 above). You will then be able to set up SAML 2.0-based authentication. Setting up SSO via SAML requires more manual configuration and is therefore more prone to errors.


Steps for setting up SSO with Entra ID:

  1. Configure the App registration in Entra ID
    If you plan to set up user provisioning via SCIM later on, follow this guide:
    Registration with SCIM Guide Entra ID
    Otherwise, follow this guide:
    Registration Guide Entra ID  
  2. Configure SSO using this guide:
    SSO Configuration Entra ID  
  3. [optional] Check your Entra ID settings against this reference:
    Entra ID Settings
  4. Test your setup to verify that everything works fine:
    Test Setup



Okta Setup Guide 


We support two SSO connection strategies: OIDC-based authentication and SAML 2.0-based authentication.

OIDC is built on top of OAuth 2.0 and requires only minimal configuration.

Choose SAML 2.0-based authentication if you plan to set up user provisioning via SCIM. Okta only allows this for SAML-based applications.

Choose OIDC-based authentication if you do not plan to set up user provisioning. OIDC-based authentication requires fewer configuration steps and is therefore less prone to errors and requires less debugging.


Steps for setting up SSO with Okta:

  1. Configure the integration in Okta
    SAML 2.0 Guide:
    Okta Integration SAML 2.0  
    OIDC Guide:
    Okta Integration OIDC
  2. Test your setup to verify that everything works fine:
    Test Setup



How to Test


While following the steps in the setup wizard, you are prompted to test the connection. This tests the connection between the identity provider and Lemontaps. However, it does not check that the required claims are present.

To test SSO and whether the required claims are set up correctly, use the "Test" button on the SSO settings card within the identity provider settings in Lemontaps.

Follow the instructions there to test the SSO connection. 

We recommend doing this before logging out and back into your account.

SSO connection test  


How to manage email domains for an existing configuration

You can read the following guide if you want to know how to manage your email domains for an existing configuration:
Domain management guide  


After-Setup Checklist

After following the configuration steps, you should test against the following checklist. If everything is ready, you can log out of your account and log back in to migrate to the SSO identity.

  • You followed the setup guide and made all the configurations in both the IdP and Lemontaps
  • All relevant email domains are connected to the SSO configuration
  • You have tested the SSO integration successfully using this guide:
    SSO integration test
  • The two required claims, email and email_verified, are set up correctly. This is automatically configured for native OIDC-based integrations with Entra ID and Okta. For SAML-based authentication, and for custom OIDC-based authentication, these claims must be configured manually. You can test this using the testing guide above.
  • [Entra ID only] settings checklist: Entra ID settings checklist  
  • If the configuration included resources with an expiration date, make sure to configure reminders to renew these resources on time.
    E.g. for native OIDC-based SSO with Entra ID you must provide a secret value which expires after a set period of time.

If any part is still missing, we recommend disabling SSO until the configuration is ready.
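To make the checklist items about the two required claims and the connected email domains concrete, here is an added example (not Lemontaps code) of the checks a service would run on the decoded claims before accepting a login: domain-based IdP selection, presence of email and email_verified, and that the email's domain is one of the verified domains. The SsoConfig type, function names and sample claims are assumptions, and signature verification of the token or assertion is assumed to have already happened.

```python
# Hypothetical checker, not Lemontaps code. Assumes the claims arrive as a
# dict after the IdP's token/assertion has already been signature-verified.
from dataclasses import dataclass


@dataclass
class SsoConfig:
    idp_name: str
    verified_domains: set  # e.g. {"company.com", "subcompany.com"}


def email_domain(email):
    """Return the lower-cased domain part of an address, or None if malformed."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain:
        return None
    return domain.lower()


def idp_for_login(email, configs):
    """Login-page routing: the domain part selects the SSO configuration."""
    domain = email_domain(email)
    for cfg in configs:
        if domain in cfg.verified_domains:
            return cfg.idp_name
    return None  # not an SSO domain: regular email/password flow


def _truthy(value):
    # OIDC sends email_verified as a JSON boolean; SAML attribute values are
    # strings, so "true" from a manually mapped SAML claim is accepted too.
    return value is True or (isinstance(value, str) and value.lower() == "true")


def validate_claims(claims, cfg):
    """Return the list of problems (an empty list means the checklist passes)."""
    problems = []
    email = claims.get("email")
    if not isinstance(email, str) or email_domain(email) is None:
        problems.append("missing or malformed 'email' claim")
    elif email_domain(email) not in cfg.verified_domains:
        problems.append(f"domain {email_domain(email)!r} is not verified for {cfg.idp_name}")
    if "email_verified" not in claims:
        problems.append("missing 'email_verified' claim")
    elif not _truthy(claims["email_verified"]):
        problems.append("'email_verified' is not true")
    return problems


# Constructed samples: a native OIDC token carries both claims as JSON types,
# a manually mapped SAML assertion delivers them as strings, and a broken
# configuration lacks email_verified and uses an unverified domain.
CONFIG = SsoConfig("Entra ID", {"company.com", "subcompany.com"})
OIDC_CLAIMS = {"sub": "abc", "email": "Person1@Company.com", "email_verified": True}
SAML_CLAIMS = {"email": "person2@subcompany.com", "email_verified": "true"}
BAD_CLAIMS = {"email": "person3@other.com"}
```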


Adding a new email domain


You can choose to add more email domains at any time. Follow these steps:

  1. Set up and verify the new email domain: Domain setup  
  2. Add the new email domain to your SSO configuration: Domain to SSO  



FAQ


Why do I need to configure email domains?

There are several reasons for this. First of all, when opening the Lemontaps login page, the domain part of the email address determines which identity provider to forward the authentication request to. The main reason however is enhanced security. Configuring trusted email domains restricts access to users from specified domains, thereby reducing the risk of unauthorized access. It also allows users from these domains to seamlessly access Lemontaps without going through further email verification processes.


Which email domains should I verify?

You have to verify every email domain that users in your organization will log in with. If you have a set of users with emails person1@company.com and person2@subcompany.com who should later all access Lemontaps, then you will need to verify both "company.com" and "subcompany.com".


How do I disable SSO?

Guide - Disabling SSO  


How do I enable SSO?

On the SSO settings card inside the identity provider settings within Lemontaps, find the button that says "Enable and Enforce SSO".
SSO will then be enforced for each user logging in with one of the configured email domains. Make sure that the configuration has been tested beforehand.


What happens after my secret has expired?

Certain OIDC-based integrations require a secret to be provided. If this secret has an expiration date within your IdP (e.g. in Entra ID, all secrets can have a maximum lifetime of 2 years), it is your responsibility to renew the secret before it expires. If you fail to do so on time, your users won't be able to log in any more.


Our SSO secret is expired and we lost access to our application. How can we recover it?

Guide - SSO recovery  


Can I test SSO but not enable it?

Yes, you can choose not to enable the connection by closing the setup wizard instead of clicking "Enable Connection" in the very last step. You can then test the connection as often as you want from within the Lemontaps SSO settings card.

You can also disable SSO if no user has logged in with SSO yet. 


Can there be users outside of my team using an email domain I configured for SSO?

No. Once you have configured an email domain for SSO, all users across Lemontaps with that domain must authenticate using your SSO configuration. There can therefore be no users outside of your team, as they would no longer be able to log in. Please import these users into your team and enable automatic account claiming in the email domain settings. Otherwise, these users will not be able to log into their accounts any more.


Can I renew or update some configuration (e.g. the client secret) by providing a self-service ticket URL to my IT department?

Yes. Simply click on the three-dots-menu within the SSO settings card and choose "Generate Self-Service Ticket URL".


