OIDC SSO (Dashboard Login)
OIDC Single Sign-On lets your team sign in to the StatusPage.me dashboard using your company’s existing identity provider (IdP) — Okta, Azure AD, Keycloak, Auth0, or any OIDC-compliant provider. Employees use the same corporate credentials they already have. No separate passwords, no manual account creation.
Note: This article covers SSO for dashboard login (team access to StatusPage.me itself). If you want to restrict who can view a private status page, see Private Status Pages or OIDC for Private Pages instead.
Unlike SAML SSO, OIDC SSO is self-service — you can configure it entirely from your account settings without contacting support.
Supported Providers
OIDC SSO works with any standard OpenID Connect identity provider, including:
- Okta
- Microsoft Azure AD / Entra ID (via OIDC)
- Google Workspace
- Auth0
- Keycloak
- Ping Identity
- OneLogin
- Any generic OIDC-compliant provider
How It Works
Once configured, the login flow is:
- A team member visits the StatusPage.me login page
- They click Sign in with company SSO and enter their work email (e.g.
alice@acme.com) - StatusPage.me extracts the domain (
acme.com), matches it to your configuration, and redirects the user to your IdP’s login screen - After successful authentication at your IdP, they are returned to StatusPage.me and signed in
New users who authenticate via OIDC SSO have a StatusPage.me account created automatically on first login. You can then invite them to your team so they can manage your shared status pages.
Returning users simply sign in — the OIDC identity is linked to their existing account.
Prerequisites
- A StatusPage.me plan that includes OIDC SSO (see pricing for plan details)
- Admin access to your identity provider to create an OAuth 2.0 / OIDC application
- At least one verified email domain you want to associate with this SSO configuration
Step 1 — Create an Application in Your Identity Provider
In your identity provider, create a new Web application (OAuth 2.0 / OIDC). The exact steps vary by provider — see the provider-specific notes below.
Set the redirect URI to:
https://statuspage.me/oauth/oidc-tenant/callback
If using a custom domain for your dashboard, use that domain instead.
After creating the application, collect:
- Issuer URL — the base URL of your identity provider
- Client ID
- Client Secret
Provider-specific notes
| Provider | Issuer URL | Notes |
|---|---|---|
| Okta | https://your-org.okta.com | Use the Okta domain (not the admin URL) |
| Auth0 | https://your-tenant.auth0.com | Use the tenant domain |
| Keycloak | https://your-host/realms/your-realm | Include the realm in the path |
| Azure AD (OIDC) | https://login.microsoftonline.com/{tenant-id}/v2.0 | Use the v2.0 endpoint |
| Google Workspace | Uses Google’s OIDC endpoint automatically | Configure the Hosted Domain field to restrict to your org |
Step 2 — Configure in StatusPage.me
- Go to Account Settings → SSO Settings
- Click Add Provider
- Fill in the fields:
| Field | Description |
|---|---|
| Display Name | A human-readable label (e.g. “Acme Corp Okta”) shown to your team |
| Issuer URL | The base URL of your IdP — StatusPage.me auto-discovers endpoints from this |
| Client ID | From the application you created in Step 1 |
| Client Secret | From the application you created in Step 1 (encrypted at rest) |
| Allowed Email Domains | Comma-separated list of email domains that can use this provider (e.g. acme.com, acme.io) |
| Hosted Domain (optional) | Restrict to a specific Google Workspace domain via the hd claim |
| Enabled | Toggle the configuration on or off without deleting |
- Click Add Provider
You can configure multiple OIDC providers if your organization uses different IdPs for different email domains.
Step 3 — Test the Flow
- Open your StatusPage.me login page in a private/incognito browser window
- Click Sign in with company SSO
- Enter your work email (matching one of the allowed domains you configured)
- Complete the login at your identity provider
- After authentication, you should land on your dashboard
If successful, you can now share the login flow with your team:
“Go to statuspage.me/login, click Sign in with company SSO, and sign in with your work email.”
What Your Team Sees
First-time login
When a new team member authenticates via OIDC SSO for the first time, a StatusPage.me account is automatically created using their corporate identity. They are taken directly to the dashboard.
Next step: Invite them to your team. Go to Teams → select your team → Invite Members. Team management is covered in Teams.
Returning users
Returning users click Sign in with company SSO on the login page and enter their work email. StatusPage.me routes them to your IdP and they’re signed in immediately.
Profile and connections
After logging in via OIDC SSO, the OIDC identity appears on the user’s Connections page alongside any other linked OAuth providers (Google, GitHub).
Managing Configurations
You can manage your OIDC SSO configurations from Account Settings → SSO Settings:
- Edit — Change display name, issuer URL, client credentials, or allowed domains
- Enable / Disable — Temporarily suspend SSO for a provider without deleting it
- Delete — Remove a configuration permanently
- Multiple providers — Configure different IdPs for different email domains (e.g. one for
@acme.comand another for@acme-eu.com)
If you leave the Client Secret field blank when editing, the existing secret is preserved.
Availability
OIDC SSO availability depends on your plan. Visit the pricing page to check which plans include OIDC Single Sign-On.
Troubleshooting
“No SSO configuration found for your domain”
The email domain you entered doesn’t match any of your configured allowed domains. Ensure the domain is listed in the Allowed Email Domains field of your OIDC configuration.
“Failed to connect to identity provider”
The platform couldn’t reach your IdP’s discovery document at {issuer}/.well-known/openid-configuration. Check that:
- The Issuer URL is correct and publicly accessible
- Your IdP is running and reachable
Redirect URI mismatch
Your IdP rejected the authentication because the redirect URI doesn’t match. Ensure the redirect URI in your IdP application is set to:
https://statuspage.me/oauth/oidc-tenant/callback
“Issuer mismatch” or “Audience mismatch”
- The Issuer URL in your configuration must match the
issclaim in the ID token exactly - The Client ID must appear in the
audclaim of the ID token
“OAuth state is invalid or expired”
The sign-in flow took too long or the browser state was lost. Ask the user to try again from the login page.
“Email address is required but not provided”
Your IdP is not configured to release the email claim. OIDC SSO requires the email scope and claim. Check your IdP application’s scope and claim configuration.
OIDC SSO vs. Other Authentication Methods
| OIDC SSO (this article) | SAML SSO | Google / GitHub OAuth | Private Page OIDC | |
|---|---|---|---|---|
| Protects | Dashboard login | Dashboard login | Dashboard login | Status page viewing |
| Users | Your internal team | Your internal team | Any individual | Your customers / employees |
| Protocol | OIDC (self-service) | SAML 2.0 (concierge) | OAuth 2.0 | OIDC |
| Setup | Configure in SSO Settings | Contact support | Click “Sign in with Google/GitHub” | Status Page Settings → Access |
| Account creation | Automatic on first login | Automatic on first login | Automatic on first login | N/A (viewing only) |
| Domain restriction | Configurable per provider | Configurable | Per-user | Per status page |
Related
- SAML SSO — enterprise concierge SSO
- Teams — manage roles and permissions for team members
- Connections — link OAuth providers to your account
- Private Status Pages — restrict who can view your status page
- OIDC for Private Pages — OIDC authentication for private status page visitors
- Google Workspace for Private Pages — Google OIDC for private pages