# Single Sign-On (SSO) Setup

> How to configure SSO for your Mention Me account using Google, Okta, Auth0, or Microsoft Entra.

You can integrate SSO with Mention Me to allow employees to log in using their existing identity provider. This removes the need for passwords and lets you manage authentication centrally.

Account provisioning and role assignment are still managed within Mention Me. Once SSO is enabled, email/password login is disabled for users under the configured domain(s).

<Warning>Only configure domains your organisation controls. Improper configuration may expose your platform to unauthorised users.</Warning>

<Tabs>
  <Tab title="Google">
    ## Prerequisites

    * A [Google Workspace](https://gsuite.google.com/) account
    * A verified domain linked to your Google Workspace
    * Users with email addresses matching this domain

    ## Google setup

    <Steps>
      <Step title="Create a new project">
        Go to the [Google Cloud Platform Console](https://console.cloud.google.com/) and create a new project.
      </Step>

      <Step title="Create OAuth credentials">
        Go to **APIs & Services > Credentials** and click **Create Credentials** > **OAuth client ID**.
      </Step>

      <Step title="Configure the consent screen">
        Configure the [OAuth consent screen](https://support.google.com/cloud/answer/6158849?hl=en). Mention Me only requires default scopes and an entry for `mention-me.com`. Save the consent screen settings.
      </Step>

      <Step title="Set up the web application">
        Select **Web application** as the application type and provide a name for the OAuth client ID.

        Set **Authorized JavaScript origins**: `https://mention-me.com`

        Set **Authorized redirect URI**: `https://mention-me.com/oauth/google/client/redirect/xxxx` (replace `xxxx` with your account identifier)
      </Step>

      <Step title="Generate credentials">
        Click **Create** to generate your client ID and secret. Copy the client ID and secret for Mention Me configuration.
      </Step>
    </Steps>

    ## Mention Me setup

    <Steps>
      <Step title="Open SSO configuration">
        Log in as an administrator and visit the [SSO configuration](https://mention-me.com/merchant/~/settings/security-and-data#sso-authentication) page ([Demo link](https://demo.mention-me.com/merchant/~/settings/security-and-data#sso-authentication)).
      </Step>

      <Step title="Configure Google SSO">
        Choose **Google** as the SSO provider and enter your **Client ID**, **Client Secret**, and **Domain**.
      </Step>
    </Steps>

    Once saved, email/password login is disabled for all users under the configured domain.

    ## Default permissions

    * **Demo platform**: Marketing access
    * **Live platform**: Customer Service access

    Toggle default permissions via a checkbox on the SSO setup page. Admins can adjust user permissions manually afterward.

    ## Tips

    * Users can revoke access via Google Workspace: **Google Account > Security > Account Permissions > Mention Me > Revoke Access**. This prompts the consent screen again on next login.

    ## Disabling Google Auth

    If you disable OAuth after enabling it, users can log in again with email/password. New users created during SSO usage will not have a password -- a password reset must be triggered for them to regain access.
  </Tab>

  <Tab title="Okta">
    ## Prerequisites

    * An active [Okta](https://okta.com/) account
    * At least one domain managed under your Okta account
    * Users with emails associated with your Okta-managed domain

    ## Okta setup

    See Okta's [official guide](https://developer.okta.com/docs/guides/implement-oauth-for-okta/create-oauth-app/) for reference.

    <Steps>
      <Step title="Create an App Integration">
        Log in to the Okta Admin Console and create a new App Integration. Select **OIDC - OpenID Connect** and **Web Application**.
      </Step>

      <Step title="Configure the application">
        Name the app (e.g. "Mention Me"), choose assignment settings, and save. Ensure default scopes (name and email) are selected.
      </Step>

      <Step title="Set the redirect URI">
        In **Sign-in redirect URIs**, enter: `https://mention-me.com/oauth/client/redirect/xxxx` (replace `xxxx` with your Merchant ID).
      </Step>

      <Step title="Save and copy credentials">
        Click **Save** and copy the **Client ID**, **Client Secret**, and **Okta Domain**.
      </Step>
    </Steps>

    If you use both Live and Demo platforms, add two redirect URIs:

    * Live: `https://mention-me.com/oauth/client/redirect/xxxx`
    * Demo: `https://demo.mention-me.com/oauth/client/redirect/yyyy`

    You can use the same Client ID, Client Secret, and Issuer URI for both.

    ## Mention Me setup

    <Steps>
      <Step title="Open SSO configuration">
        Log in as an admin and go to the [SSO Configuration page](https://mention-me.com/merchant/~/settings/security-and-data#sso-authentication) ([Demo link](https://demo.mention-me.com/merchant/~/settings/security-and-data#sso-authentication)).
      </Step>

      <Step title="Configure Okta SSO">
        Select **Okta** from the SSO options and enter your **Client ID**, **Client Secret**, **Domains**, and **Issuer URI** (e.g. `https://yourdomain.okta.com/oauth2`).
      </Step>
    </Steps>

    Once saved, email/password login is disabled for the configured domains.

    ## Default permissions

    * **Demo platform**: Marketing access
    * **Live platform**: Customer Service access

    Enable via a checkbox in the Okta setup. Admins can adjust roles manually afterward.

    ## Disabling Okta

    Users can switch back to email/password login. Users created during SSO usage will not have passwords -- a password reset is required.
  </Tab>

  <Tab title="Auth0">
    ## Prerequisites

    * An Auth0 account for your organisation
    * At least one domain registered and controlled within Auth0
    * Users whose email addresses are within that domain

    ## Auth0 setup

    Refer to the [Auth0 guide](https://auth0.com/docs/authenticate/single-sign-on/inbound-single-sign-on) for detailed instructions.

    <Steps>
      <Step title="Create a new application">
        Go to the Auth0 Admin Console and create a new application. Select **Regular Web App**, name it (e.g. "Mention Me"), and click **Create**.
      </Step>

      <Step title="Configure scopes and access">
        Accept default options for access and ensure default scopes (name, email) are enabled.
      </Step>

      <Step title="Set the redirect URI">
        In **Sign-in redirect URIs**, enter: `https://mention-me.com/oauth/client/redirect/xxxx` (replace `xxxx` with your Merchant ID).
      </Step>

      <Step title="Save and copy credentials">
        Click **Save** and copy the **Client ID**, **Client Secret**, and **Account name or Custom Domain**.
      </Step>
    </Steps>

    If you use both Live and Demo platforms, add separate redirect URIs:

    * Live: `https://mention-me.com/oauth/client/redirect/xxxx`
    * Demo: `https://demo.mention-me.com/oauth/client/redirect/yyyy`

    You can reuse the same Client ID, Client Secret, and Custom Domain across environments.

    ## Mention Me setup

    <Steps>
      <Step title="Open SSO configuration">
        Log in as an administrator and visit [SSO configuration](https://mention-me.com/merchant/~/settings/security-and-data#sso-authentication) ([Demo link](https://demo.mention-me.com/merchant/~/settings/security-and-data#sso-authentication)).
      </Step>

      <Step title="Configure Auth0 SSO">
        Select **Auth0** from the provider dropdown and enter your **Client ID**, **Client Secret**, **Domains**, and **Account name or Custom Domain** (e.g. `auth.yourdomain.com`).
      </Step>
    </Steps>

    Once saved, email/password login is disabled for users from the configured domain(s). Users will not be logged out immediately but must use the new login method from their next session.

    ## Default permissions

    * **Demo**: Marketing permissions
    * **Live**: Customer Service permissions

    Enable via a checkbox in the Auth0 SSO setup page. Admins can adjust roles after signup.

    ## Disabling Auth0

    Users can return to email login. Users created during SSO usage will not have passwords -- a password reset is required.
  </Tab>

  <Tab title="Microsoft Entra">
    ## Prerequisites

    * An active Microsoft Entra (formerly Azure AD) account
    * At least one domain registered and managed by your organisation
    * Users with email addresses under your verified domain(s)

    ## Entra setup

    <Steps>
      <Step title="Create a new application">
        Log in to the Microsoft Entra (Azure) Admin Console and create a new Application (typically as a Regular Web App). Name the application (e.g. "Mention Me").
      </Step>

      <Step title="Configure permissions">
        Assign access and save with default permissions. Only default scopes (email and name) are required.
      </Step>

      <Step title="Set the redirect URI">
        Add the Sign-in Redirect URI: `https://mention-me.com/oauth/client/redirect/xxxx` (replace `xxxx` with your Merchant ID).
      </Step>

      <Step title="Save and copy credentials">
        Click **Save** and copy your **Client ID** and **Client Secret**.
      </Step>
    </Steps>

    Add separate redirect URIs for Live and Demo:

    * Live: `https://mention-me.com/oauth/client/redirect/xxxx`
    * Demo: `https://demo.mention-me.com/oauth/client/redirect/yyyy`

    You can reuse the same Client ID and Client Secret for both platforms.

    ## Mention Me setup

    <Steps>
      <Step title="Open SSO configuration">
        Log in as an admin and go to [SSO configuration](https://mention-me.com/merchant/~/settings/security-and-data#sso-authentication) ([Demo link](https://demo.mention-me.com/merchant/~/settings/security-and-data#sso-authentication)).
      </Step>

      <Step title="Configure Entra SSO">
        Select **Microsoft Entra** from the SSO options dropdown and enter your **Client ID**, **Client Secret**, and **Domains**.

        Your Entra login URL may look like: `https://login.microsoftonline.com/[tenant_id]/v2.0`
      </Step>
    </Steps>

    Once saved, all users must use Entra for login. Email/password access is disabled for the configured domains. Users will not be logged out immediately but will be redirected through Entra on next login.

    ## Default permissions

    * **Demo**: Marketing role
    * **Live**: Customer Service role

    Enable via a checkbox in the SSO setup interface. Admins can adjust roles manually post-login.

    ## Disabling Entra

    Users revert to email/password logins. Users created during SSO will not have passwords -- a password reset (or admin-triggered reset) is required.
  </Tab>
</Tabs>
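
A pre-flight check for the redirect URIs and domains this guide asks you to enter, added here as an example and not Mention Me's own code. The function names, the sample list of shared mailbox domains and the identifier `12345` used when calling it are constructed for illustration; the hosts, callback paths and `xxxx`/`yyyy` placeholders are the ones shown in the steps above.

```python
from urllib.parse import urlsplit

# Hosts and callback paths exactly as listed in this guide.
HOSTS = {"live": "mention-me.com", "demo": "demo.mention-me.com"}
PATHS = {"google": "/oauth/google/client/redirect/"}
DEFAULT_PATH = "/oauth/client/redirect/"   # Okta, Auth0, Microsoft Entra
PLACEHOLDERS = {"xxxx", "yyyy"}            # the guide's stand-ins for your identifier
# Constructed sample list of shared mailbox domains no single organisation controls.
PUBLIC_MAIL = {"gmail.com", "googlemail.com", "outlook.com", "hotmail.com", "yahoo.com"}


def check_redirect_uri(uri, provider, platform):
    """Return a list of problems with a redirect URI (empty list means OK)."""
    problems = []
    parts = urlsplit(uri)
    prefix = PATHS.get(provider, DEFAULT_PATH)
    if parts.scheme != "https":
        problems.append("scheme must be https")
    # Compare the full authority so userinfo or port tricks do not pass.
    if parts.netloc != HOSTS[platform]:
        problems.append(f"host must be exactly {HOSTS[platform]}")
    if parts.query or parts.fragment or "*" in uri:
        problems.append("no query string, fragment or wildcard")
    if not parts.path.startswith(prefix):
        problems.append(f"path must start with {prefix}")
    else:
        ident = parts.path[len(prefix):]
        if not ident or "/" in ident:
            problems.append("identifier must be a single path segment")
        elif ident.lower() in PLACEHOLDERS:
            problems.append("placeholder identifier was not replaced")
    return problems


def check_domain(domain):
    """Return a list of problems with an SSO email domain (empty list means OK)."""
    problems = []
    d = domain.strip().lower()
    if "@" in d or "*" in d or "/" in d or "." not in d:
        problems.append("enter a bare domain such as example.com")
    if d in PUBLIC_MAIL:
        problems.append("shared mailbox domain, not controlled by your organisation")
    return problems
```

Run both checks on every value before saving it in the identity provider and in the Mention Me SSO form; an empty list from each means the value matches the shape this guide describes.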
