Single Sign-On (SSO)

Unthread supports Single Sign-On (SSO) to allow your team to log in using your existing identity provider (Google, Okta, Microsoft Entra ID, etc.).

We support two protocols:

• OIDC (OpenID Connect): Strongly Recommended. It is more secure, easier to set up, and modern.

• SAML 2.0: Supported for legacy requirements.

⚡️ Configuration Cheat Sheet

Regardless of which provider you use, you will need these values during setup.

Callback / Redirect / ACS URL:
https://{tenant-name}.unthread.io/__/auth/handler

Entity ID / Audience URI:
unthread

🔵 Google Workspace

Method A: OIDC (Recommended)

1. Go to the Google Cloud Console (console.cloud.google.com).

2. Create a New Project (e.g., "Internal-SSO").

   • Tip: Use a new project rather than an existing external one to ensure proper internal security controls.

3. Configure Consent Screen:

   • Navigate to APIs & Services > OAuth consent screen.

   • Select Internal (This ensures only your employees can login).

   • Fill in the App Name ("Unthread") and User Support Email.

   • Click Save.

4. Create Credentials:

   • Navigate to APIs & Services > Credentials.

   • Click + CREATE CREDENTIALS > OAuth client ID.

   • Application type: Select Web application.

   • Authorized redirect URI: Paste the Callback URL from the Cheat Sheet above.

   • Click Create.

5. Send to Unthread:

   • Client ID

   • Client Secret

Method B: SAML (Legacy)

1. Go to the Google Admin Console (admin.google.com).

2. Navigate to Apps > Web and mobile apps.

3. Click Add App > Add custom SAML app.

4. Google IdP Details: Click Download Metadata (you will send this file to us). Click Continue.

5. Service Provider Details:

   • ACS URL: Paste the Callback URL from the Cheat Sheet above.

   • Entity ID: Paste the Entity ID (unthread).

   • Name ID: Select Basic Information > Primary Email.

   • Name ID Format: EMAIL (or UNSPECIFIED).

6. Attribute Mapping: Map Primary Email to email, First Name to firstName, and Last Name to lastName.

7. Enable App: By default, the app is OFF. Click on the app > User access > turn ON for everyone.

⚫ Okta

Method A: OIDC (Recommended)

1. Log in to your Okta Admin Console.

2. Go to Applications > Applications.

3. Click Create App Integration.

4. Select OIDC - OpenID Connect as the Sign-in method.

5. Select Web Application as the Application type. Click Next.

6. General Settings:

   • App integration name: Unthread.

   • Sign-in redirect URIs: Paste the Callback URL from the Cheat Sheet above.

   • Assignments: Select "Allow everyone in your organization to access" (or assign specific groups).

   • Click Save.

7. Send to Unthread:

   • Client ID (Found on the General tab).

   • Client Secret (Found on the General tab).

   • Okta Domain / Issuer: Usually https://{your-org}.okta.com.

Method B: SAML (Legacy)

1. Log in to your Okta Admin Console.

2. Go to Applications > Applications.

3. Click Create App Integration.

4. Select SAML 2.0. Click Next.

5. General Settings: Name the app "Unthread". Click Next.

6. Configure SAML:

   • Single sign on URL: Paste the Callback URL from the Cheat Sheet above.

   • Audience URI (SP Entity ID): Paste the Entity ID (unthread).

   • Name ID format: EmailAddress.

   • Application username: Email.

7. Attribute Statements:

   • Name: email | Value: user.email

   • Name: firstName | Value: user.firstName

   • Name: lastName | Value: user.lastName

8. Click Next and Finish.

9. Send to Unthread:

   • Go to the Sign On tab of your new app.

   • Click Identity Provider metadata (blue link) to download the XML file. Send us this file.

🟦 Microsoft Entra ID (Azure AD)

Method A: OIDC (Recommended)

1. Log in to the Microsoft Entra admin center (entra.microsoft.com).

2. Go to Identity > Applications > App registrations.

3. Click New registration.

4. Register an application:

   • Name: Unthread.

   • Supported account types: Single tenant (Accounts in this organizational directory only).

   • Redirect URI (Platform): Select Web.

   • Redirect URI (URL): Paste the Callback URL from the Cheat Sheet above.

   • Click Register.

5. Create Secret:

   • In the sidebar, click Certificates & secrets.

   • Click New client secret. Give it a description and expiry. Click Add.

   • Important: Copy the Value immediately (you won't see it again).

6. Send to Unthread:

   • Application (client) ID (Found on the Overview page).

   • Directory (tenant) ID (Found on the Overview page).

   • Client Secret Value (The string you just copied).

Method B: SAML (Legacy)

1. Log in to the Microsoft Entra admin center (entra.microsoft.com).

2. Go to Identity > Applications > Enterprise applications.

3. Click New application > Create your own application.

4. Name it "Unthread" and select Integrate any other application you don't find in the gallery (Non-gallery). Click Create.

5. In the sidebar, select Single sign-on > SAML.

6. Basic SAML Configuration (Edit):

   • Identifier (Entity ID): Paste the Entity ID (unthread).

   • Reply URL (Assertion Consumer Service URL): Paste the Callback URL from the Cheat Sheet above.

   • Click Save.

7. Attributes & Claims (Edit):

   • Ensure Unique User Identifier is mapped to user.userprincipalname or user.mail.

8. Send to Unthread:

   • Under SAML Certificates, find Federation Metadata XML.

   • Click Download. Send us this file.

📨 Final Step: Sending Information

Once you have completed the setup in your provider, please securely send the required credentials (Client IDs/Secrets for OIDC, or Metadata XML for SAML) to your Unthread representative or support team.

We will enable the SSO connection on your account and notify you when it is ready for testing.