Single sign-on


SSO Authentication is only available for Enterprise plans. Please reach out to [email protected] if you're interested in upgrading.

Castle allows your users to sign in through your Identity Provider.


In order to set up SSO to Castle, you must have an Identity Provider that supports OpenID. Most popular IdPs, including Okta, supports this standard. Connect configurations and you must be an admin for your organization in the Castle dashboard.


  1. Sign in to Castle .
  2. Click on your email address at the top right of the screen.
  3. Select Team from the dropdown menu.
  4. Click on Authentication in the sub navigation menu at the top of the screen.
  5. Turn on SSO Enabled.
  6. Enter your Client ID, Client Secret, and Identity Provider URL into the form. These fields are all provided by your Identity Provider.
  7. The following fields in the form depend on what you set the Auto Create Users value to. When Auto Create Users is true , users in your Identity Provider will automatically be provisioned a Castle account when signing in through SSO. When Auto Create Users is false , a user from your Identity Provider can only sign in through SSO if they already have an existing Castle account (a new team member can be invited from the Team page if that particular user has no Castle account).
    1. If you decide to have Auto Create Users set to false , you can leave the Default User Role and Email Domains fields as is and click Save as these two fields will not be used.
    2. If you have Auto Create Users set to true, you must select whether you want the Default User Role for newly provisioned castle users to be an Admin role or a User role. Then enter the email domains that your users will be signing in with from your Identity Provider. If you have multiple email domains, separate each domain with a comma.
  8. After saving the SSO configuration, your redirect URL will appear on the right, in the format of<id>. Copy this redirect URL and paste this into your Identity Provider settings for the Sign In Redirect URL value. The Sign Out Redirect URL value can be set to in your Identity Provider.
  9. Now users for your organization will be able to sign in to Castle through your Identity Provider.
  10. Sign in with SSO or click on the Sign in with SSO link on the main login page.


Password access while SSO is enabled

Password access while SSO is enabled is automatically granted to those that edit the SSO configuration. If you need to disable password access while SSO is enabled, an admin in your organization needs to disable this here. You will not be able to edit your own user settings, so a different user with the admin role in your organization will need to disable your password access.