How it works
When SSO is configured, the sign-in page redirects to your IdP. Passport exchanges the authorization code for tokens, then validates the ID token cryptographically: the signature against your IdP’s JWKS, plus the issuer, audience, and a per-attempt nonce. The email address is taken from the verified token (falling back to the userinfo endpoint only if the token omits it), and it must be a verified email. This is what proves your IdP actually vouched for the identity rather than trusting an unsigned response.Passport does not hard-fail when the IdP omits the
email_verified claim entirely (Microsoft Entra and some Okta or Google configurations do). Because your admin configured that exact issuer and the ID token is already cryptographically validated, an absent claim is trusted. An explicit email_verified: false is still rejected.What you need
Issuer URL
Your IdP’s issuer, for example
https://your-org.okta.com. Passport reads its discovery document at /.well-known/openid-configuration.Client ID and secret
From a web application (confidential client) you register in your IdP.
Redirect URI
https://<your-passport-host>/auth/callbackopenid email profile.
Configure SSO in Passport
Register an application in your IdP
Create a web application (confidential client) with the redirect URI
https://<your-passport-host>/auth/callback. Note the client ID and client secret.Enter the details in Settings
In Passport, open Settings and set the issuer URL, client ID, and client secret. The secret is encrypted at rest. Save.
When a workspace uses its own configured IdP, the IdP vouching for a person is treated as proof they belong to the company, so they auto-join. If the workspace has no admin yet, the first person to sign in through its own IdP becomes the admin.
Okta walkthrough
Create the app integration
In the Okta Admin Console, go to Applications, then Create App Integration. Choose OIDC - OpenID Connect and Web Application.
Copy the credentials
From the app’s General tab, copy the Client ID and Client secret. Your issuer is your Okta org URL, for example
https://your-org.okta.com.Microsoft Entra ID walkthrough
Register an application
In the Microsoft Entra admin center, go to App registrations, then New registration.
Create a client secret
Under Certificates and secrets, create a new client secret and copy its value.
Find your issuer
Your issuer is
https://login.microsoftonline.com/<tenant-id>/v2.0. Use the tenant ID from the app’s Overview page.Entra typically omits
email_verified. Passport handles this correctly, as described above, so Entra sign-in works without extra configuration.