ITCMWorkTracker

WorkTrackerFeatures › Per-company SSO

Your identity provider, your sign-in page

Every company connects its own OpenID Connect provider and gets a branded sign-in page — no directory syncing, no extra passwords, no customer lists.

Any OpenID Connect provider — configured by you, in the UI

Company admins add their identity provider under Users → Single sign-on: issuer, client id, client secret — done. Keycloak, Microsoft Entra ID, Nextcloud, Authentik, or any compliant OIDC provider. Several providers can live side by side, and the client secret is stored encrypted (AES-256-GCM).

A sign-in page that looks like yours

Each company gets its own sign-in link — /login/your-company — showing the company name and exactly its SSO buttons. Share the link with the team and sign-in is one click at your own identity provider.

The generic login page stays a plain email + password form: companies are deliberately never listed or enumerable, so customers never see each other.

Invite-gated, always

SSO never silently creates accounts. People join through invites; a successful SSO sign-in links to an existing account by verified email first, then by the provider identity — so a changed email address doesn’t lock anyone out, and an unknown identity gets a clear “ask your admin for an invite” instead of a ghost account.

Google sign-in out of the box

Alongside company OIDC, Google sign-in works out of the box (domain-restrictable), and password sign-in with reset-by-email is always available as a fallback.

Try WorkTracker free for 7 days

Connect your tools and see your whole workday collected and summarized. No card required.

Create your company