WorkTracker › Features › Per-company SSO
Your identity provider, your sign-in page
Every company connects its own OpenID Connect provider and gets a branded sign-in page — no directory syncing, no extra passwords, no customer lists.
Any OpenID Connect provider — configured by you, in the UI
Company admins add their identity provider under Users → Single sign-on: issuer, client id, client secret — done. Keycloak, Microsoft Entra ID, Nextcloud, Authentik, or any compliant OIDC provider. Several providers can live side by side, and the client secret is stored encrypted (AES-256-GCM).
A sign-in page that looks like yours
Each company gets its own sign-in link — /login/your-company — showing the company name and exactly its SSO buttons. Share the link with the team and sign-in is one click at your own identity provider.
The generic login page stays a plain email + password form: companies are deliberately never listed or enumerable, so customers never see each other.
Invite-gated, always
SSO never silently creates accounts. People join through invites; a successful SSO sign-in links to an existing account by verified email first, then by the provider identity — so a changed email address doesn’t lock anyone out, and an unknown identity gets a clear “ask your admin for an invite” instead of a ghost account.
Google sign-in out of the box
Alongside company OIDC, Google sign-in works out of the box (domain-restrictable), and password sign-in with reset-by-email is always available as a fallback.
Try WorkTracker free for 7 days
Connect your tools and see your whole workday collected and summarized. No card required.
Create your company