Passwords are a liability. Every standalone login your team creates is one more credential to leak, reuse, or forget. Wire OpenFrame up to the identity provider you already run — Google Workspace or Microsoft 365 — and your team signs in with the accounts they already have, with your existing MFA and offboarding in place.
Do this early. The sooner SSO is on, the fewer one-off passwords ever get created.
Before you start
- You need an Admin role in OpenFrame.
- Decide which path you want (both are covered below):
  - Shared SSO — the fast path. Let anyone on your email domain sign in through OpenFrame's shared Google/Microsoft apps. No OAuth app to create.
  - Your own OAuth app — the controlled path. You register OpenFrame in your own Google or Microsoft tenant and paste in the credentials. More setup, more control.
- For the OAuth-app path, you'll need access to your Google Cloud Console or Microsoft Entra (Azure AD) admin to create an app and copy a Client ID and Client Secret.
Where to find it
Left nav → Settings → SSO Configuration. You'll land on the SSO Configurations page, which has two parts: a shared-SSO banner at the top, and a provider table (Google SSO and Microsoft SSO) below.
Option A — Shared SSO (the fast path)
At the top of the page there's a panel: OpenFrame Google & Microsoft SSO. It lets any account on your email domain sign in through OpenFrame's shared Google or Microsoft providers — no OAuth app required on your end.
- Find the Auto-provision accounts from <yourdomain> checkbox on the right of that panel.
- Tick it. From now on, anyone with an email on your domain (e.g. @yourmsp.com) can sign in via Google or Microsoft, and OpenFrame creates their account automatically on first sign-in.
That's it. The trade-off: auto-provisioning means anyone on your domain can get in. If you want to control exactly who has access, use Option B instead (or leave auto-provision off and invite people manually — see Invite Your Team to OpenFrame).
Heads up: auto-provisioned users land with a default role. Review new accounts under Employees & Permissions so nobody sits with more access than they need.
Option B — Bring your own OAuth app (the controlled path)
This is the route most established MSPs want: OpenFrame authenticates against an app you own in Google or Microsoft, so you control the client, the secret, and which domains are allowed.
In the provider table, find Google SSO or Microsoft SSO and click Edit. The Edit SSO Configuration dialog has everything you need:
1. Copy the redirect URL into your IdP
At the top you'll see Authorized redirect URL for your SSO provider settings with a copy button. Copy it.
Over in your identity provider — Google Cloud Console (OAuth client) or Microsoft Entra (app registration) — create an OAuth app and paste this exact URL into its authorized redirect / callback field.
This is the #1 thing people get wrong. The callback URL has to match exactly. One trailing slash off and sign-in fails with an opaque error. Copy-paste it; don't type it.
2. Paste in your credentials
Back in OpenFrame, fill in:
- OAuth Client ID — from the app you just created
- Client Secret — also from that app (use the eye icon to confirm you pasted it correctly)
Enter these yourself — they're sensitive, so don't share your screen while you do it, and never hand a Client Secret to anyone who doesn't need it.
3. Set your domain allowlist
On the right, under Domain Allowlist, you can turn on Auto-provision accounts from domain — automatically create accounts for people signing in through this provider. Leave it off if you'd rather invite people one by one and keep a tight guest list.
4. Save and enable
Click Save & Enable. The provider's Status flips from Inactive to Active, and its Configuration column shows Configured. Test it by signing in with an SSO account (an incognito window is the easy way).
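When the test sign-in fails, the redirect URL from step 1 is the first thing to check. The script below is an added example, not OpenFrame code: it compares the URL copied from the Edit SSO Configuration dialog with the one registered in the IdP and names the component that differs. The URL is a constructed placeholder and `redirect_mismatches` is a hypothetical helper name.

```python
from urllib.parse import urlsplit

# Constructed placeholder; use the URL copied from the Edit SSO Configuration dialog.
EXPECTED = "https://sso.example.com/oauth/callback"


def redirect_mismatches(expected: str, registered: str) -> list[str]:
    """Explain why `registered` is not an exact string match for `expected`."""
    if expected == registered:
        return []
    reasons = []
    if registered != registered.strip():
        reasons.append("leading/trailing whitespace")
    exp, reg = urlsplit(expected.strip()), urlsplit(registered.strip())
    if exp.scheme != reg.scheme:
        reasons.append(f"scheme is {reg.scheme!r}, expected {exp.scheme!r}")
    if exp.netloc != reg.netloc:
        if exp.netloc.lower() == reg.netloc.lower():
            reasons.append("host differs only in letter case")
        else:
            reasons.append(f"host/port is {reg.netloc!r}, expected {exp.netloc!r}")
    if exp.path != reg.path:
        if exp.path.rstrip("/") == reg.path.rstrip("/"):
            reasons.append("trailing slash on path")
        elif exp.path.lower() == reg.path.lower():
            reasons.append("path differs only in letter case")
        else:
            reasons.append(f"path is {reg.path!r}, expected {exp.path!r}")
    if exp.query != reg.query:
        reasons.append("query string differs")
    if exp.fragment != reg.fragment:
        reasons.append("fragment differs")
    return reasons or ["differs in a way this check does not classify"]


if __name__ == "__main__":
    # Constructed samples of what might end up in the IdP's redirect field.
    for candidate in (EXPECTED, EXPECTED + "/", EXPECTED + " ",
                      "http://sso.example.com/oauth/callback",
                      "https://SSO.example.com/oauth/callback"):
        problems = redirect_mismatches(EXPECTED, candidate)
        print(repr(candidate), "->", "exact match" if not problems else "; ".join(problems))
```

An empty result means the two strings are identical; anything else is the edit to make in the IdP's redirect field, not in OpenFrame.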
Reading the provider table
Each row tells you the state at a glance:
- Status — Active means people can log in with it right now; Inactive means it's off.
- Allowed Domains — which email domains this provider accepts (None until you set one).
- Configuration — Configured means credentials are saved; Not configured means it's still empty.
You can run Google and Microsoft side by side — handy if part of your team is on Workspace and part on 365.
Quick checklist
- Decided between shared SSO and your own OAuth app
- (Shared) Enabled auto-provision for your domain, or
- (Own app) Pasted the redirect URL into your IdP exactly, added Client ID + Secret, set the allowlist, hit Save & Enable
- Confirmed the provider shows Active
- Test-signed-in with an SSO account in a fresh browser session
- Reviewed auto-provisioned accounts under Employees & Permissions
What's next
With SSO live, bring your team on board — head to Invite Your Team to OpenFrame to add people and set their roles. Then you're done with Phase 1 and ready to start deploying devices.
Based on OpenFrame v0.9.19. Screens and defaults may shift between releases — when in doubt, what's in your console wins.
