Single Sign-On (SSO)

Table of Contents

  • Overview

  • How SSO login works

  • Prerequisites

  • Supported identity providers

  • What you'll exchange with Ghost Inspector

  • Setting up SSO

  • Enabling SSO for your organization

  • Managing members

  • Disabling SSO

  • Troubleshooting

  • Related

Overview

Single sign-on (SSO) lets your team access Ghost Inspector using the same identity provider (IdP) they already use for the rest of your tools — such as Okta, Microsoft Entra ID (Azure AD), or Google Workspace. Instead of maintaining a separate Ghost Inspector password, members authenticate through your IdP, and access is governed by the groups and policies you already manage there.

SSO is available on enterprise plans. Once it is enabled for your organization, members who belong to your verified email domains are signed in through your IdP, and new members are created automatically the first time they log in.

SSO is configured at the organization level and applies to everyone who logs in with an email address on one of your verified domains. To enable it, contact your Ghost Inspector account representative or support.

How SSO login works

Ghost Inspector uses an email-first (identifier-first) login flow:

  1. A member goes to the Ghost Inspector login page and enters their work email address.
  2. If the email's domain is associated with an organization that has SSO enabled, Ghost Inspector redirects the member to your identity provider.
  3. The member authenticates with your IdP (including any multi-factor authentication you require).
  4. Your IdP returns the member to Ghost Inspector, signed in.

Because the domain determines the destination, members never need to pick a "company" or remember a special URL — they simply enter their email and continue.

Ghost Inspector email-first login

Prerequisites

Before you set up SSO, make sure you have:

  • An enterprise plan with SSO enabled for your organization (contact your account representative).
  • Administrator access to your identity provider (Okta, Microsoft Entra ID, Google Workspace, or any SAML 2.0 IdP).
  • One or more email domains that your members use (for example, yourcompany.com). These domains must be verified before SSO can be activated.
  • The list of users or groups in your IdP that should have access to Ghost Inspector.

Supported identity providers

Ghost Inspector supports any identity provider that speaks SAML 2.0, including:

  • Okta
  • Microsoft Entra ID (formerly Azure Active Directory)
  • Google Workspace
  • OneLogin, PingIdentity, JumpCloud, and other SAML-compatible providers

If your provider supports SAML 2.0, it will work with Ghost Inspector even if it is not named above.

What you'll exchange with Ghost Inspector

Setting up a SAML connection is a two-way exchange of metadata between your IdP and Ghost Inspector.

Ghost Inspector provides you with:

  • A Sign-in (ACS) URL — where your IdP sends the authentication response.
  • An Entity ID / Audience URI — the identifier your IdP uses for the Ghost Inspector application.

You provide Ghost Inspector with:

  • Your IdP's Sign-in URL (the SSO/SAML endpoint).
  • Your IdP's signing certificate (X.509).
  • Confirmation of the attributes your IdP will send (at minimum, the user's email address; name attributes are recommended).

Your account representative will share the exact values for your connection and collect your IdP details. The sections below describe how to gather those details in common providers.

Map your IdP's email attribute to the SAML NameID (or an email attribute) so it matches the address members use to log in. The email is how Ghost Inspector associates an SSO login with the right member.

Setting up SSO

The high-level process is the same for every provider:

  1. Create a new SAML application in your IdP.
  2. Enter the Sign-in (ACS) URL and Entity ID that Ghost Inspector provided.
  3. Configure the attribute mapping so the user's email is sent in the assertion.
  4. Assign the users or groups who should have access.
  5. Send your IdP's Sign-in URL and signing certificate back to Ghost Inspector.

Okta

  1. In the Okta Admin Console, go to Applications → Applications → Create App Integration.
  2. Choose SAML 2.0 and click Next.
  3. Give the app a name (for example, "Ghost Inspector") and continue.
  4. For Single sign-on URL, enter the Sign-in (ACS) URL from Ghost Inspector.
  5. For Audience URI (SP Entity ID), enter the Entity ID from Ghost Inspector.
  6. Under Attribute Statements, add an attribute that sends the user's email (for example, name email, value user.email).
  7. Finish the wizard, then open the Sign On tab and view the SAML setup instructions to copy your Identity Provider Sign-On URL and X.509 Certificate.
  8. Assign the appropriate people or groups under the Assignments tab.
  9. Send the Sign-On URL and certificate to Ghost Inspector.

Microsoft Entra ID (Azure AD)

  1. In the Microsoft Entra admin center, go to Enterprise applications → New application → Create your own application.
  2. Choose Integrate any other application you don't find in the gallery and create it.
  3. Open Single sign-on and select SAML.
  4. Under Basic SAML Configuration, set the Identifier (Entity ID) and Reply URL (ACS URL) to the values from Ghost Inspector.
  5. Under Attributes & Claims, confirm that the user's email address is sent (and map name claims if desired).
  6. In SAML Certificates, download the Certificate (Base64) and copy the Login URL from the setup section.
  7. Assign users and groups under Users and groups.
  8. Send the Login URL and certificate to Ghost Inspector.

Google Workspace

  1. In the Google Admin console, go to Apps → Web and mobile apps → Add app → Add custom SAML app.
  2. Name the app (for example, "Ghost Inspector") and continue.
  3. On the Google Identity Provider details screen, copy the SSO URL and download the Certificate.
  4. For ACS URL and Entity ID, enter the values from Ghost Inspector.
  5. Under Attribute mapping, map Primary email to an email attribute in the assertion.
  6. Turn the app ON for the organizational units or groups that should have access.
  7. Send the SSO URL and certificate to Ghost Inspector.

Enabling SSO for your organization

Once your connection has been built and tested with Ghost Inspector, SSO is activated for your organization. From that point on:

  • Members logging in with an email on a verified domain are redirected to your IdP automatically.
  • Just-in-time provisioning: the first time a member logs in through SSO, a Ghost Inspector account is created for them automatically and added to your organization — there is no need to invite them individually. (To provision and deprovision members in advance, see SCIM provisioning.)
  • For members who sign in through SSO, the personal email and password fields are managed by your identity provider and are hidden in Ghost Inspector account settings.
You can verify more than one email domain for a single organization. This is useful if your company uses multiple domains (for example, after an acquisition or rebrand). Members on any verified domain are routed to your IdP.

Managing members

With SSO enabled, your identity provider is the source of truth for who can access Ghost Inspector:

  • Granting access — assign a user to the Ghost Inspector application in your IdP. They can log in immediately, and their account is created on first login.
  • Removing access — unassign the user in your IdP. Organization administrators can also remove a member directly from the organization's Members page in Ghost Inspector.
  • API keys — for security, a member's personal API key is regenerated when their access changes. If you rely on a personal API key for automation, confirm it after any access change.

For automatic, real-time provisioning and deprovisioning driven by your IdP, use SCIM provisioning alongside SSO.

Disabling SSO

To disable SSO for your organization, contact your Ghost Inspector account representative or support. When SSO is disabled, members return to logging in with an email address and password and will need to set or reset a password to regain access.

Troubleshooting

  • "We couldn't sign you in" after the IdP redirect — confirm that the email attribute sent by your IdP matches the address the member is using to log in. A mismatch between the IdP email and the Ghost Inspector member email is the most common cause.
  • Member isn't redirected to the IdP — verify that the member's email domain is one of your organization's verified domains. Logins on unverified domains follow the standard email/password flow.
  • Certificate or signature errors — your IdP's signing certificate may have rotated. Send the updated certificate to Ghost Inspector so the connection can be refreshed.
  • New member can't be found — make sure the user is assigned to the Ghost Inspector application in your IdP. Unassigned users are not permitted to authenticate.

If problems persist, contact support with the approximate time of the failed login and the email address involved.