# Single Sign-On

> Configure SSO for your mogenius organization using Microsoft Entra ID or GitLab

mogenius supports Single Sign-On (SSO) through OpenID Connect (OIDC), allowing team members to authenticate using their existing identity provider accounts. Once configured, your organization receives a unique login page that can be shared with your team.

## Supported Providers

* **Microsoft Entra ID** (formerly Azure Active Directory)
* **GitLab** (including self-hosted instances)

## Microsoft Entra ID

### Prerequisites

* An existing organization using [Microsoft Entra](https://www.microsoft.com/de-de/security/business/microsoft-entra)
* A mogenius organization with administrative permissions. Don't have one yet? Create one [here](https://app.mogenius.com)

### Step 1: Get the Redirect URI from mogenius

1. In your mogenius organization, go to **Settings**.
2. In the **Single sign-on** section, click **Configure**.
3. Copy the **Redirect URI** displayed at the top of the form — you will need this for your Entra app registration.

### Step 2: Create an Entra App Registration

1. Go to [entra.microsoft.com](https://entra.microsoft.com) and sign in with your Microsoft account.
2. Navigate to **Applications > App registrations**.
3. Click **New registration** and fill in the details:
   * **Name**: A recognizable internal name for the app.
   * **Supported account types**: Select *Accounts in this organizational directory only (Single tenant)*.
   * **Redirect URI**: Select "Web" and paste the Redirect URI you copied from mogenius.
4. Click **Register** to create the app.

### Step 3: Create a Client Secret

1. In the overview of your newly registered app, go to **Certificates & secrets > Client secrets**.
2. Click **New client secret** and note the generated value.
3. **Save this value securely** (e.g., in a vault) — you will not be able to view it again later.

### Step 4: Connect Your Entra App with mogenius

1. Back in mogenius, enter the following details from your Entra app:
   * **Client ID** — Found in the app overview as "Application (client) ID"
   * **Tenant ID** — Found in the app overview as "Directory (tenant) ID"
   * **Client Secret** — The value you saved in the previous step
2. Click **Connect** to complete the setup.

### Step 5: Share the Login URL

Your SSO configuration is complete. mogenius displays a **Login URL** for your organization. Share this URL with your team — users who sign in via this link will automatically be added to your mogenius organization.

<Note>
  Removing a user from your Entra organization will also deactivate their access in mogenius automatically.
</Note>

## GitLab

You can use GitLab as an SSO provider for your mogenius organization, including self-hosted GitLab instances.

### Prerequisites

* A GitLab account with permissions to create OIDC applications (at group, user, or instance level)
* A mogenius organization with administrative permissions

<Note>
  For self-hosted GitLab, make sure your instance is reachable on a public HTTPS hostname. mogenius requires discovery URLs that are publicly accessible.
</Note>

### Step 1: Get the Redirect URI from mogenius

1. In your mogenius organization, go to **Settings**.
2. In the **Single sign-on** section, click **Configure** and select **GitLab**.
3. Copy the **Redirect URI** displayed at the top of the form.

### Step 2: Create an OIDC Application in GitLab

1. In GitLab, navigate to your group, user settings, or admin area (depending on where you want to register the app).
2. Go to **Applications** and click **New application**.
3. Fill in the details:
   * **Name**: A recognizable name (e.g., "mogenius SSO")
   * **Redirect URI**: Paste the Redirect URI from mogenius
   * **Confidential**: Enabled
   * **Scopes**: Select `openid`, `email`, and `profile`
4. Click **Save application**.
5. Note the **Application ID** and **Secret** — you will need these for mogenius.

### Step 3: Connect GitLab with mogenius

1. Back in mogenius, enter the following details:
   * **Application ID** — From your GitLab application
   * **Client Secret** — From your GitLab application
   * **Self-hosted**: If using a self-hosted GitLab instance, enable the toggle and enter your GitLab base URL (HTTPS only)
2. Click **Connect** to complete the setup.

### Step 4: Share the Login URL

Your SSO configuration is complete. Share the **Login URL** displayed in mogenius with your team.

## Troubleshooting

**Redirect URI mismatch error**
Ensure the Redirect URI in your identity provider exactly matches the one shown in mogenius, including the protocol (`https://`) and trailing path.

**Discovery failures (self-hosted GitLab)**
Verify that your GitLab instance is reachable from the internet and that `<base-url>/.well-known/openid-configuration` returns a valid JSON document. Self-hosted instances behind a VPN or on a private IP cannot be used.

**Missing email in user profile**
Ensure the `email` scope is included in your OIDC application configuration and that users have a verified email address in their identity provider.
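
A check for the discovery and missing-email cases above, as an added example that is not mogenius or GitLab code: it validates a discovery response against the fields OpenID Connect Discovery 1.0 marks as required and against the scopes selected in Step 2. The function name `check_discovery`, the host `gitlab.example.com` and the sample body are constructed for illustration.

```python
import ipaddress
import json
from urllib.parse import urlsplit

# Fields that OpenID Connect Discovery 1.0 marks as REQUIRED.
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri",
            "response_types_supported", "subject_types_supported",
            "id_token_signing_alg_values_supported")

def check_discovery(base_url, body):
    """Return a list of problems for a base URL and its discovery response body."""
    problems = []
    parts = urlsplit(base_url)
    if parts.scheme != "https":
        problems.append("base URL must use https://")
    try:
        if not ipaddress.ip_address(parts.hostname or "").is_global:
            problems.append("base URL is a non-public IP address")
    except ValueError:
        pass  # a DNS name: resolve it separately to confirm it is public
    try:
        doc = json.loads(body)
    except ValueError:
        return problems + ["response is not valid JSON (often an HTML error page)"]
    if not isinstance(doc, dict):
        return problems + ["response is JSON but not an object"]
    problems += [f"missing required field: {f}" for f in REQUIRED if f not in doc]
    # The issuer must equal the URL the document was discovered under.
    if doc.get("issuer") != base_url.rstrip("/"):
        problems.append(f"issuer {doc.get('issuer')!r} does not match base URL")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if key in doc and urlsplit(str(doc[key])).scheme != "https":
            problems.append(f"{key} is not served over https")
    # Scopes this page tells you to select for the GitLab application.
    missing = {"openid", "email", "profile"} - set(doc.get("scopes_supported", []))
    if missing:
        problems.append(f"scopes not advertised: {sorted(missing)}")
    return problems

# Constructed sample: issuer published as http:// and no "email" scope.
SAMPLE_BASE = "https://gitlab.example.com"
SAMPLE_BODY = json.dumps({
    "issuer": "http://gitlab.example.com",
    "authorization_endpoint": SAMPLE_BASE + "/oauth/authorize",
    "token_endpoint": SAMPLE_BASE + "/oauth/token",
    "jwks_uri": SAMPLE_BASE + "/oauth/discovery/keys",
    "response_types_supported": ["code"], "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
    "scopes_supported": ["openid", "profile"],
})
```

To check a live instance, pass the body fetched from `<base-url>/.well-known/openid-configuration` as `body`; `check_discovery(SAMPLE_BASE, SAMPLE_BODY)` shows the output for the constructed sample.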
