Configure the End User Portal for SSO
Table of Contents
This document explains what Portal Single Sign-On (SSO) is, how to configure it, and what to expect from related settings and system behavior. OIDC SSO is one of several ways End Users can sign into the End User Portal without a separate portal password, alongside the built-in Microsoft and Google sign-in options via public OAuth, covered later in this document. End Users still authenticate through their organization's identity provider, Microsoft, or Google; they just don't need a Portal User password to do it.
SSO in the End User Portal facilitates:
- Seamless invoice payment: An office manager can click an invoice link and land in the portal, already authenticated via their Microsoft 365 session. No password prompt, no MFA step. Faster payment, less friction.
- Frictionless new hire onboarding: A new employee can receive a portal invite and get in using their company credentials on day one. No "set a new password" step, no separate MFA enrollment.
- Secure remote access: A remote worker can access their office PC through the portal. Their company's IdP verifies their identity, satisfying security requirements without any extra Syncro-specific steps.
About SSO for the End User Portal
Single Sign-On (SSO) connects an Organization's OIDC-compliant identity provider (IdP) such as Microsoft Entra ID or Google to the Syncro End User Portal. End Users log in with their existing work credentials. No separate Portal User password is required. Portal SSO is available on all Syncro subscription tiers.
When SSO is enabled, both SSO and standard email/password login appear on the portal login page simultaneously. Some users in an Organization can authenticate via SSO while others use a password, which is useful for Organizations that work with outside contractors who aren't in the primary company directory.

If SSO is disabled after being active, the portal falls back to standard email/password login. Users who have never set a Portal User password can use the “Forgot Password” flow to create one.
For step-by-step instructions, see Configure the End User Portal for SSO.
About the End User Portal Section
The End User Portal section on the Organization Details Page contains a link to the End User Portal, two toggles, and a “Configure SSO” link. Both toggles apply changes immediately when clicked, with no additional save step. This is different from the Identity Provider Configuration pop-up window, which only applies changes when the form is explicitly saved.
The "Enable SSO" Toggle
The "Enable SSO" toggle turns portal SSO on or off. Its behavior depends on the state of the Organization.
- If the New End User Portal is NOT enabled for the Organization, clicking the toggle opens an Enable New End User Portal window from which you can Enable, Learn More, or Cancel. The Enable button is hidden if you do not have permission to enable the New Portal.
- If the New End User Portal is enabled but no complete SSO configuration has been saved, clicking the toggle opens the Identity Provider Configuration pop-up window.
- If the New End User Portal is enabled and a complete SSO configuration has been saved, clicking the toggle turns SSO on or off immediately.
The "Let SSO Logins Bypass MFA" Toggle
The "Let SSO logins bypass MFA" toggle controls whether SSO-authenticated users are prompted for MFA. When enabled, an SSO login counts as a multi-factor authentication event. This means users can also launch Remote Access (Splashtop) sessions without an additional MFA prompt.
How "Enable SSO" Affects Related Settings
When "Enable SSO" is turned on, whether via the checkbox in the Identity Provider Configuration pop-up window or the toggle on the Organization Details page, the "Let SSO logins bypass MFA" toggle becomes enabled and is set to on.
When "Enable SSO" is turned off, the toggle becomes disabled and cannot be changed independently until SSO is re-enabled.
About the “Enable SSO” Checkbox in the Identity Provider Configuration Pop-Up Window
The Identity Provider Configuration pop-up window contains an “Enable SSO” checkbox. This checkbox controls the same setting as the “Enable SSO” toggle on the Organization Details page. It reflects whether SSO is currently active.
While any required field is empty, the checkbox is disabled and unchecked, even if SSO was previously enabled. Once all required fields are populated, the checkbox becomes available.
Public OAuth: Sign In with Microsoft & Google
Sign in with Microsoft and Sign in with Google are built-in login options on the End User Portal. They use Syncro-owned OAuth clients, so you don't need to configure anything per Organization. This is the key difference from OIDC SSO, which requires you to configure a connection for each Organization individually.
You control public OAuth with the Enable Portal Login via OAuth setting under Admin > Customers - Preferences. See End User Portal Settings for defaulting behavior and how to turn it off.
The Microsoft and Google sign-in buttons appear on the login page alongside email and password and magic link options. If you have OIDC SSO configured and enabled for an Organization, the Microsoft and Google buttons are suppressed for that Organization's login page. OIDC takes precedence and you cannot override this.

When an end user signs in with Microsoft or Google, Syncro matches the email from the OAuth token to an existing Portal User record. If a match is found, the user is authenticated. If no match is found, the end user sees a message that no portal account was found and is directed to contact you. No Portal User is created, since auto-provisioning does not apply to public OAuth. See Auto-Provisioning for SSO for what auto-provisioning does cover.
MFA behaves differently by provider. For Google sign-in, Syncro checks the amr claim in the token, a standard field indicating which authentication methods the user completed. If it shows MFA was satisfied at the Google level, Syncro does not prompt for MFA again for that session. If the claim cannot be read or is absent, Syncro enforces its own MFA. For Microsoft sign-in, Syncro always enforces its own MFA regardless of your settings; the amr claim is not reliably available in Microsoft's tokens for this kind of sign-in.
Note: Public OAuth, OIDC SSO, and auto-provisioning all require the New End User Portal. None of them are available on the old portal.
Auto-Provisioning for SSO
Auto-provisioning lets a new End User log into the End User Portal via SSO for the first time and automatically get a Portal User account created for them. You don't need to create or enable that user in advance.
Auto-provisioning is currently available for OIDC SSO only; it is not available for public OAuth (Microsoft or Google sign-in). An End User who signs in via public OAuth with no existing Portal User account sees the no portal account found message and needs to be added manually.
Auto-provisioning only fires when all of the following are true:
- the End User authenticates successfully via OIDC SSO,
- no Portal User account already exists for that email in your account,
- a matching End User record exists for the Organization, and
- you have the auto-provisioning toggle enabled for that Organization.
The toggle defaults to OFF and is separate from the Enable SSO toggle; it lives in the SSO configuration for each Organization:

If any condition is not met, no account is created. If no matching End User and no Portal User exist, the end user sees a message that no portal account was found and is directed to contact you.
When auto-provisioning fires, Syncro creates a Portal User assigned to your system-wide default Portal Permission Group. You can view and manage this user afterward and update the group manually to grant elevated permissions. No new End User record is created.
Because Portal User records are scoped to your account rather than to an individual Organization, auto-provisioning through a second Organization's SSO can behave differently than expected if that End User already has a Portal User record. See Work with Portal Users & Permission Groups for how Portal User scoping works across Organizations.
Configure the End User Portal for SSO
Use this procedure to set up SSO for an Organization's End User Portal by entering IdP credentials and registering Syncro's URLs in your identity provider.
Prerequisites
The New End User Portal must be enabled for the Organization before you can configure SSO. If it isn't enabled, attempting to interact with the SSO controls will show an Enable New End User Portal window. Contact your administrator if the Enable button is not visible, as this means you do not have appropriate permissions. See Set Up Your Syncro Account for more information.
Steps
- In Syncro, navigate to Organizations > [Organization Name] > Organization Details and scroll to the End User Portal section:
- Click “Configure SSO” to open the Identity Provider Configuration pop-up window.
- Copy the Redirect URL and the Logout URL.(The Redirect URL may be called a Callback URL in IdP documentation.)
- In your IdP, register the Redirect URL and Logout URL.
- Retrieve your Client ID, Client Secret, and Discovery URL.
- Back in Syncro, enter the Client ID, Client Secret, and Discovery URL in the fields:

Note: Required fields must have values to enable SSO and to make the Save and Test button available. - (Optional) Check "Enable SSO" to activate SSO immediately. If you want to save your credentials without activating SSO yet, leave it unchecked. See About the “Enable SSO” Checkbox in the Identity Provider Configuration Pop-Up Window.
- Click Save Changes. To save and immediately run a validation test, click Save and Test instead.
Result
Values in the pop-up window are only sent to the backend when the form is saved. The “Enable SSO” toggle on the Organization Details Page will update to match the state of the checkbox (on or off). Closing the pop-up window without saving discards all changes. If SSO is enabled during the save, the "Let SSO logins bypass MFA" toggle becomes enabled and is set to on.
To verify your configuration is working, see Test Your SSO Configuration.
Test Your SSO Configuration
Save and Test saves your configuration and immediately runs a validation flow against your IdP. You do not need to check the "Enable SSO" box to run a test, which means you can verify your credentials are correct before activating SSO for end users.
Prerequisites
All required fields (Client ID, Client Secret, and Discovery URL) in the Identity Provider Configuration pop-up window must be populated. "Enable SSO" does not need to be checked.
Steps
- Navigate to Organizations > [Organization Name] > Organization Details, and scroll to the End User Portal section:
- Click “Configure SSO.”
- Complete or verify the credential fields in the Identity Provider Configuration pop-up window.
- Click Save and Test.
Result
- If validation is successful, the pop-up window closes and you are returned to the Organization Details page with a success alert.
- If validation fails, you are stopped inside the SSO flow and will need to correct your configuration before proceeding.
In some cases testing may not be feasible. If you don't have access to a user account already configured in the IdP with valid credentials, you can save and enable SSO, then verify by logging in as an end user.
System Messages for the Identity Provider Configuration Pop-Up Window
Here are the messages you may see after saving or closing the Identity Provider Configuration pop-up window:
- IDP configuration saved. This means the configuration saved successfully.
- IDP configuration saved with invalid Discovery URL. The configuration saved but the Discovery URL could not be validated. SSO may not function correctly until the Discovery URL is corrected. Verify the URL in your IdP before enabling SSO.
- IDP configuration could not be saved. The save failed. No changes were applied. Check your connection and try again.
- IDP configuration changes discarded. You may have closed the pop-up window without saving by clicking Cancel, pressing Esc, or clicking outside the pop-up window. No changes were applied. Reopening the pop-up window will show the last saved configuration.
MFA Label Changes When SSO Bypass Is Enabled
When "Let SSO logins bypass MFA" is enabled at the Organization level, the MFA label updates in two places.
- On the Organization Details page in the Portal Users section, the label reads "Require MFA for this User (except in SSO)."
- On the End User Details page in the End User Portal section, the label reads "Require MFA (except in SSO)."
When "Let SSO logins bypass MFA" is disabled, both labels revert to their standard wording. Even if MFA is required for a given user, that requirement does not apply when the user authenticates via SSO.
Note: The “Let SSO logins bypass MFA” toggle only affects OIDC SSO sessions. It does not control the separate, automatic MFA bypass that can occur for Google sign-in based on Google's own MFA signal. See Public OAuth: Sign In with Microsoft & Google for details.