Single sign-on (SSO) is available on Business and Enterprise plans and enables secure, centralized authentication across your organization. With SSO, users can access Lovable with one set of credentials, simplifying access management and improving security.
Service provider (SP)-initiated sign-in only: users must start sign-in from Lovable (SP). Identity provider (IdP)-initiated SSO (starting from an IdP dashboard tile) is not supported.

Supported SSO protocols

Lovable supports both OIDC and SAML 2.0 protocols, enabling integration with all major identity providers (IdP) including Okta, Auth0, Microsoft Entra ID (Azure AD), and more.
  • OpenID Connect (OIDC): recommended; a modern identity layer built on top of OAuth 2.0 that provides identity verification.
  • SAML (Security Assertion Markup Language) 2.0: XML-based protocol for exchanging authentication and authorization data, widely used in enterprise environments.

Prerequisites

To connect your identity provider to Lovable using OIDC or SAML, you need:
  • IdP admin access (Okta, Auth0, Microsoft Entra ID, or any other provider you’re using)
  • Lovable workspace owner or admin role
  • A verified domain in Lovable

Start SSO setup in Lovable

SSO configuration is a two-way setup between Lovable and your identity provider:
  • Lovable → IdP: copy Lovable URLs and settings into your IdP app.
  • IdP → Lovable: copy your IdP’s issuer, metadata, and certificates back into Lovable.
The workspace owner or admin can set up SSO. To start, go to Settings → Workspace → Identity → Add SSO provider, then choose OIDC or SAML.

IdP configuration reference

When you start the SSO provider setup in Lovable, you see:
  • What to configure in your IdP (for example, app type, scopes, and attribute mappings)
  • Lovable URLs and identifiers you may need to enter in the IdP.
Use the reference below while configuring OIDC or SAML in your IdP.
  • Application type: Web Application
  • Grant type: Authorization Code
  • Token method: POST (if configurable)
  • Redirect URI to copy and add to your IdP: https://auth.lovable.dev/__/auth/handler
  • OAuth scopes:
    • Required: openid, email
    • Recommended: profile

Provider-specific setup guides

If you use Okta, Auth0, or Microsoft Entra, you can find provider-specific documentation for setting up SSO. If you use another provider, see Configure other providers. Before you begin, complete Start SSO setup in Lovable to get the settings and values you need to use in your IdP.

Configure Okta as your SSO provider

1. Create an application in Okta Admin Console

  • Under Applications, click Create App Integration and select OIDC. Then select the Web Application application type.
  • Give the app a name, for example Lovable OIDC SSO.
2. Configure OIDC integration

  • Set Grant type to Authorization Code
  • Remove the default redirect URIs.
  • Add the Lovable redirect URL to Okta Sign-in redirect URIs: https://auth.lovable.dev/__/auth/handler
  • Select Assignments: assign the application to your users/groups who should access Lovable.
3. Save application

Click Save. Your application is now created in Okta.
4. Configure Okta Issuer URL

In Okta, go to Sign On → OpenID Connect ID Token, select Okta URL from the Issuer dropdown, and Save.
5. Provide Lovable with your IdP information

In Okta, copy the following value from the Sign On tab and enter it in Lovable.
  • Okta Issuer URL → Lovable OIDC Issuer URL/Discovery Endpoint
In Okta, copy the following values from the General tab and enter them in Lovable.
  • Okta Client ID → Lovable OAuth Client ID/Application ID
  • Okta Client Secret → Lovable OAuth Client Secret
6. (Optional) Test the configuration in Lovable

In Lovable, click Test configuration. If everything is configured correctly, the validation should be successful.
7. Finish OIDC provider configuration in Lovable

In Lovable, click Configure provider to finish the configuration of Okta as your OIDC SSO provider.

Configure Auth0 as your SSO provider

1. Create an application in Auth0 Admin Dashboard

  • Under Applications, click Create application. Select the Regular Web Applications application type.
  • Give the app a name, for example Lovable OIDC SSO.
  • Click Create.
2. Configure Allowed Callback URLs

In Auth0, navigate to your application settings, add https://auth.lovable.dev/__/auth/handler to Allowed Callback URLs, and click Save.
3. Provide Lovable with your IdP information

In Auth0, copy the following values from the Settings tab and enter them in Lovable.
  • Auth0 Domain → Lovable OIDC Issuer URL/Discovery Endpoint (include https://)
  • Auth0 Client ID → Lovable OAuth Client ID/Application ID
  • Auth0 Client Secret → Lovable OAuth Client Secret
4. (Optional) Test configuration in Lovable

In Lovable, click Test configuration. If you configured everything accurately, the validation should be successful.
5. Finish OIDC provider configuration in Lovable

In Lovable, click Configure provider to finish the configuration of Auth0 as your OIDC SSO provider.

Configure Microsoft Entra ID as your SSO provider

1. Create an enterprise app in Microsoft Entra admin center

  • Under Enterprise applications, select New application.
  • Select Create your own application and choose Integrate any other application you don’t find in the gallery (Non-gallery).
  • Give the app a name, for example Lovable SAML SSO.
  • Click Create. Your application is now created.
2. Configure SAML SSO

In Microsoft Entra, navigate to the Single sign-on setup page and select SAML. Under Basic SAML Configuration, enter the following:
  • Identifier (Entity ID): https://auth.lovable.dev/__/auth/handler
  • Reply URL (Assertion Consumer Service URL): https://auth.lovable.dev/__/auth/handler
Leave the other values blank and select Save.
3. Provide Lovable with your IdP information

When the application is set up, copy the following values and enter them in Lovable.
  • Microsoft Entra Login URL → Lovable SAML SSO Sign-on URL from your IdP
  • Microsoft Entra Microsoft Entra Identifier → Lovable Identity Provider Entity ID / Issuer
  • Microsoft Entra X509Certificate → Lovable X.509 Signing Certificate (public key)
    You can download the certificate (Base 64) or open the App Federation Metadata URL in a new tab and copy the X509Certificate value. Paste the certificate value between the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.
4. Finish SAML provider configuration in Lovable

In Lovable, click Configure SAML Provider → Confirm & Enable SSO to finish the configuration of Microsoft Entra ID as your SAML SSO provider.

Configure other providers

You can configure any OIDC or SAML-compliant provider with Lovable SSO. Before you begin, complete Start SSO setup in Lovable to get the settings and values you need to use in your IdP.
Provider mapping
Common field names across providers:
  • Redirect URI: Callback URL, Sign-in redirect URI
  • Issuer/Domain: Issuer URL, Authority, Okta domain, Auth0 domain, Tenant domain
  • Client credentials: Client ID and Client Secret
Steps
1. Create an OIDC confidential app

Create a new OIDC Web application in your identity provider.
2. Configure redirect URI

In Redirect/Callback URLs, add https://auth.lovable.dev/__/auth/handler
3. Enable required scopes

Ensure openid and email scopes are enabled and consented if needed.
4. Provide Lovable with your IdP information

In your IdP, copy the following values and enter them in Lovable:
  • Domain or Issuer URL → Lovable OIDC Issuer URL/Discovery Endpoint
  • Client ID → Lovable OAuth Client ID/Application ID
  • Client Secret → Lovable OAuth Client Secret

Troubleshooting

Ensure the redirect/callback URL exactly matches https://auth.lovable.dev/__/auth/handler in your IdP.
Use the provider’s OIDC Issuer URL (not just the domain).
  • For Okta, copy from the Sign On tab.
  • For Auth0, use your tenant domain.
Grant the email scope and ensure the user account has a primary email.
Use Authorization Code with a confidential client and client secret. Avoid implicit or PKCE-only app types.
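
The checks from the steps and troubleshooting notes above can be run against an IdP's OIDC discovery metadata before entering values in Lovable. This is an added example, not part of Lovable's documentation or code; the function names, the `idp.example.com` issuer and the sample metadata are constructed for illustration, and ignoring a trailing slash when comparing issuers is an assumption of this example.

```python
from urllib.parse import urlsplit

# Values taken from this page.
LOVABLE_REDIRECT_URI = "https://auth.lovable.dev/__/auth/handler"
REQUIRED_SCOPES = {"openid", "email"}

def discovery_url(issuer):
    """OIDC Discovery: metadata is served under the issuer at a well-known path."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"

def preflight(issuer, metadata, registered_redirect_uris):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    parts = urlsplit(issuer)
    if parts.scheme != "https" or not parts.netloc:
        problems.append("issuer must be a full https:// URL, not a bare domain")
    # The issuer published in the metadata must be the one you configure
    # (trailing slash ignored here: an assumption of this example).
    if str(metadata.get("issuer", "")).rstrip("/") != issuer.rstrip("/"):
        problems.append(f"issuer mismatch: metadata says {metadata.get('issuer')!r}")
    if "code" not in metadata.get("response_types_supported", []):
        problems.append("IdP does not advertise response_type 'code'")
    # grant_types_supported is optional; the spec default includes authorization_code.
    grants = metadata.get("grant_types_supported", ["authorization_code", "implicit"])
    if "authorization_code" not in grants:
        problems.append("Authorization Code grant is not enabled")
    # scopes_supported is optional, so only check it when the IdP publishes it.
    scopes = metadata.get("scopes_supported")
    missing = REQUIRED_SCOPES - set(scopes) if scopes is not None else set()
    if missing:
        problems.append("missing scopes: " + ", ".join(sorted(missing)))
    # Redirect URIs are compared as exact strings: no trailing slash, no case folding.
    if LOVABLE_REDIRECT_URI not in registered_redirect_uris:
        problems.append("Lovable redirect URI is not registered exactly")
    return problems

# Constructed sample metadata for a hypothetical IdP (not a real tenant).
SAMPLE_ISSUER = "https://idp.example.com/oauth2/default"
SAMPLE_METADATA = {
    "issuer": "https://idp.example.com/oauth2/default",
    "response_types_supported": ["code", "id_token"],
    "grant_types_supported": ["authorization_code", "refresh_token"],
    "scopes_supported": ["openid", "profile", "email"],
}

if __name__ == "__main__":
    print(discovery_url(SAMPLE_ISSUER))
    print(preflight(SAMPLE_ISSUER, SAMPLE_METADATA, [LOVABLE_REDIRECT_URI]))
```

To use it on a real tenant, fetch the JSON at `discovery_url(issuer)` and pass it in as `metadata`, together with the redirect URIs registered on the IdP application.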

FAQ

If you created your account using another login method (like email/password, Google, or GitHub), you need to log in that way first. Once you’re logged in, navigate to Settings → Your account → Link SSO. This will link your existing account to your company SSO.
Important: If you attempt to log in with SSO before linking your existing account, you’ll see an error. This is a security measure to prevent unauthorized access. Log in using your original method first to complete the linking process.
Lovable supports the industry-standard OIDC and SAML protocols, so you can integrate with any SSO provider that supports them.
No. A workspace can have one active SSO provider configured at a time.
Yes. The workspace owner or admin can enable Enforce SSO in Settings → Workspace → Identity and choose the session duration to configure how long users stay signed in before requiring re-authentication (24 hours, 48 hours, or 7 days). This requires all workspace members to use SSO for authentication. External collaborators and invite links will be disabled.
No. IdP-initiated SSO (starting from an IdP dashboard tile) is not supported. Lovable supports SP-initiated sign-in only. Users must start sign-in from Lovable.
Lovable supports JIT (just-in-time) provisioning: user accounts are created automatically the first time someone signs in via SSO, and they’re added to your company workspace. You can also set a default role for JIT-created users (admin, editor, or viewer) that will be applied when they join via SSO for the first time.
Your tenant ID is the {tenantId} value used in your SSO login URL:
https://lovable.dev/sso-login/{tenantId}. It matches the SSO login identifier you configured when setting up your SSO provider in Lovable.
You can also find it in Settings → Workspace → Identity after you have configured your provider.