Set up single sign-on (SSO) - Lovable Documentation

Single sign-on (SSO) is available on Business and Enterprise plans and enables secure, centralized authentication across your organization. With SSO, users can access Lovable with one set of credentials, simplifying access management and improving security.

Service provider (SP)-initiated sign-in only: users must start sign-in from Lovable (SP).Identity provider (IdP)-initiated SSO (starting from an IdP dashboard tile) is not supported.

Supported SSO protocols

Lovable supports both OIDC and SAML 2.0 protocols, enabling integration with all major identity providers (IdP) including Okta, Auth0, Microsoft Entra ID (Azure AD), and more.

OpenID Connect (OIDC): recommended; a modern identity layer built on top of OAuth 2.0 that provides identity verification.
SAML (Security Assertion Markup Language) 2.0: XML-based protocol for exchanging authentication and authorization data, widely used in enterprise environments.

Prerequisites

To connect your identity provider to Lovable using OIDC or SAML, you need:

IdP admin access (Okta, Auth0, Microsoft Entra ID, or any other provider you’re using)
Lovable workspace owner or admin role
A verified domain in Lovable, to prove domain ownership
To verify your domain, add the TXT record displayed in the UI to your DNS provider. See Custom domains for more information.

Start SSO setup in Lovable

SSO configuration is a two-way setup between Lovable and your identity provider:

Lovable → IdP: copy Lovable URLs and settings into your IdP app.
IdP → Lovable: copy your IdP’s issuer, metadata, and certificates back into Lovable.

The workspace owner or admin can set up SSO. To start, go to Settings → Workspace → Identity → Add SSO provider, then choose OIDC or SAML.

IdP configuration reference

When you start the SSO provider setup in Lovable, you see:

What to configure in your IdP (for example, app type, scopes, and attribute mappings)
Lovable URLs and identifiers you may need to enter in the IdP.

Use the reference below while configuring OIDC or SAML in your IdP.

OIDC
SAML

Application type: Web Application
Grant type: Authorization Code
Token method: POST (if configurable)
Redirect URI to copy and add to your IdP: https://auth.lovable.dev/__/auth/handler
OAuth scopes:
- Required: openid, email
- Recommended: profile

ACS URL (Assertion Consumer Service): https://auth.lovable.dev/__/auth/handler
SP Entity ID / Audience URI: https://auth.lovable.dev/__/auth/handler
Attribute mappings:
- email (required): ensure the format is set to EmailAddress
- displayName (recommended): map to user’s full name
- photoURL (recommended): map to user’s profile picture URL

Provider-specific setup guides

If you use Okta, Auth0, or Microsoft Entra, you can find provider-specific documentation for setting up SSO. If you use another provider, see Configure other providers. Before you begin, complete Start SSO setup in Lovable to get the settings and values you need to use in your IdP.

Configure Okta as your SSO provider

OIDC
SAML

Create an application in Okta Admin Console

Under Applications, click Create App Integration and select OIDC. Then select the Web Application application type.
Give the app a name, for example Lovable OIDC SSO.

Configure OIDC integration

Set Grant type to Authorization Code
Remove the default redirect URIs.
Add the Lovable redirect URL to Okta Sign-in redirect URIs: https://auth.lovable.dev/__/auth/handler
Select Assignments: assign the application to your users/groups who should access Lovable.

Save application

Click Save. Your application is now created in Okta.

Configure Okta Issuer URL

In Okta, go to Sign On → OpenID Connect ID Token, select Okta URL from the Issuer dropdown, and Save.

Provide Lovable with your IdP information

In Okta, copy the following value from the Sign On tab and enter it in Lovable.

Okta Issuer URL → Lovable OIDC Issuer URL/Discovery Endpoint

In Okta, copy the following values from the General tab and enter them in Lovable.

Okta Client ID → Lovable OAuth Client ID/Application ID
Okta Client Secret → Lovable OAuth Client Secret

Configure display name and SSO login identifier (tenant ID)

In Lovable, update these values as desired. The values are prepopulated based on your verified domain.

Display name: The name shown to users during authentication.
SSO login identifier (tenant ID): The URL users will use to sign in directly with SSO.

(Optional) Test the configuration in Lovable

In Lovable, click Test configuration. If everything is configured correctly, the validation should be successful.

Finish OIDC provider configuration in Lovable

In Lovable, click Configure provider to finish the configuration of Okta as your OIDC SSO provider.

Create an application in Okta Admin Console

Under Applications, click Create App Integration and select SAML 2.0.
Give the app a name, for example Lovable SAML SSO.

Configure SAML settings

Single sign-on URL: https://auth.lovable.dev/__/auth/handler
Audience URI (SP Entity ID): https://auth.lovable.dev/__/auth/handler
Name ID format: EmailAddress

Save application

Click Finish. Your application is now created in Okta.

Provide Lovable with your IdP information

In Okta, go to Sign On → SAML 2.0 → Metadata details, and copy the Metadata URL.In Lovable, choose between quick SAML provider setup or manual configuration:Option 1: Quick setup - import from metadata URLIn Lovable, paste the metadata URL in Quick setup: Import from Metadata URL field. Click Test & Import to automatically populate the required fields below.Option 2: Manual configurationOpen the metadata URL in a new tab. Copy the following Metadata URL values and enter them in Lovable:

Okta SingleSignOnService Location → Lovable SAML SSO Sign-on URL from your IdP
Okta EntityID → Lovable Identity Provider Entity ID / Issuer
Okta X509Certificate → Lovable X.509 Signing Certificate (public key)
Paste the certificate value between the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.

Configure display name and SSO login identifier (tenant ID)

In Lovable, update these values as desired. The values are prepopulated based on your verified domain.

Display name: The name shown to users during authentication.
SSO login identifier (tenant ID): The URL users will use to sign in directly with SSO.

Finish SAML provider configuration in Lovable

In Lovable, click Configure SAML Provider → Confirm & Enable SSO to finish the configuration of Okta as your SAML SSO provider.

Configure Auth0 as your SSO provider

OIDC
SAML

Create an application in Auth0 Admin Dashboard

Under Applications, click Create application. Select the Regular Web Applications application type.
Give the app a name, for example Lovable OIDC SSO.
Click Create.

Configure Allowed Callback URLs

In Auth0, navigate to your application settings, add the Allowed Callback URLs: https://auth.lovable.dev/__/auth/handler, and click Save.

Provide Lovable with your IdP information

In Auth0, copy the following values from the Settings tab and enter them in Lovable.

Auth0 Domain → Lovable OIDC Issuer URL/Discovery Endpoint (include https://)
Auth0 Client ID → Lovable OAuth Client ID/Application ID
Auth0 Client Secret → Lovable OAuth Client Secret

Configure display name and SSO login identifier (tenant ID)

In Lovable, update these values as desired. The values are prepopulated based on your verified domain.

Display name: The name shown to users during authentication.
SSO login identifier (tenant ID): The URL users will use to sign in directly with SSO.

(Optional) Test configuration in Lovable

In Lovable, click Test configuration. If you configured everything accurately, the validation should be successful.

Finish OIDC provider configuration in Lovable

In Lovable, click Configure provider to finish the configuration of Auth0 as your OIDC SSO provider.

Create an application in Auth0 Admin Dashboard

Under Applications, click Create application. Select the Regular Web Applications application type.
Give the app a name, for example Lovable SAML SSO.
Click Create.

Configure Allowed Callback URLs

In Auth0, navigate to your application settings, add the Allowed Callback URLs: https://auth.lovable.dev/__/auth/handler, and click Save.

Configure SAML2 Web App Add-on

In Auth0, navigate to Addons, and enable SAML2 Web app.
In Addon: SAML2 Web app → Settings, set:
- Application Callback URL: https://auth.lovable.dev/__/auth/handler
- Settings: paste the following mappings JSON

    {
      "mappings": {
        "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
      },
      "nameIdentifierFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
    }

Click Enable.

Provide Lovable with your IdP information

In Lovable, choose between quick SAML provider setup or manual configuration:Option 1: Quick setup - import from metadata URL

In Auth0 → Addon: SAML2 Web app → Usage, locate the Identity Provider Metadata, and click the arrow icon to get the URL.
In Lovable, paste the metadata URL in Quick setup: Import from Metadata URL field.
Click Test & Import to automatically populate the required fields below.

Option 2: Manual configurationIn Auth0 → Addon: SAML2 Web app → Usage, copy the following SAML Protocol Configuration Parameter values and enter them in Lovable.

Auth0 Identity Provider Login URL → Lovable SAML SSO Sign-on URL from your IdP
Auth0 Issuer → Lovable Identity Provider Entity ID / Issuer
Auth0 Identity Provider Certificate (X509Certificate) → Lovable X.509 Signing Certificate (public key)
Download Auth0 certificate and copy the X509Certificate value. Paste the certificate value between the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.

Configure display name and SSO login identifier (tenant ID)

In Lovable, update these values as desired. The values are prepopulated based on your verified domain.

Display name: The name shown to users during authentication.
SSO login identifier (tenant ID): The URL users will use to sign in directly with SSO.

Finish SAML provider configuration in Lovable

In Lovable, click Configure SAML Provider → Confirm & Enable SSO to finish the configuration of Auth0 as your SAML SSO provider.

Configure Microsoft Entra ID as your SSO provider

SAML

Create an enterprise app in Microsoft Entra admin center

Under Enterprise applications, select New application.
Select Create your own application and choose Integrate any other application you don’t find in the gallery (Non-gallery).
Give the app a name, for example Lovable SAML SSO.
Click Create. Your application is now created.

Configure SAML SSO

In Microsoft Entra, navigate to the Single sign-on setup page and select SAML. Under Basic SAML Configuration, enter the following:

Identifier (Entity ID): https://auth.lovable.dev/__/auth/handler
Reply URL (Assertion Consumer Service URL): https://auth.lovable.dev/__/auth/handler

Leave the other values blank and select Save.

Provide Lovable with your IdP information

When the application is set up in Microsoft Entra, you can choose between quick SAML provider setup or manual configuration in Lovable.Option 1: Quick setup - import from metadata URL

In Microsoft Entra, go to SAML Certificates and copy the App Federation Metadata URL.
In Lovable, paste the App Federation Metadata URL in Quick setup: Import from Metadata URL field.
Click Test & Import to automatically populate the required fields below.

Option 2: Manual configurationCopy the following values in Microsoft Entra and enter them in Lovable.

Microsoft Entra Login URL → Lovable SAML SSO Sign-on URL from your IdP
Microsoft Entra Microsoft Entra Identifier → Lovable Identity Provider Entity ID / Issuer
Microsoft Entra X509Certificate → Lovable X.509 Signing Certificate (public key)
You can download the certificate (Base 64) or open the App Federation Metadata URL in a new tab and copy the X509Certificate value. Paste the certificate value between the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.

Configure display name and SSO login identifier (tenant ID)

In Lovable, update these values as desired. The values are prepopulated based on your verified domain.

Display name: The name shown to users during authentication.
SSO login identifier (tenant ID): The URL users will use to sign in directly with SSO.

Finish SAML provider configuration in Lovable

In Lovable, click Configure SAML Provider → Confirm & Enable SSO to finish the configuration of Microsoft Entra ID as your SAML SSO provider.

Configure other providers

You can configure any OIDC or SAML-compliant provider with Lovable SSO. Before you begin, complete Start SSO setup in Lovable to get the settings and values you need to use in your IdP.

OIDC
SAML

Provider mappingCommon field names across providers:

Redirect URI: Callback URL, Sign-in redirect URI
Issuer/Domain: Issuer URL, Authority, Okta domain, Auth0 domain, Tenant domain
Client credentials: Client ID and Client Secret

Steps

Create an OIDC confidential app

Create a new OIDC Web application in your identity provider.

Configure redirect URI

In Redirect/Callback URLs, add https://auth.lovable.dev/__/auth/handler

Enable required scopes

Ensure openid and email scopes are enabled and consented if needed.

Provide Lovable with your IdP information

In your IdP, locate the corresponding values and enter them in Lovable:

Domain or Issuer URL → Lovable OIDC Issuer URL/Discovery Endpoint
Client ID → Lovable OAuth Client ID/Application ID
Client Secret → Lovable OAuth Client Secret

Configure display name and SSO login identifier (tenant ID)

In Lovable, update these values as desired. The values are prepopulated based on your verified domain.

Display name: The name shown to users during authentication.
SSO login identifier (tenant ID): The URL users will use to sign in directly with SSO.

Provider mappingCommon field names across providers:

ACS URL: Single Sign-On URL, SSO URL, Reply URL, Assertion Consumer Service URL
Audience: SP Entity ID, Audience URI, Identifier
Attribute mapping: Attribute Statements, User Attributes & Claims

Steps

Create a SAML 2.0 application

Create a new SAML 2.0 application in your provider.

Configure endpoints

ACS URL: https://auth.lovable.dev/__/auth/handler
Audience / Entity ID: https://auth.lovable.dev/__/auth/handler

Map attributes

Ensure email is included in the SAML assertion. displayName is optional.

Assign users

Assign the application to users/groups who should access Lovable.

Provide Lovable with your IdP information

In Lovable, choose between quick SAML provider setup or manual configuration:Option 1: Quick setup - import from metadata URL

In your IdP, locate your SAML metadata URL (typically found in the SAML application settings or metadata details)
In Lovable, paste the metadata URL in Quick setup: Import from Metadata URL field.
Click Test & Import to automatically populate the required fields below.

Option 2: Manual configurationIn your IdP, locate the corresponding values and enter them in Lovable:

Login URL → Lovable SAML SSO Sign-on URL from your IdP
Identifier/Issuer/Entity ID → Lovable Identity Provider Entity ID / Issuer
X509Certificate → Lovable X.509 Signing Certificate (public key)

Configure display name and SSO login identifier (tenant ID)

In Lovable, update these values as desired. The values are prepopulated based on your verified domain.

Display name: The name shown to users during authentication.
SSO login identifier (tenant ID): The URL users will use to sign in directly with SSO.

Troubleshooting

OIDC
SAML

Invalid or mismatched Redirect URI

Ensure the redirect/callback URL exactly matches https://auth.lovable.dev/__/auth/handler in your IdP.

Issuer URL / discovery fails

Use the provider’s OIDC Issuer URL (not just the domain).

For Okta, copy from the Sign-on tab
For Auth0, use your tenant domain.

Email not returned

Grant the email scope and ensure the user account has a primary email.

Authorization flow issues

Use Authorization Code with a confidential client and client secret. Avoid implicit or PKCE-only app types.

Invalid ACS or Audience

Ensure both ACS and Audience/Entity ID exactly match https://auth.lovable.dev/__/auth/handler in your IdP.

Email claim missing

Make sure to map an email claim.For Microsoft Entra ID, map email to user.mail. If user.mail is empty, use user.userprincipalname.

Provider credentials invalid

Paste the correct X.509 certificate. If the certificate rotates, update it in Lovable.

FAQ

I already have an account, but I'm joining a business workspace that uses SSO. How do I log in?

If you created your account using another login method (like email/password, Google, or GitHub), you need to log in that way first. Once you’re logged in, navigate to Settings → Your account → Link SSO. This will link your existing account to your company SSO.

Important: If you attempt to log in with SSO before linking your existing account, you’ll see an error. This is a security measure to prevent unauthorized access. Log in using your original method first to complete the linking process.

Which SSO providers does Lovable support?

Lovable supports the industry-standard OIDC and SAML protocols, so you can integrate with any SSO provider that supports them.

Does Lovable support multiple SSO providers per workspace?

No. A workspace can have one active SSO provider configured at a time.

Can I enforce SSO for my workspace?

Yes. The workspace owner or admin can enable Enforce SSO in Settings → Workspace → Identity and choose the session duration to configure how long users stay signed in before requiring re-authentication (24 hours, 48 hours, or 7 days).This requires all workspace members to use SSO for authentication. External collaborators and invite links will be disabled.

Does Lovable support IdP-initiated SSO?

No. IdP-initiated SSO (starting from an IdP dashboard tile) is not supported.Lovable supports SP-initiated sign-in only. Users must start sign-in from Lovable.

Does Lovable support SCIM or automatic user provisioning?

Lovable supports JIT (just-in-time) provisioning: user accounts are created automatically the first time someone signs in via SSO, and they’re added to your company workspace.You can also set a default role for JIT-created users (admin, editor, or viewer) that will be applied when they join via SSO for the first time.

How can I find my tenant ID (SSO login identifier)?

Your tenant ID is the {tenantId} value used in your SSO login URL:
https://lovable.dev/sso-login/{tenantId}. It matches the SSO login identifier you configured when setting up your SSO provider in Lovable.You can also find it in Settings → Workspace → Identity after you have configured your provider.

How can I edit my SSO provider configuration?

You cannot edit your configured SSO provider. To make any updates, you first need to delete the existing SSO provider and then configure it again.

​Supported SSO protocols

​Prerequisites

​Start SSO setup in Lovable

​IdP configuration reference

​Provider-specific setup guides

​Configure Okta as your SSO provider

​Configure Auth0 as your SSO provider

​Configure Microsoft Entra ID as your SSO provider

​Configure other providers

​Troubleshooting

​FAQ

Supported SSO protocols

Prerequisites

Start SSO setup in Lovable

IdP configuration reference

Provider-specific setup guides

Configure Okta as your SSO provider

Configure Auth0 as your SSO provider

Configure Microsoft Entra ID as your SSO provider

Configure other providers

Troubleshooting

FAQ