Understanding Single Sign-On (SSO) with Konvert

SSO is available for Professional (addon cost) and Enterprise subscription plans. One connection is included with an Enterprise subscription, additional are available as an addon. Additional setup fees required.


Konvert supports flexible Single Sign-On (SSO) configurations to help streamline user authentication across organizations. Whether you're integrating Konvert into your existing identity infrastructure or want to use Konvert to authenticate users into external systems, we provide both Inbound and Outbound SSO options, supporting industry-standard protocols like SAML 2.0 and OAuth 2.0.

This article provides an overview of how SSO works with Konvert, including key concepts like user provisioning, identity federation, and how to pass user metadata such as group memberships or account associations.

🔐 What is Single Sign-On (SSO)?

Single Sign-On (SSO) allows users to log in once and access multiple systems or applications without re-entering their credentials. It improves security and simplifies the user experience across platforms.

Konvert supports two primary SSO configurations:

📥 Inbound SSO (Konvert as a Service Provider)

In this mode, Konvert acts as a Service Provider (SP). This allows users to authenticate via your organization’s identity provider (IdP), such as Okta, Azure AD, Google Workspace, or any other SAML 2.0 or OAuth 2.0 compliant provider.

Supported Protocols:

  • SAML 2.0
  • OAuth 2.0 / OpenID Connect (OIDC)

Typical Use Cases:

  • Enterprise customers who want to control access using their existing IdP.
  • Seamless login experience for internal employees accessing Konvert.

Information to Provide for Setup:

To configure Inbound SSO, you’ll need to provide:

  • IdP Metadata URL or XML

    SAML Assertion Claims or OAuth Scopes to include:

    • Email address
    • Name
    • Unique User ID
    • Optional: Group memberships, roles, or custom attributes
  • Signing certificates (for SAML)
  • Redirect URIs (for OAuth)

📤 Outbound SSO (Konvert as an Identity Provider)

In this mode, Konvert acts as the Identity Provider (IdP). This enables users authenticated in Konvert to access external applications or platforms without additional logins.

Supported Protocols:

  • SAML 2.0
  • OAuth 2.0 / OIDC

Typical Use Cases:

  • Use Konvert as the central hub for user identity.
  • Extend access from Konvert to third-party platforms such as analytics tools, customer portals, or internal apps.

Information to Provide for Setup:

To configure Outbound SSO, external systems need:

  • Konvert IdP Metadata URL
  • SAML Attributes or OIDC claims Konvert will send (e.g., email, user ID)
  • Redirect URL / Assertion Consumer Service (ACS) URL

👥 User Provisioning

Konvert offers flexible user provisioning options to support automatic user account creation and management when using SSO.


Just-in-Time (JIT) Provisioning – Users are automatically created in Konvert upon first login via SSO, based on the identity information passed from the IdP.


Attributes for Provisioning:

During provisioning, Konvert can ingest attributes such as:

  • Full name
  • Email
  • Job title or role
  • Group or department
  • Associated account(s)
  • Custom fields (configurable per portal)

🧾 Passing Group Membership and Account Data

To support role-based access and account associations, Konvert can receive and interpret additional claims or attributes during SSO:

  • Group Memberships: SSO tokens can include group IDs and names.
  • Associated Accounts: SSO tokens can include associated account IDs and names.

These attributes can be used for:

  • Fine-grained access control
  • UI customization per user

Please contact our team to get a new SSO connection established, or make a modification to an existing one.