How do I set up Single Sign-On (SSO) with Monta?
Explains how to configure OpenID Connect (OIDC) Single Sign-On for Monta Hub. Use this article to connect your identity provider and centralise user authentication.
Monta supports Single Sign-On using OpenID Connect (OIDC), allowing operators to authenticate users through their existing OAuth 2.0 Identity Providers (IdPs) such as Microsoft Azure AD, Google, Auth0, and others that follow the OIDC standard.
Why use SSO with Monta?
SSO improves your organization’s security and simplifies user management by centralizing authentication.
Key benefits include:
- Enhanced security – Centralized control and MFA enforcement.
- Streamlined user access – Users log in once to access Monta and other company apps.
- Simplified administration – Add or remove users directly through your IdP.
- Enterprise readiness – SSO is a core requirement for larger teams and partners.
Supported providers
Monta currently supports OIDC-based IdPs, including:
- Microsoft Entra ID (Azure AD)
- Okta
- Google Workspace
- OneLogin
- Auth0
Set Up OIDC SSO in Monta
1. Configure your OpenID Connect provider
Add the following redirect URI to your IdP configuration:
Redirect URI:
Replace {PROVIDER_ID} with your operator identifier.
2. Provide configuration details to Monta
To complete the setup, send the following information to your Monta representative:
| Field | Description |
|---|---|
| Provider type | Microsoft, Google, Auth0, or any OIDC-compliant provider |
| Issuer URL | Base URL used to resolve IdP metadata |
| Tenant ID | Required for Microsoft Azure AD only |
| Client ID | Public identifier for the application |
| Client secret | Secret shared between the IdP and Monta |
| Email domains | Domains linked to this IdP configuration. Users from these domains: • Can auto-select the correct IdP on the login page • Will be restricted to SSO-only login by default. Contact Monta if dual login (SSO + email/password) is required |
First-time SSO login
If a user already has a Monta account with a corporate email address, they must sign in once using their existing login method (email/password, SMS, etc.).
Monta will link their new OIDC identity to the existing account.
Session lifetimes
Default values:
- Session lifetime: 30 days
- Inactive session timeout: 1 day
These can be customized per operator by contacting Monta.
Role mapping (just-in-time role syncing)
Monta can read role information from the IdP-issued ID token and apply Monta roles automatically at each SSO login.
- Roles update every time a user signs in through SSO
- Requires coordination with Monta to configure role claims and mappings
Contact Monta to enable and configure this feature.
Troubleshooting
| Issue | Possible Cause | Solution |
|---|---|---|
| MFA prompts not showing | Not enforced in IdP | Enable MFA policies directly in your IdP. |
| Role mismatch | Incorrect claims mapping | Ensure role claims (e.g., groups or role) are configured correctly in the IdP. |
| Token errors | Invalid or expired secret | Regenerate the client secret in your IdP and update Monta. |