SSO Setup
Connect your identity provider to HeadshotPro so team members authenticate through your company's existing SSO system.
Single Sign-On (SSO) lets team members sign in to HeadshotPro using their corporate identity provider — Entra ID, Okta, Google Workspace, or any SAML-compatible IdP. Once active, you can enforce SSO organization-wide and optionally allow anyone with a verified domain email to join without a manual invite.
SSO is an enterprise add-on. Contact sales@headshotpro.com to have it activated for your organization.
How it works
Initial setup
- Go to Admin > Settings > Security.
- Locate the Single Sign-On (SSO) card. The status badge shows Disabled until setup is complete.
- Click Enable SSO.
- If SSO has not been activated for your account, a dialog appears prompting you to contact sales. Email sales@headshotpro.com to request activation.
- If SSO is activated, HeadshotPro provisions a WorkOS organization and opens the SSO configuration portal in a new tab.
- In the configuration portal, connect your identity provider by following the on-screen instructions. The portal supports SAML 2.0 and OAuth-based providers.
- Complete the portal steps and close the tab. HeadshotPro detects the completed setup and updates the SSO status to Enabled.
Reconfiguring SSO
After SSO is enabled, click Configure SSO Settings on the SSO card to reopen the configuration portal. Use this to update certificates, rotate metadata, or change the IdP connection.
Enforce SSO
When enabled, users whose email domains match a verified domain cannot sign in with email/password or social (Google, LinkedIn) logins — they must authenticate through SSO.
- Toggle Require SSO login on the SSO card.
- The change takes effect immediately. Users already logged in are not affected until their session expires.
Disable this toggle if you need to allow mixed authentication temporarily (e.g., during migration or for service accounts).
JIT provisioning (auto-join)
Just-in-time (JIT) provisioning automatically creates a HeadshotPro account and adds a user to your organization the first time they authenticate via SSO, without requiring a prior invitation.
- Toggle Auto-join (JIT Provisioning) on the SSO card.
- When active, anyone with an email on a verified domain who authenticates via your IdP is provisioned instantly.
- When inactive, users must be invited through the Members section before they can sign in via SSO.
Good to know
- SSO is an enterprise add-on. Contact sales@headshotpro.com to discuss pricing and have it activated for your organization.
- SSO is backed by WorkOS. The configuration portal is WorkOS-hosted and opens in a new tab.
- Verified domains are managed inside the WorkOS portal, not inside HeadshotPro directly. After verifying a domain in the portal, the domains list on the SSO card updates automatically.
- Enforce SSO defaults to enabled when you first activate SSO. Review this setting before completing setup if you need a transition period.
- JIT provisioning defaults to disabled. Enable it only if you want an open-door policy for your domain — all verified-domain users will be able to join automatically.
- SSO configuration is restricted to users with the TeamLead role.
- SSO audit logs are available for reviewing authentication events at Admin > Audit Logs (/app/admin/audit-logs). You can filter by event type, date range, and user.
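The following is an added example, not HeadshotPro or WorkOS code: a small model of the Require SSO login and Auto-join rules described above, used to list which members would have to change how they sign in before enforcement is switched on. The roster, the method labels (`sso`, `password`, `social`), the function names and exact-match domain comparison are assumptions made for illustration.

```python
from dataclasses import dataclass

def email_domain(email: str) -> str:
    """Lower-cased domain part after the last '@'."""
    return email.rsplit("@", 1)[-1].strip().lower()

@dataclass(frozen=True)
class SsoSettings:
    verified_domains: frozenset
    require_sso: bool = True   # page: Enforce SSO defaults to enabled
    jit: bool = False          # page: JIT provisioning defaults to disabled

def login_outcome(s: SsoSettings, email: str, method: str, invited: bool) -> str:
    """method is 'sso', 'password' or 'social' (labels chosen for this example)."""
    verified = email_domain(email) in s.verified_domains  # exact match: assumption
    if method != "sso":
        # Enforcement only applies to users on a verified domain.
        return "blocked: SSO required" if (s.require_sso and verified) else "not restricted"
    if invited:
        return "allowed"
    if s.jit and verified:
        return "provisioned"
    return "blocked: invite required"

def transition_report(s: SsoSettings, roster: list) -> dict:
    """Group existing members by what changes once Require SSO login is on."""
    enforced = SsoSettings(s.verified_domains, True, s.jit)
    report = {"must_switch_to_sso": [], "outside_sso": []}
    for email, method in roster:
        if login_outcome(enforced, email, method, invited=True).startswith("blocked"):
            report["must_switch_to_sso"].append(email)
        elif method != "sso":
            report["outside_sso"].append(email)
    return report

# Constructed roster: (email, login method in use today).
ROSTER = [
    ("ana@example.com", "password"),
    ("raj@example.com", "sso"),
    ("Lee@Example.com", "social"),
    ("render-bot@svc.example.net", "password"),
]

if __name__ == "__main__":
    settings = SsoSettings(frozenset({"example.com"}))
    for group, emails in transition_report(settings, ROSTER).items():
        print(group, emails)
```

Accounts listed under `outside_sso` keep password or social login even with enforcement on, because their domain is not verified; review those separately.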