Single Sign-On (SSO) lets your teams log in to the Luzmo app using their company credentials managed by your Identity Provider (IdP), such as Okta, Microsoft Entra ID (formerly Azure AD), or Google Workspace.
Luzmo supports the OpenID Connect (OIDC) protocol, which is compatible with most modern IdPs. This setup allows you to centralize user authentication and enhance login security across your organization.
⚠️ Important: This setup only applies to logging into the Luzmo app (app.luzmo.com). It does not affect how users access embedded dashboards inside your own application.
1. Setting up SSO as an Organization Owner
Plans & Access
- SSO is included by default in the Elite and Enterprise plans.
- Available as an add-on for other plans. Contact our sales team via hello@luzmo.com or our Customer Success team via cs@luzmo.com to find out more.
- Only Organization Owners can configure and manage SSO.
Step 1 – Create an App in Your Identity Provider (IdP)
To get started, create a Luzmo application in your Identity Provider (IdP), such as Okta or Azure AD.
You will be asked to provide values that Luzmo generates for your organization, including:
- Callback URL
- IdP-Initiated Login URL (optional)
- Required OAuth endpoints (Authorization URL, Token URL, User Info URL)
These values are available in the SSO Settings section at the bottom of the Organization Settings page.
Step 2 – Fill in the SSO Configuration in Luzmo
Luzmo provides:
- Organization UUID
- Callback URL (adapts to your domain/VPC)
- IdP-Initiated Login URL (optional)
You provide:
- Client ID & Secret
- Issuer URL
- Authorization URL
- Token URL
- User Info URL
If your IdP supports OIDC discovery, Luzmo can autofill the last three endpoints when you enter the Issuer URL.
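Before trusting autofilled endpoints, it helps to check the discovery document yourself. The following is an added example, not Luzmo's code: it validates a discovery document against the Issuer URL you entered and extracts the three endpoints. The issuer, hostnames and function names are placeholders, and the mapping of the form labels to the standard OIDC metadata fields is an assumption about how the autofill works.

```python
import json
from urllib.parse import urlsplit

ISSUER = "https://idp.example.com/oauth2/default"  # placeholder issuer

# Constructed discovery document, shaped like what an IdP serves at
# <issuer>/.well-known/openid-configuration. Not output from a real IdP.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": ISSUER,
    "authorization_endpoint": "https://idp.example.com/oauth2/default/v1/authorize",
    "token_endpoint": "https://idp.example.com/oauth2/default/v1/token",
    "userinfo_endpoint": "https://api.idp.example.com/oauth2/default/v1/userinfo",
    "jwks_uri": "https://idp.example.com/oauth2/default/v1/keys",
})

# Form label on the page -> standard OIDC metadata field (assumed mapping).
FIELDS = {
    "Authorization URL": "authorization_endpoint",
    "Token URL": "token_endpoint",
    "User Info URL": "userinfo_endpoint",
}


def discovery_url(issuer):
    """Where the metadata lives: a trailing '/' is dropped before appending."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def endpoints_from_discovery(issuer, document):
    """Return (endpoints, cross_host_labels) or raise ValueError."""
    meta = json.loads(document)
    # OIDC Discovery: the issuer in the document must equal the issuer that
    # was used to fetch it, otherwise the metadata belongs to someone else.
    if meta.get("issuer") != issuer:
        raise ValueError(f"issuer mismatch: {meta.get('issuer')!r}")
    issuer_host = urlsplit(issuer).hostname
    endpoints, cross_host = {}, []
    for label, field in FIELDS.items():
        parts = urlsplit(meta.get(field) or "")
        if parts.scheme != "https" or not parts.hostname:
            raise ValueError(f"{field} missing or not an https URL")
        endpoints[label] = meta[field]
        # A different host is legal (some IdPs split hosts) but worth a look.
        if parts.hostname != issuer_host:
            cross_host.append(label)
    return endpoints, cross_host
```

Endpoints reported in `cross_host` are not errors; confirm against your IdP's documentation that the host is expected before saving the configuration.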
Step 3 – Disable email/password login (Optional)
By default, users can log in using either their email/password or via SSO.
If you want to enforce SSO as the only login method, you can enable the "Disable email/password login" toggle. However, to avoid accidental lockouts:
- You must complete at least one successful SSO login before this option becomes available.
- If no successful SSO login has occurred yet, we will show a warning and prevent the toggle from being activated.
Additionally, if you make changes to your SSO configuration (e.g., Client ID, Issuer URL), the toggle will be automatically disabled. You’ll need to test SSO login again before enforcing it.
This ensures your SSO setup is working correctly before removing password access.
Once the toggle is enabled:
- Standard email/password login is disabled for all users in your organization.
- All authentication must happen through your configured Identity Provider (IdP).
2. How Users Log in with SSO
Luzmo supports two login flows: from the Luzmo login page and directly from your IdP.
A. Logging in from the Luzmo Login Page
- The user lands on app.luzmo.com and clicks the SSO button.
- They enter their email.
- Luzmo checks if the organization uses SSO and redirects the user to the IdP.
- After successful authentication, the user is redirected back to Luzmo and logged in.
If any part of the login fails (invalid user, token error, misconfiguration), the user will receive a clear error message and be redirected to retry.
B. Logging in Directly from the IdP (App-Initiated Login)
Many IdPs let users launch applications from a dashboard (e.g., Okta).
- The user clicks the Luzmo app from the IdP dashboard.
- The IdP redirects the user to a Luzmo login URL that includes the organization ID.
- Luzmo completes the login process as usual.
3. How SSO Affects Login & User Access
By default, organizations can allow users to log in using either SSO or standard email/password.
If the “Disable email/password login” option is turned on in your organization settings:
- Only SSO login will be allowed — Users will no longer be able to sign in using email/password credentials.
- All authentication will go through your Identity Provider (IdP).
- User identification is based on email — Luzmo uses the email returned by your IdP to recognize users and grant access.
If needed, you can re-enable password login at any time — this gives you flexibility while transitioning to a full SSO setup.
What Stays the Same
SSO controls how users log in, but it doesn’t manage who has access to Luzmo. (User provisioning is not yet supported in this first release.)
- Users need to exist in Luzmo before they can log in — If someone tries to sign in via SSO but doesn't yet have a Luzmo account, the login will fail.
- Organization Owners are responsible for creating and managing users — You can do this manually through the UI or automate it using our API.
- User removal isn’t automatic — If someone leaves your organization or is removed from your IdP, you’ll need to update their Luzmo access separately.
We don’t yet have an ETA for when automatic user provisioning will be available, but please register your interest via our roadmap and our Product team will take it into consideration.
Common Scenarios and Expected Behavior
- A user is created in Luzmo, but later deleted from the IdP → They will no longer be able to log in, but their account remains.
- The “Disable email/password login” toggle is turned off → Users who had passwords before can use them again.
- A user didn’t have a password before → They can set a new password by clicking “Forgot password” on the login page.
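Because user removal isn't automatic and users are matched by email, a periodic reconciliation of IdP users against Luzmo users catches the cases above. This is an added example, not Luzmo's code: the CSV layouts, column names, the `ACTIVE` status value and the function names are assumptions, and the exports themselves would come from your IdP and from the Luzmo UI or API.

```python
import csv
import io

# Constructed exports; the column names are assumptions, not a Luzmo or IdP format.
IDP_EXPORT = """email,status
Alice@Example.com,ACTIVE
bob@example.com,ACTIVE
carol@example.com,DEACTIVATED
"""
LUZMO_EXPORT = """email
alice@example.com
carol@example.com
dave@example.com
pat@partner.example
"""


def emails(text, keep=lambda row: True):
    """Normalised email set from a CSV export (case-folding is an assumption)."""
    rows = csv.DictReader(io.StringIO(text))
    return {row["email"].strip().lower() for row in rows if keep(row)}


def audit(idp_csv, luzmo_csv, external=(), password_login_disabled=False):
    """Compare active IdP users with Luzmo accounts; `external` lists partners."""
    idp_active = emails(idp_csv, lambda row: row["status"] == "ACTIVE")
    luzmo = emails(luzmo_csv)
    external = {e.strip().lower() for e in external} & luzmo
    # Accounts Luzmo still holds for people the IdP no longer vouches for.
    stale = luzmo - idp_active - external
    return {
        "stale_accounts": sorted(stale),
        # While password login is enabled, these may still have a working password.
        "password_login_exposure": [] if password_login_disabled else sorted(stale),
        # IdP users without a Luzmo account: their SSO login will fail.
        "sso_login_will_fail": sorted(idp_active - luzmo),
        # Partners kept on passwords lose access once passwords are disabled,
        # unless they are also created in the IdP.
        "external_locked_out": sorted(external - idp_active)
        if password_login_disabled else [],
    }
```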
4. Frequently Asked Questions
Q: Do you support Google/Microsoft/Okta/others?
Yes — Luzmo supports any IdP compatible with OIDC.
Q: Can we use SAML instead of OIDC?
Not at this time — we only support OIDC in the current version.
Q: Can I give access to users outside my organization (e.g. partners)?
Yes. You can either:
- Keep email/password login active, or
- Create external users in your IdP.
Q: Is anything deleted when switching login methods?
No. Disabling email/password login affects authentication only, not accounts or data.