SSO (OIDC) & MFA (TOTP)
Single sign-on (OIDC)
Section titled “Single sign-on (OIDC)”DataSquares signs in against any OpenID Connect identity provider — Okta, Microsoft Entra ID, Google Workspace, Auth0, Keycloak, and anything else that speaks OIDC discovery.
Configuring it
Section titled “Configuring it”In Admin → Settings → Single sign-on, fill in:
| Field | Value |
|---|---|
| Issuer URL | your IdP’s OIDC discovery base URL |
| Client ID / Client secret | from the app registration you create in the IdP (the secret is write-only — leaving it blank on later edits keeps the stored value) |
| Auto-provision email domains | domains whose users may be created on first SSO sign-in |
| Auto-provision new users | toggle first-login account creation |
| SSO enabled | the master switch |
Signing in with SSO
Section titled “Signing in with SSO”Users click Sign in with SSO on the login page and enter their email — DataSquares looks up the organization by domain and redirects to your IdP. If SSO isn’t configured for that domain, the login page says so and password sign-in remains available.
Two-factor authentication (TOTP)
Section titled “Two-factor authentication (TOTP)”MFA is per-account, using any TOTP authenticator app (Google or Microsoft Authenticator, 1Password, …).
Enrolling
Section titled “Enrolling”From the account’s Two-factor authentication dialog: Set up two-factor shows a QR code (or a copyable setup key if you can’t scan), you enter the 6-digit code from your app, and Verify and enable turns it on — the factor only activates once a code proves you have it.
At sign-in
Section titled “At sign-in”With MFA enabled, password sign-in adds a second step: enter the current 6-digit code (valid for a 5-minute window; if it lapses you’re returned to the password step). Disabling MFA requires a current code too.