
SSO / OIDC

YipYap supports single sign-on (SSO) via the OpenID Connect (OIDC) protocol. This lets your team sign in with your existing identity provider instead of managing separate credentials.

SSO/OIDC configuration settings

  1. In your identity provider (Okta, Google Workspace, Entra ID, etc.), create a new OIDC application.
  2. Set the application’s redirect URI to https://console.yipyap.run/auth/oidc/callback.
  3. Copy the Client ID, Client Secret, and Issuer URL from your identity provider.
  4. In YipYap, navigate to Settings > Security > SSO and click Configure OIDC.
  5. Paste the Client ID, Client Secret, and Issuer URL into the form.
  6. Click Save and test the connection by signing out and signing back in via SSO.
  7. Optionally, enable Enforce SSO to require all members to authenticate through the OIDC provider.

Any OIDC-compliant identity provider works with YipYap, including:

  • Google Workspace
  • Microsoft Entra ID (Azure AD)
  • Okta
  • Auth0
  • Keycloak
  • Authentik
  • Zitadel

  1. Navigate to Settings > Security > SSO.
  2. Click Configure OIDC.
  3. Enter the following values from your identity provider:

| Field | Description |
| --- | --- |
| Issuer URL | The OIDC discovery URL (e.g. https://accounts.google.com). |
| Client ID | The OAuth client ID assigned by your IdP. |
| Client Secret | The OAuth client secret. |

  4. Copy the Callback URL shown in YipYap and register it in your identity provider’s allowed redirect URIs.
  5. Click Save.

The callback URL follows this pattern:

https://console.yipyap.run/auth/oidc/callback

Add this URL to your identity provider’s list of authorized redirect URIs.

YipYap maps the following OIDC claims to user attributes:

| OIDC Claim | YipYap Attribute |
| --- | --- |
| email | User email |
| name | Display name |
| sub | External user ID |

If your provider uses non-standard claim names, you can configure custom attribute mappings in the advanced settings.

Once configured, you can enforce SSO for your organization. When enforced:

  • All members must sign in through the OIDC provider.
  • Password-based login is disabled for the organization.
  • New members are automatically provisioned on first login.

  • Redirect mismatch: Verify that the callback URL in your IdP exactly matches the one shown in YipYap.
  • Claims missing: Ensure your IdP is configured to include the email and name claims in the ID token.
  • Login loop: Clear browser cookies and try again. Check that the issuer URL is correct and accessible.
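
The following pre-flight check covers the redirect, claims, and issuer items above. It is an added example, not YipYap's own code or part of the original documentation. The IdP at idp.example.com, the sample discovery document, and the unsigned sample token are constructed for illustration, and the function names are hypothetical.

```python
import base64
import json

CALLBACK_URL = "https://console.yipyap.run/auth/oidc/callback"  # from this page
MAPPED_CLAIMS = ("email", "name", "sub")  # claims this page says YipYap maps

def check_discovery(issuer_url, doc):
    """Return problems in a discovery document fetched for issuer_url."""
    problems = []
    # OIDC Discovery: the document's issuer must equal the configured URL exactly.
    if doc.get("issuer") != issuer_url:
        problems.append("issuer mismatch")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if not str(doc.get(key, "")).startswith("https://"):
            problems.append(key + " missing or not https")
    # claims_supported is optional metadata; only check it when advertised.
    advertised = doc.get("claims_supported")
    if advertised is not None:
        problems += ["claim not advertised: " + c for c in MAPPED_CLAIMS if c not in advertised]
    return problems

def missing_claims(id_token):
    """List mapped claims absent from an ID token. The payload is decoded
    WITHOUT signature verification, so use this for diagnosis only."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return [c for c in MAPPED_CLAIMS if not claims.get(c)]

def redirect_problem(registered_uris):
    """The page requires an exact match; report near misses separately."""
    if CALLBACK_URL in registered_uris:
        return None
    near = [u for u in registered_uris if u.rstrip("/").lower() == CALLBACK_URL.lower()]
    return "near miss: " + near[0] if near else "callback URL not registered"

def _b64(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed sample data (hypothetical IdP, unsigned token, assumed values).
SAMPLE_DOC = {"issuer": "https://idp.example.com/",
              "authorization_endpoint": "https://idp.example.com/authorize",
              "token_endpoint": "https://idp.example.com/token",
              "jwks_uri": "https://idp.example.com/jwks",
              "claims_supported": ["sub", "email"]}
SAMPLE_TOKEN = ".".join([_b64({"alg": "RS256"}), _b64({"sub": "u-1", "email": "a@example.com"}), "sig-omitted"])

if __name__ == "__main__":
    print(check_discovery("https://idp.example.com", SAMPLE_DOC), missing_claims(SAMPLE_TOKEN))
    print(redirect_problem([CALLBACK_URL + "/"]))
```

In the sample, the issuer differs from the configured URL only by a trailing slash and the token lacks `name`, so both checks report a problem.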