Skip to main content
SSO is an Enterprise feature. Please reach out to our support team, your sales contact, or via our slack channel if you need to enable Enterprise features as you try out Statsig.
This documentation assumes that you already have an OIDC Provider up and running. Single Sign-On (SSO) with OIDC can be configured for your Statsig Organization to continue using your company’s identity store with Statsig and simplify the process for inviting your team to your Projects. New users will be automatically provisioned, once authenticated by your Identity Provider. Organizations are an Enterprise Tier feature. If your SSO requires multi-factor authentication (MFA), it is automatically required when your users sign into Statsig with SSO enabled.

Supported Providers

We support any Identity Provider (IdP) that implements the OIDC protocol for SSO. We have custom documentation for some of the following OIDC providers:

Configuration

In your Identity Provider

You will need to specify the following for your Statsig App: To enable SSO in Statsig, you will need to collect the following from your OIDC Provider:
  • OIDC Domain
  • Client ID
  • Client Secret

In Statsig Console

Once you have obtained all of the information mentioned above:
  1. Navigate to your Organization’s Info Settings page and click the Enable button for Single Sign-on.
Note that an Owner/Admin role in your Statsig organization is required to configure SSO on Statsig
SSO enable button in organization settings
  1. Provide the information acquired from your OIDC Provider into the fields in the dialog and click Enable.
SSO configuration dialog with OIDC provider fields
  1. After clicking Enable, an SSO link will be shown that can be sent to your team to allow them to login to Statsig through your OIDC Provider.
SSO link generated for team login
Users that sign in through an SSO link will automatically join any Projects that have SSO enabled with the same OIDC Provider, and have access only to those Projects. Users that sign in through an SSO link will also not be able to edit or view any of their personal account settings. By default, users who are provisioned via SSO will be assigned the “Member” Role. Enabling Strict SSO will require that all members of a Project besides the Owner must log in to the Statsig Console through SSO with the configured provider to access the Project.

Break Glass Scenarios

If you have configured SSO to be required, but corrupt your SSO config this will block people from logging in. In case of emergency, the user with the Owner role in the organization can use the break glass URL to sign in with a password (bypassing SSO). The break glass URL is https://console.statsig.com/login?method=password-only