Skip to main content
SSO is an Enterprise feature. Please reach out to our support team, your sales contact, or via our Slack community if you need to enable Enterprise features as you try out Statsig.
This documentation assumes that you already have an OIDC Provider up and running. Single Sign-On (SSO) with OIDC can be configured for your Statsig Organization to continue using your company’s identity store with Statsig and simplify the process for inviting your team to your Projects. New users will be automatically provisioned, once authenticated by your Identity Provider. Organizations are an Enterprise Tier feature. If your SSO requires multi-factor authentication (MFA), it is automatically required when your users sign into Statsig with SSO enabled.

Supported Providers

We support any Identity Provider (IdP) that implements the OIDC protocol for SSO. We have custom documentation for some of the following OIDC providers:

Configuration

In your Identity Provider

You will need to specify the following for your Statsig App: To enable SSO in Statsig, you will need to collect the following from your OIDC Provider:
  • OIDC Domain
  • Client ID
  • Client Secret

In Statsig Console

Once you have obtained all of the information mentioned above:
  1. Navigate to your Organization’s Info Settings page and click the Enable button for Single Sign-on.
An Owner/Admin role in your Statsig organization is required to configure SSO on Statsig
SSO enable button in organization settings
  1. Provide the information acquired from your OIDC Provider into the fields in the dialog and click Enable.
SSO configuration dialog with OIDC provider fields
  1. After clicking Enable, an SSO link will be shown that can be sent to your team to allow them to login to Statsig through your OIDC Provider.
SSO link generated for team login
By default, users who are provisioned via SSO will be assigned the “Member” role in the organization. If the organization has only one open project, users that sign in through an SSO link will automatically join any Projects that have SSO enabled with the same OIDC Provider. If there are multiple projects, users will be added to the organization but will need to request to join open projects or be invited to closed projects. Enabling Strict SSO will require that all members of a Project besides the Owner must log in to the Statsig Console through SSO with the configured provider to access the Project.

Break Glass Scenarios

If you have configured SSO to be required, but corrupt your SSO config this will block people from logging in. In case of emergency, the user with the Owner role in the organization can use the break glass URL to sign in with a password (bypassing SSO). The break glass URL is https://console.statsig.com/login?method=password-only