How to Configure and Use Single Sign-On (SSO) in Odoo: A Complete Step-by-Step Guide

Single Sign-On is one of those features that quietly disappears into the background once it works — your users stop juggling passwords, your IT team stops resetting them, and logging in becomes a single click. In Odoo, setting up SSO is far more approachable than most people expect, but the documentation tends to be scattered across modules, provider consoles, and version-specific screenshots.

This guide brings it all together. Whether you're running Odoo Community or Enterprise, on-premise or on Odoo.sh, the principles here apply across every recent version. By the end, you'll know exactly what SSO is, why it matters for your business, and how to configure it end-to-end — with a clear, repeatable, tutorial-style walkthrough.

---

What Is Single Sign-On (SSO)?

Single Sign-On (SSO) is an authentication method that lets a user log in once with one set of credentials and gain access to multiple independent applications without logging in again to each one.

Instead of maintaining a separate username and password inside Odoo, your users authenticate against a central Identity Provider (IdP) — such as Google Workspace, Microsoft Entra ID (formerly Azure AD), Okta, or Keycloak. That provider verifies the user's identity and tells Odoo, "Yes, this person is who they claim to be — let them in."

The two technologies that make this possible in the Odoo ecosystem are:

• OAuth 2.0 / OpenID Connect (OIDC) — the modern, lightweight standard built into Odoo's native auth_oauth module. This is what powers "Log in with Google" and "Log in with Microsoft" buttons.
• SAML 2.0 (Security Assertion Markup Language) — an enterprise-grade XML-based standard commonly used with Okta, OneLogin, ADFS, and other corporate IdPs. In Odoo this is handled by the auth_saml module.

In simple terms: SSO moves the responsibility for proving who you are out of Odoo and into a dedicated, hardened identity platform that your organization already trusts.

---

Why Single Sign-On Is Useful for Your Odoo Deployment

Before touching a single configuration screen, it's worth understanding why SSO is one of the highest-value, lowest-effort upgrades you can make to an Odoo environment.

1. Stronger security with fewer weak points. Passwords are the single most exploited attack vector in business software. When you centralize authentication, you eliminate dozens of independently managed Odoo passwords and replace them with one identity that can be protected by multi-factor authentication (MFA), conditional access policies, and continuous monitoring at the IdP level.

2. Faster, frictionless access. A single click replaces the daily routine of typing (and forgetting) credentials. For teams that live inside Odoo all day — sales, accounting, inventory, manufacturing — that friction adds up to real productivity gains.

3. Centralized user lifecycle management. When an employee joins, their access flows from your directory. When they leave, disabling their central account instantly cuts off Odoo access too. This is enormous for offboarding security — no more orphaned Odoo logins lingering after someone departs.

4. Reduced IT and helpdesk burden. Password resets are among the most common helpdesk tickets in any organization. SSO removes Odoo from that equation almost entirely.

5. Compliance and auditability. Centralized authentication gives you a single, consistent audit trail of who logged in, when, and from where — a major advantage for organizations working toward ISO 27001, SOC 2, GDPR, or other regulatory frameworks.

6. A better experience for distributed teams. If your workforce already lives in Google Workspace or Microsoft 365, letting them reuse that identity for Odoo feels natural and removes one more silo from their day.

---

How SSO Works in Odoo: The Architecture

Understanding the flow makes troubleshooting dramatically easier later. Here's what happens behind the scenes during an OAuth/OIDC login:

1. A user clicks the "Log in with [Provider]" button on the Odoo login page.
2. Odoo redirects the browser to the Identity Provider's authorization endpoint.
3. The user authenticates with the IdP (and passes MFA if required).
4. The IdP redirects back to Odoo's callback URL — /auth_oauth/signin — carrying a token.
5. Odoo validates that token against the provider, retrieves the user's profile (primarily their email address), and matches it to an existing Odoo user.
6. If a match is found (or auto-provisioning is enabled), Odoo creates a session and the user is logged in.

The critical takeaway: Odoo identifies users primarily by email address. The email on the IdP account must match the email/login configured on the Odoo user record. This single fact explains the majority of SSO problems people run into.

---

Prerequisites Before You Begin

To configure SSO in Odoo successfully, make sure you have:

• Administrator access to your Odoo instance.
• HTTPS enabled on your Odoo domain. OAuth providers refuse to send tokens to insecure callback URLs in production. (Plain localhost is tolerated for local testing only.)
• Admin access to your Identity Provider (Google Cloud Console, the Microsoft Entra admin center, your Okta dashboard, etc.) so you can register Odoo as an application.
• Developer mode activated in Odoo, which exposes the full set of authentication settings. Activate it from Settings → scroll to the bottom → Activate the developer mode.
• Your exact Odoo base URL, including the protocol — for example, https://erp.yourcompany.com. This must match what you register with the provider character-for-character.

---

Part 1: Configuring OAuth / OpenID Connect SSO in Odoo

This is the most common SSO method and uses Odoo's built-in auth_oauth module — available in both Community and Enterprise editions.

Step 1: Enable OAuth Authentication

1. Go to Settings → General Settings.
2. Scroll to the Permissions (or Authentication) section.
3. Tick the option to enable OAuth Authentication. If you don't see it, install the OAuth authentication (auth_oauth) module manually from the Apps menu — remove the default "Apps" filter to find it.
4. Save.

This activates the OAuth Providers configuration area and adds provider buttons to your login screen.

Step 2: Open the OAuth Providers List

With developer mode on, navigate to:

Settings → Users & Companies → OAuth Providers

You'll typically find one or more pre-seeded providers (Google is included out of the box in many versions). You can edit an existing one or create a new provider from scratch.

Step 3: Understand the Provider Fields

Every OAuth provider record in Odoo uses the same handful of fields. Knowing what each does lets you connect any OIDC-compliant provider, not just the pre-built ones:

Field	What it means
Provider name	The label shown on the login button (e.g., "Sign in with Microsoft").
Allowed	A toggle that switches the provider on or off.
Client ID	The unique application identifier you receive from the IdP when you register Odoo.
Authentication URL	The provider's authorization endpoint where users are sent to log in.
Scope	What information Odoo requests — almost always openid email profile (or email at minimum).
UserInfo URL / Validation URL	The endpoint Odoo calls to validate the token and fetch the user's profile.
Body / Data endpoint	Used in some configurations to retrieve user details after token validation.
CSS class / Body	Optional styling and button text for the login page.

Step 4: Register Odoo With Your Identity Provider

This step happens in your provider's console, not in Odoo. The universal requirement is to register a redirect URI (also called the callback or authorized redirect URL):

https://your-odoo-domain.com/auth_oauth/signin

Replace your-odoo-domain.com with your real domain. This URI must be entered exactly in the provider — a trailing slash, an http vs https mismatch, or a wrong subdomain will all cause the login to fail. Once registered, the provider issues you a Client ID (and sometimes a client secret) to paste back into Odoo.

Step 5: Save, Activate, and Test

1. Paste the Client ID into the Odoo provider record.
2. Confirm the Authentication URL, Scope, and Validation URL match your provider's published OIDC endpoints.
3. Set Allowed to enabled and save.
4. Log out, return to the login page, and you should now see your "Log in with [Provider]" button.

---

Part 2: Provider-Specific Setup Examples

The field structure is identical across providers — only the endpoint URLs change. Here are reference values for the two most common providers. Always confirm current endpoints against the provider's official documentation, as these can evolve.

Configuring Google SSO in Odoo

In the Google Cloud Console:

1. Create (or select) a project.
2. Configure the OAuth consent screen.
3. Create an OAuth 2.0 Client ID of type Web application.
4. Add your authorized redirect URI: https://your-odoo-domain.com/auth_oauth/signin
5. Copy the generated Client ID.

In Odoo's Google provider record:

• Authentication URL: https://accounts.google.com/o/oauth2/auth
• Scope: https://www.googleapis.com/auth/userinfo.email (or openid email profile)
• Validation URL: https://www.googleapis.com/oauth2/v3/tokeninfo
• Client ID: (paste from Google)

Configuring Microsoft Entra ID (Azure AD) SSO in Odoo

In the Microsoft Entra admin center:

1. Go to App registrations → New registration.
2. Set the redirect URI (platform: Web) to https://your-odoo-domain.com/auth_oauth/signin.
3. Copy the Application (client) ID.

In a new Odoo OAuth provider record:

• Authentication URL: https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/authorize
• Scope: openid email profile
• Validation URL: Microsoft's OIDC userinfo/token endpoint (https://graph.microsoft.com/oidc/userinfo or the v2.0 token endpoint, depending on flow).
• Client ID: (paste the Application ID)

Swap {tenant-id} for your directory's tenant identifier (or use common for multi-tenant scenarios).

---

Part 3: Configuring SAML-Based SSO in Odoo (For Enterprise IdPs)

If your organization standardizes on SAML 2.0 — common with Okta, OneLogin, ADFS, or PingFederate — you'll use the auth_saml module instead of OAuth.

Step 1: Install the SAML Dependencies

The SAML module relies on Python libraries that must be present on the server (commonly python3-saml and its underlying XML security dependencies). On a self-hosted instance you install these at the operating-system or virtual-environment level before the module will load. On managed platforms, confirm support with your hosting provider.

Step 2: Install the auth_saml Module

Find and install SAML2 Authentication (auth_saml) from the Apps menu. In Community editions you may need to source it from the OCA (Odoo Community Association) repositories, since it isn't always bundled by default.

Step 3: Configure the SAML Provider

With developer mode on, go to Settings → Users & Companies → SAML Providers and create a record. You'll provide:

• Identity Provider Metadata — an XML document (or URL) exported from your IdP describing its endpoints and signing certificates.
• Odoo Service Provider metadata — Odoo generates this; you upload it back to your IdP so the two trust each other.
• Attribute mapping — which SAML attribute carries the user's email, so Odoo can match the login.

Step 4: Establish Mutual Trust

SAML is a two-way handshake: the IdP must know about Odoo (the Service Provider), and Odoo must know about the IdP. Exchange metadata in both directions, ensure the signing certificates are correctly installed, and verify that server clocks are synchronized — SAML assertions are time-sensitive and clock skew is a frequent cause of failures.

---

Part 4: Managing Users and Provisioning

A working SSO button is only half the story. You also need to control who can actually get in.

Matching existing users. By default, SSO logs in users whose IdP email matches an existing Odoo user's login. If no matching user exists, the login is rejected. This is the safest default — only people you've already provisioned in Odoo can authenticate.

Auto-provisioning (just-in-time creation). If you want Odoo to automatically create a user the first time someone authenticates through SSO, you control this via the signup / external sign-up settings under Settings → General Settings. Enable this only when you genuinely want every authenticated IdP user to receive an Odoo account, and pair it with sensible default access rights.

Access rights still apply. SSO handles authentication (proving identity), not authorization (what someone can do). Once a user logs in, their Odoo groups, record rules, and access rights govern everything they can see and edit. Always review the default permissions assigned to SSO-provisioned users.

Mixing SSO and local passwords. Odoo can run SSO and traditional password logins side by side. For tighter security, many organizations choose to disable local password authentication for SSO users entirely, forcing everyone through the central IdP.

---

Troubleshooting Common Odoo SSO Problems

When SSO doesn't work, the cause is almost always one of a small set of issues:

"Redirect URI mismatch" error. This is the number-one problem. The callback URL registered with your provider must match https://your-domain/auth_oauth/signin exactly — check the protocol, subdomain, and any trailing slashes.

"Access Denied" or "Could not find a matching user." The email returned by the IdP doesn't match any Odoo user's login. Confirm the user exists in Odoo and that the email addresses are identical, or enable auto-provisioning if appropriate.

The login button doesn't appear. OAuth authentication isn't enabled, the provider's Allowed flag is off, or the auth_oauth module isn't installed.

Token validation fails. The Validation URL or Scope is incorrect for that provider. Re-check them against the provider's current OIDC documentation.

Works on localhost but fails in production. You're almost certainly missing HTTPS. Providers require secure callback URLs for live environments.

Multi-database confusion. On servers hosting multiple Odoo databases, the OAuth flow can lose track of which database to log into. Pin a default database or restrict the instance to a single database to resolve this.

SAML assertion errors. Usually caused by clock skew between servers or a mismatched/expired signing certificate. Sync time via NTP and verify certificates on both sides.

---

Security Best Practices for Odoo SSO

To get the full security benefit of SSO rather than just the convenience:

• Enforce MFA at the Identity Provider. SSO's biggest security win is centralizing where MFA is applied — turn it on at the IdP.
• Always use HTTPS across your entire Odoo deployment, not just the login page.
• Apply least-privilege access. SSO authenticates the person; your Odoo access rights must still restrict what they can do.
• Disable local passwords for SSO users where possible, so the IdP is the single source of truth.
• Tie offboarding to your directory. Disabling someone's central account should immediately revoke their Odoo access — verify this works in practice.
• Audit provider configurations periodically. Rotate secrets, remove unused providers, and review redirect URIs.
• Test in staging first. Always validate SSO changes on a non-production database before rolling them out to live users.

---

Frequently Asked Questions About SSO in Odoo

Does Odoo support Single Sign-On out of the box?

Yes. Odoo includes the auth_oauth module for OAuth 2.0 / OpenID Connect SSO in both Community and Enterprise editions. SAML-based SSO requires the additional auth_saml module.

Can I use Google or Microsoft 365 to log in to Odoo?

Absolutely. Both are standard OAuth/OIDC providers. You register Odoo as an application in Google Cloud Console or the Microsoft Entra admin center, then create a matching OAuth provider record in Odoo.

What's the difference between OAuth and SAML in Odoo?

OAuth/OIDC is the modern, lightweight standard that powers most social and cloud logins and is built into Odoo. SAML is an older, XML-based enterprise standard often required by corporate IdPs like Okta or ADFS, and needs the separate auth_saml module.

Will SSO work on Odoo.sh and Odoo Online?

OAuth-based SSO works across Odoo.sh, on-premise, and Odoo Online deployments. SAML, because it requires server-level library installation, is most straightforward on Odoo.sh or self-hosted environments — confirm support for your specific hosting model.

Does SSO replace Odoo's access rights?

No. SSO only handles authentication (verifying identity). User groups, record rules, and access rights inside Odoo still control what each person can view and do.

Is SSO available in Odoo Community, or only Enterprise?

OAuth SSO is available in both Community and Enterprise. This is one of the most valuable features that is not locked behind the Enterprise edition.

---

Conclusion

Single Sign-On transforms Odoo from yet another password to remember into a seamless extension of the identity your team already uses every day. The technical setup — enabling auth_oauth, registering a redirect URI, and pasting in a Client ID — takes minutes once you understand the flow. The harder, more valuable work is the thinking around it: enforcing MFA at your IdP, managing provisioning deliberately, and tying access to your directory so onboarding and offboarding stay clean.

Configure it once, test it in staging, and roll it out with confidence. Your users get one-click access, your IT team sheds a mountain of password resets, and your organization gains a centralized, auditable foundation for secure authentication — exactly the kind of quiet, high-leverage win that good ERP architecture is built on.