Single Sign-On (SSO) for Enterprise organizations

Who this is for

Single Sign-On is part of the Enterprise tier. It's built for organizations whose security or IT team requires every business application to sign in through the company's identity provider — typically Microsoft Entra ID (formerly Azure AD), Google Workspace, Okta, or a SAML-based provider.

If your team signs into Overture from personal Gmail or Outlook accounts on personal laptops, you don't need SSO. The standard email-and-password sign-in is the right fit. Skip this article and see How to sign in and sign out instead.

What SSO does for your team

• One login, every app. Your team uses the same corporate credentials they already use for email and document storage — no separate Overture password to remember or rotate.
• Centralized access control. When IT disables an employee's corporate account, that person loses Overture access automatically. No orphaned accounts.
• Your security policies apply. MFA, conditional access, IP restrictions, session timeouts — whatever your identity provider enforces, Overture inherits.
• Audit trail in one place. Sign-in events show up in your corporate identity provider's logs alongside every other app.

Supported identity providers

Overture supports any identity provider that speaks one of these two industry-standard protocols:

• SAML 2.0 — the standard most enterprise IdPs support natively.
• OpenID Connect (OIDC) — the modern OAuth-based standard.

In practice that covers the providers you're most likely using:

• Microsoft Entra ID (Azure AD)
• Google Workspace
• Okta
• OneLogin
• JumpCloud
• Ping Identity
• Duo SSO
• Any other SAML 2.0 or OIDC-compliant IdP

How to request SSO for your organization

SSO is enabled per Overture organization. To get set up, email [email protected] with the subject line "SSO setup request" and include the information below.

What we'll need from you

1. Your Overture organization name — the name shown in your dashboard header so we connect the right account.
2. Your identity provider — "Microsoft Entra ID," "Okta," "Google Workspace," etc. If you're not sure, your IT team will know.
3. Protocol preference — SAML 2.0 or OIDC. If your IT team doesn't have a preference, we'll recommend OIDC for newer providers and SAML for established ones.
4. The corporate email domain(s) users will sign in with — e.g. acme.com, acme.co.uk. We'll route anyone signing in with one of those domains through your SSO.
5. A technical contact — name and email of the IT administrator we'll exchange configuration details with. This person needs access to your identity provider's admin console.
6. SSO-only or hybrid — do you want every user on your domain forced through SSO (most common), or do you also want to allow standard email-password sign-in as a fallback for contractors and external collaborators?
7. Just-in-Time provisioning — should new users be auto-created in Overture the first time they sign in through SSO, or do you want to require an Overture invite first? Auto-creation is fastest for large teams; invite-first gives you tighter control.
8. Default role for new SSO users — Viewer is the safest default. You can promote individuals to Crew or Producer afterwards. See Producer vs Crew vs Viewer.

What happens next

1. Within one business day — we reply to confirm we received your request and schedule a 30-minute setup call with your technical contact.
2. During the call — we walk your IT admin through registering Overture as an application in your identity provider, exchange the configuration values (entity IDs, metadata URLs, certificates), and pick a sign-in URL pattern for your organization.
3. Test sign-in — we set you up on a staging configuration so your IT admin can test the flow before any of your actual users see it.
4. Go live — once you approve, we flip your organization over to SSO. Existing users keep their accounts and history; their next sign-in routes through your identity provider.

Typical timeline

From the time you email us until your users are signing in through SSO is usually 5 to 10 business days, mostly dependent on how quickly your IT team can register the Overture application in your identity provider and how many rounds of testing you want to do before flipping the switch.

Cost

SSO is included in the Enterprise tier. If your organization is currently on Basic or Pro, your sales contact will discuss the Enterprise upgrade as part of the setup conversation. See the pricing page for tier details, or email [email protected] for a custom quote.

Common questions

Do you support SCIM provisioning?

Not yet as a self-serve setup, but if your team needs automated user provisioning and de-provisioning via SCIM 2.0, mention it in your setup request. We've implemented it for individual Enterprise customers when required.

What about Multi-Factor Authentication?

MFA is enforced by your identity provider, not by Overture. Whatever MFA policy your IT team applies to other corporate apps (TOTP, push notification, hardware key, etc.) applies to Overture sign-in automatically.

Can we keep some users on email-password sign-in?

Yes — tell us in the request and we'll configure hybrid mode. This is common for organizations that need to share Overture with external producers, contractors, or freelance crew who aren't in their corporate directory.

What if we switch identity providers later?

Email [email protected] ahead of the switch. We can re-configure your organization to point at the new IdP without losing any user accounts or event history.

What if my organization is just one or two people?

Stick with standard email-password sign-in. SSO has a setup cost for both your IT team and ours that only pays off at organizations large enough to have a corporate identity provider. Use a strong password and a password manager — that's the right security posture for small teams.

Ready to start?

Email [email protected] with the subject "SSO setup request" and the eight items above. We'll reply within one business day.