Set Up SSO for Compound

Last updated April 3, 2026

Single Sign-On (SSO) lets your team sign in to Compound through your organization’s identity provider (IdP) instead of managing separate passwords. Once configured, team members with your verified email domain are automatically prompted to authenticate via SSO when they sign in.

Prerequisites

Before you begin, make sure you have the following:

  • A Compound team — SSO is a team feature. If you don’t have a team yet, go to Settings > Subscription, click Create or Join Team, and choose a Team plan (Team Plus, Team Pro, or Team Pro Max). The person who creates the team becomes the Owner.
  • Team Owner role — Only Team Owners can configure SSO. Admins and Members cannot access SSO settings.
  • A custom email domain — Public email domains (e.g., gmail.com, outlook.com) cannot be used for SSO.

Verify your domain

Domain verification is required before you can enable SSO. This proves that your organization controls the email domain and prevents unauthorized teams from claiming it.

Set your team's email domain

In Settings > Team, enter your organization’s email domain (e.g., acme.com) in the Email Domain field. Click Save.

Start domain verification

In the team info section, click Verify next to your domain. Compound generates a unique verification token and displays DNS record instructions.

Add the DNS TXT record

Log in to your domain registrar or DNS provider and create a new TXT record with the following values:

  • Type: TXT
  • Host: @ (root domain)
  • Value: compound-domain-verification=<your-token>

Copy the exact value shown in Compound — it includes your unique token.

Note

DNS changes can take anywhere from a few minutes to 48 hours to propagate, depending on your DNS provider and TTL settings. Most providers propagate within 5-15 minutes.

Complete verification

Return to Settings > Team and click Check Verification. Compound performs a DNS lookup to confirm your TXT record is in place. Once verified, a green Verified badge appears next to your domain.

Important

Each domain can only be verified by one team. If another team has already verified the same domain, you will need to contact support.
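
To confirm the TXT record is publicly visible before you click Check Verification, you can inspect the DNS answer yourself. The script below is an added example, not Compound's code. It assumes the check is an exact, case-sensitive match on the full value. The function names, the default resolver, and the sample tokens are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Compound's code. Sample values below are constructed.

# Join the quoted strings dig prints for one TXT record ("a" "b" -> ab),
# the conventional way multi-string TXT data is read, and strip the quotes.
normalize_txt() {
    sed -e 's/" "//g' -e 's/^"//' -e 's/"$//'
}

# has_verification_record EXPECTED: reads `dig +short TXT` output on stdin and
# succeeds only if one record equals EXPECTED exactly (assumed match rule).
has_verification_record() {
    normalize_txt | grep -Fxq -- "$1"
}

# stale_records EXPECTED: prints verification records that differ from
# EXPECTED, such as a token left over from an earlier attempt.
stale_records() {
    normalize_txt | grep -F 'compound-domain-verification=' | grep -Fxv -- "$1"
}

# check_domain DOMAIN EXPECTED [RESOLVER]: live lookup, needs dig and network.
# A public resolver (default here is an arbitrary choice) shows what the
# outside world sees once the change has propagated.
check_domain() {
    dig +short TXT "$1" "@${3:-1.1.1.1}" | has_verification_record "$2"
}

# Constructed `dig +short TXT acme.com` output: an SPF record, an old token,
# and the current token as entered by a DNS UI that split it in two strings.
sample_dig_output() {
    cat <<'EOF'
"v=spf1 include:_spf.example.net ~all"
"compound-domain-verification=OLD-TOKEN-CONSTRUCTED"
"compound-domain-verification=" "NEW-TOKEN-CONSTRUCTED"
EOF
}

# Offline demo against the constructed sample.
expected='compound-domain-verification=NEW-TOKEN-CONSTRUCTED'
if sample_dig_output | has_verification_record "$expected"; then
    echo "record found"
fi
sample_dig_output | stale_records "$expected" | sed 's/^/stale: /'
```

For a live check, call check_domain with your domain and the exact value copied from Compound, and remove any record that stale_records reports.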

Supported protocols

Compound supports two standard SSO protocols.

OpenID Connect (OIDC) — Recommended

OIDC is the modern standard for SSO, built on OAuth 2.0 with JSON-based tokens. It is simpler to configure, has better security properties (shorter-lived tokens, no XML signature vulnerabilities), and is the default recommendation from all major identity providers including Okta, Microsoft Entra ID, and Google Workspace.

Choose OIDC unless your organization specifically requires SAML.

Configuration fields:

  • Client ID
  • Client Secret
  • Issuer URL

SAML 2.0

SAML is a widely deployed SSO protocol that uses XML-based assertions. It remains fully supported for organizations with existing SAML infrastructure or compliance requirements that mandate it.

Configuration options:

  • Upload your IdP’s metadata XML file (recommended — automatically extracts Entity ID, SSO URL, and certificate)
  • Manually enter the IdP Entity ID, SSO URL, and X.509 signing certificate

Set up SSO with your identity provider

Once your domain is verified, follow the guide for your identity provider and protocol:

For other identity providers (Azure AD, OneLogin, Google Workspace, etc.), the general flow is the same:

  1. Create a SAML or OIDC application in your IdP using temporary placeholder values for the callback/redirect URL.
  2. Enter the IdP credentials or metadata into Compound at Settings > Team > SSO Configuration.
  3. After saving, Compound displays the SP metadata your IdP needs — ACS URL and SP Entity ID for SAML, or Redirect URI for OIDC. Copy these values back into your IdP’s application settings.

Refer to your IdP’s documentation for the specifics of creating a custom SAML or OIDC application.

What happens after SSO is configured

Once SSO is active for your team:

  1. Automatic SSO detection — When a user enters an email address with your verified domain on the Compound sign-in page, Compound detects that SSO is required and prompts them to sign in through your identity provider.
  2. IdP-initiated authentication — The user authenticates with your IdP (e.g., Okta) using their existing corporate credentials and any MFA policies you have configured.
  3. Seamless access — After successful authentication, the user is signed in to Compound automatically.

Note

While SSO is active, the team’s email domain and login restriction settings are locked. To change these settings, you must first remove the SSO configuration from Settings > Team > SSO Configuration.

Compound will not automatically assign members of your organization to your team. You should invite them from Settings > Team > Invitations.