
Single Sign On (SSO)

CookieHub supports Single Sign On (SSO) using Google Workspace, Microsoft Entra ID (Azure AD), or any SAML 2.0 compatible identity provider such as Okta, Ping, ADFS, or OneLogin.

Once configured, users authenticate through your identity provider and access CookieHub without needing a separate CookieHub password.

SSO is available on Enterprise plans only. Enterprise plans are configured by the CookieHub team — contact us to discuss your requirements and enable SSO for your account.

How SSO works in CookieHub

  • SSO is configured per account. Each account has its own provider configuration and dedicated login URL.
  • Authentication is handled by your identity provider. Add or remove users in your IdP to control access to CookieHub.
  • User provisioning is automatic. When an authorized user signs in through SSO for the first time, CookieHub creates the user and adds them to the account as a standard user.
  • Account owners retain password and magic link access as a recovery option if the identity provider becomes unavailable. Standard users must use SSO.

Enable SSO

  1. Open Account settings → Single Sign On
  2. Select your provider:
    • Google
    • Microsoft
    • SAML 2.0
  3. Enter the required provider credentials
  4. Click Save changes

CookieHub validates the configuration before saving. If configuration values are missing or invalid, an error message is displayed.

Once enabled, the SSO Setup Guide displays:

  • Provider setup details
  • Required redirect URLs
  • Metadata URLs
  • Your dedicated SSO login URL

Provider setup

Configure Google Workspace SSO (OIDC)

  1. Open Google Cloud Console and create an OAuth 2.0 client using the Web application type

  2. Add the CookieHub redirect URI:

    https://dash.cookiehub.com/sso/callback/google

  3. Copy the following values into CookieHub:

    • Client ID
    • Client secret
  4. Optional: Set a Google Workspace domain restriction such as example.com

Using a Workspace domain restriction ensures only users from the specified domain can sign in.

Configure Microsoft Entra ID (Azure AD) SSO

  1. Open Azure Portal → Entra ID → App registrations

  2. Create a new application

  3. Under Authentication, add this redirect URI using the Web platform type:

    https://dash.cookiehub.com/sso/callback/microsoft

  4. Create a client secret under Certificates & secrets

  5. Copy these values into CookieHub:

    • Application (client) ID
    • Client secret value
    • Directory (tenant) ID

The Tenant ID must reference a specific tenant. Generic values such as common, organizations, or consumers are not supported because they would allow any Microsoft account to authenticate.

Configure SAML 2.0 SSO (Okta, Ping, ADFS, OneLogin)

Supported providers include Okta, Ping, ADFS, OneLogin, and other SAML 2.0 compatible identity providers.

  1. In CookieHub, select SAML 2.0
  2. The Setup Guide displays:
    • SP Metadata URL
    • ACS URL
    • Entity ID
  3. Create a new SAML application in your identity provider using these values
  4. Configure your provider to send the user email as the NameID or as a standard email attribute
  5. Copy the following values back into CookieHub:
    • IdP Entity ID
    • IdP SSO URL
    • X.509 Certificate

The certificate must be PEM formatted.

SSO login URL

Each SSO enabled account receives a unique login URL:

https://dash.cookiehub.com/login/sso/ch_<account-key>

This URL is available in the SSO Setup Guide and can be shared internally through:

  • IT onboarding documentation
  • Internal portals
  • Identity provider dashboards
  • Direct communication with users

Opening the URL starts the SSO flow for that specific CookieHub account.

User sign in flow

First time sign in

  1. The user opens the SSO login URL
  2. The user authenticates with the identity provider
  3. CookieHub creates the user account automatically
  4. The user is redirected to the CookieHub dashboard

No manual invitation or pre-creation is required.

Returning users

  1. The user opens the SSO login URL
  2. Authentication occurs automatically when an active IdP session already exists
  3. The user is redirected to the dashboard

Account owners

Account owners can sign in using:

  • SSO
  • Password
  • Magic link

Password and magic link access exists as a recovery option if the identity provider becomes unavailable or misconfigured.

Access model

Role             SSO Login    Password / Magic Link
Standard user    Yes          No
Account owner    Yes          Yes

SSO authentication is scoped to a single CookieHub account session. Users with access to multiple SSO-enabled accounts may need to sign out before switching accounts.

Removing user access

Removing a user from the identity provider prevents future sign ins.

To fully remove access from CookieHub and revoke active sessions, remove the user from:

Account settings → Users

Security considerations

Identity provider controlled access

Your identity provider controls who can access CookieHub. Any user successfully authenticated by the provider receives standard user access to the account.

Microsoft tenant restrictions

Microsoft multi tenant endpoints such as common, organizations, and consumers are not allowed.

Google Workspace restrictions

Workspace domain restrictions ensure only users from the specified domain can sign in.
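
What the Microsoft and Google restrictions above mean at the ID token level, as an added illustration (not CookieHub code; the page does not describe its implementation). It assumes the token's signature, audience and expiry were already verified, uses the providers' `tid`, `iss` and `hd` claims, and all tenant IDs, domains and claim sets are constructed samples.

```python
import re

GENERIC_TENANTS = {"common", "organizations", "consumers"}
GUID_RE = re.compile(r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}")
DOMAIN_RE = re.compile(r"([a-z0-9-]+\.)+[a-z]{2,}")


def check_tenant_setting(value):
    """Accept a tenant GUID or domain name; reject multi-tenant aliases."""
    tenant = value.strip().lower()
    if tenant in GENERIC_TENANTS:
        raise ValueError(f"'{tenant}' is a multi-tenant endpoint, not a tenant")
    if not (GUID_RE.fullmatch(tenant) or DOMAIN_RE.fullmatch(tenant)):
        raise ValueError("tenant must be a GUID or a verified domain")
    return tenant


def microsoft_claims_ok(claims, tenant_guid):
    """True only if the token was issued by the pinned tenant."""
    issuer = f"https://login.microsoftonline.com/{tenant_guid}/v2.0"
    return claims.get("tid") == tenant_guid and claims.get("iss") == issuer


def google_claims_ok(claims, workspace_domain):
    """True only for a Workspace account of the configured domain."""
    # Google sets 'hd' only for Workspace / Cloud organization accounts, so a
    # consumer account registered with an @example.com address has no 'hd'.
    return (claims.get("hd") == workspace_domain
            and claims.get("email_verified") is True)


# Constructed sample claims (already-decoded ID token payloads).
TENANT = "11111111-2222-3333-4444-555555555555"
OTHER = "99999999-8888-7777-6666-555555555555"
MS_OWN = {"tid": TENANT,
          "iss": f"https://login.microsoftonline.com/{TENANT}/v2.0"}
MS_FOREIGN = {"tid": OTHER,
              "iss": f"https://login.microsoftonline.com/{OTHER}/v2.0"}
G_WORKSPACE = {"email": "ana@example.com", "email_verified": True,
               "hd": "example.com"}
G_CONSUMER = {"email": "bob@example.com", "email_verified": True}
```

With a generic endpoint there is no single tenant to pin, so a token like `MS_FOREIGN` would have nothing to be rejected against; with a specific tenant it fails the check.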

SAML signature validation

SAML assertions must be signed using the configured certificate.

Owner recovery access

Account owners always retain password access. Limit owner permissions if you want all authentication to go through SSO.

Troubleshooting

Error: “The authenticated email does not match”

The email returned by the identity provider does not match the expected email address. This commonly occurs when the browser is signed into the wrong Google or Microsoft account.

Error: “This account requires SSO”

A standard user attempted to sign in using password or magic link authentication. Standard users must use the SSO login URL.

Error: “Log out before using SSO”

The current CookieHub session belongs to another account. Sign out and try again.

Microsoft tenant errors

Verify that the Tenant ID references a specific tenant GUID or verified domain.

SAML validation errors

Verify that:

  • ACS URLs match
  • Entity IDs match
  • Certificates are correct
  • Metadata was imported correctly

Need help?

Contact CookieHub support and include:

  • Your account name
  • Your SSO provider
  • Any relevant error messages