Clinic SSO setup
Security
How to configure clinic sign-in with generic OIDC, including practical starting points for Microsoft Entra ID and Google Workspace.
What matters most
• Works best when each clinic has one clear staff email domain and an existing identity provider tenant.
• The first version supports sign-in for existing staff, optional just-in-time staff creation, and optional disabling of password login.
• SSO does not replace the platform's own MFA: keep MFA enabled alongside SSO if the clinic wants a second factor enforced inside Arctic Parade as well as at the identity provider.
What you need before you start
• The clinic subdomain already exists and the clinic can reach the platform login page.
• You have the OIDC issuer URL, client ID, and client secret from the clinic's identity provider.
• You know whether all staff already exist in Arctic Parade or whether just-in-time staff creation should be allowed.
• If possible, settle on a single clinic email domain before enabling just-in-time creation; the domain restriction is what keeps accounts from outside the clinic out of the clinic's staff list.
Clinic settings to fill in
• Enable clinic SSO in Website Settings under Security controls.
• Set the OIDC issuer, client ID, and client secret exactly as the identity provider publishes them. OpenID Connect compares the issuer as an exact string, so a stray trailing slash or the wrong tenant in the issuer breaks sign-in.
• Set an optional allowed email domain if the clinic should only trust one domain for SSO sign-in. Without it, any account the identity provider authenticates for this client is accepted, so the domain restriction is the platform-side guard against accounts from outside the clinic.
• Use the SSO button label to present something clear, such as "Sign in with Microsoft" or "Sign in with Google".
Microsoft Entra ID guide
• Create a new app registration in the clinic's Microsoft Entra ID tenant. Choose the single-tenant account type (accounts in this organizational directory only) so the registration cannot be used from other tenants.
• Add the platform callback URL as a Web redirect URI, in the form https://<platform-domain>/sso/callback/<clinic-subdomain>/. Entra matches redirect URIs exactly, so keep the trailing slash.
• Under API permissions, add the delegated Microsoft Graph OpenID permissions openid, profile, and email.
• Use the tenant-specific Entra v2 issuer URL, https://login.microsoftonline.com/<tenant-id>/v2.0, where <tenant-id> is the Directory (tenant) ID shown on the registration's overview page. Do not use the common or organizations endpoints, which are not tied to one tenant. Copy the Application (client) ID and a client secret into Arctic Parade, and record the secret's expiry date: Entra client secrets expire, and SSO sign-in stops when one does.
• If the clinic only uses one Microsoft-managed email domain, add that domain as the allowed email domain in Arctic Parade.
Google Workspace guide
• Create an OAuth client ID of type Web application in the Google Cloud project that belongs to the clinic's Google Workspace organisation. Setting the OAuth consent screen's user type to Internal limits the client to that organisation's accounts.
• Add the same platform callback URL, https://<platform-domain>/sso/callback/<clinic-subdomain>/, as an authorised redirect URI.
• Request the OpenID Connect scopes openid, profile, and email.
• Copy the Google issuer, https://accounts.google.com, together with the client ID and client secret into Arctic Parade.
• Google uses that one issuer for every Google account, consumer Gmail included, so if the clinic uses one Workspace domain, add it as the allowed email domain before enabling just-in-time creation.
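The checks above (clinic settings, the Entra ID guide and the Google Workspace guide) can be run against a clinic's configuration before SSO is switched on. The following is an added example written for this guide, not Arctic Parade's own code: the settings dict keys (provider, issuer, client_id, client_secret, allowed_email_domain, jit_create), the check wording and the sample clinic names are assumptions made for the example, while the issuer formats are the documented Entra ID v2 and Google ones. If you have fetched the provider's openid-configuration document, pass it in and its issuer is compared as an exact string, which is the OpenID Connect rule.

```python
"""Offline sanity checks for a clinic's OIDC settings before SSO is enabled.

Added example for this guide, not Arctic Parade's own code. The settings keys
and sample values below are assumptions made for the example; the issuer
formats are the documented Entra ID v2 and Google ones.
"""
from __future__ import annotations

import re
from urllib.parse import urlparse

# Tenant-specific Entra v2 issuer: https://login.microsoftonline.com/<tenant-guid>/v2.0
ENTRA_TENANT_ISSUER = re.compile(
    r"^https://login\.microsoftonline\.com/"
    r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/v2\.0$"
)
# Entra endpoints that are not tied to one tenant; a clinic must not use these.
ENTRA_MULTI_TENANT = {"common", "organizations", "consumers"}
# Google uses one issuer for every Google account, Workspace or consumer.
GOOGLE_ISSUER = "https://accounts.google.com"


def callback_url(platform_domain: str, clinic_subdomain: str) -> str:
    """Redirect URI in the form the guide gives: /sso/callback/<clinic-subdomain>/ on the platform domain."""
    return f"https://{platform_domain}/sso/callback/{clinic_subdomain}/"


def check_sso_settings(settings: dict, discovery: dict | None = None) -> list[str]:
    """Return the problems found; an empty list means the settings look safe to enable.

    `discovery` is the provider's openid-configuration document, if fetched:
    its `issuer` must equal the configured issuer exactly.
    """
    problems = []
    provider = settings.get("provider")
    issuer = settings.get("issuer", "")

    if provider == "entra":
        if not ENTRA_TENANT_ISSUER.match(issuer):
            first = urlparse(issuer).path.strip("/").split("/")[0]
            if first in ENTRA_MULTI_TENANT:
                problems.append(
                    f"Entra issuer uses '{first}', which is not tenant-specific; "
                    "use https://login.microsoftonline.com/<tenant-id>/v2.0"
                )
            else:
                problems.append("Entra issuer is not a tenant v2 issuer URL")
    elif provider == "google":
        if issuer != GOOGLE_ISSUER:
            problems.append(f"Google issuer must be exactly {GOOGLE_ISSUER}")
    else:
        problems.append(f"unknown provider {provider!r}")

    if not settings.get("client_id") or not settings.get("client_secret"):
        problems.append("client ID and client secret are both required")

    domain = settings.get("allowed_email_domain")
    if domain and (domain != domain.lower() or "@" in domain or "." not in domain):
        problems.append("allowed email domain should be a bare lowercase domain, e.g. clinic.example")
    if settings.get("jit_create") and not domain:
        problems.append("just-in-time creation is enabled without an allowed email domain")
    if provider == "google" and not domain:
        problems.append("no allowed email domain: any Google account the client accepts could sign in")

    if discovery is not None and discovery.get("issuer") != issuer:
        problems.append(
            f"discovery document issuer {discovery.get('issuer')!r} does not match the configured issuer"
        )
    return problems


# Constructed sample settings (not real tenants, clients or secrets).
ENTRA_OK = {
    "provider": "entra",
    "issuer": "https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/v2.0",
    "client_id": "example-client-id",
    "client_secret": "example-secret",
    "allowed_email_domain": "northclinic.example",
    "jit_create": True,
}
ENTRA_COMMON = dict(ENTRA_OK, issuer="https://login.microsoftonline.com/common/v2.0")
GOOGLE_NO_DOMAIN = {
    "provider": "google",
    "issuer": GOOGLE_ISSUER,
    "client_id": "example-client-id.apps.googleusercontent.com",
    "client_secret": "example-secret",
    "jit_create": True,
}

if __name__ == "__main__":
    for name, s in [("entra ok", ENTRA_OK), ("entra common", ENTRA_COMMON), ("google no domain", GOOGLE_NO_DOMAIN)]:
        print(name, check_sso_settings(s) or "ok")
    print(callback_url("platform.example", "northclinic"))
```

The Entra `common` case is the one worth remembering: tokens minted through the common endpoint carry the user's real tenant ID in `iss`, so a platform configured with the common issuer either rejects every token or, with a lenient validator, accepts every Microsoft tenant. Configuring the tenant-specific issuer avoids both outcomes.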
Just-in-time staff creation
• Enable this only once you are satisfied that the provider settings and the email-domain restriction are correct; with just-in-time creation on, anyone who signs in through the provider and passes the domain check gets a staff account.
• New SSO users are created as active staff accounts for that clinic, ready for role review.
• A clinic admin should review the initial role of each just-in-time account before wider access is assumed.
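The sign-in decision that the allowed email domain and just-in-time creation imply, as an added example written for this guide rather than Arctic Parade's own code. It assumes an OIDC library has already verified the ID token's signature against the provider's JWKS and hands over the decoded claims; the settings dict keys, the existing-staff lookup, the decision tuples and the sample accounts are assumptions made for the example. Claim names are the standard OpenID Connect ones plus Google's `hd` (hosted Workspace domain) and Entra's `tid` (tenant ID), which let the code corroborate the email domain with something the provider asserts rather than trusting the email string alone.

```python
"""Sign-in decision over verified ID-token claims: allowed domain and just-in-time creation.

Added example for this guide, not Arctic Parade's own code. Assumes the token
signature has already been verified by the OIDC library; the settings keys,
staff lookup shape and sample data are assumptions made for the example.
"""
from __future__ import annotations

import time


def decide_sign_in(claims: dict, settings: dict, existing_staff: dict, now: float | None = None) -> tuple:
    """Return ("sign_in", email), ("jit_create", email) or ("reject", reason)."""
    now = time.time() if now is None else now

    # Issuer: Google may put either "accounts.google.com" or the https form in `iss`.
    iss = claims.get("iss")
    if settings["provider"] == "google" and iss == "accounts.google.com":
        iss = "https://accounts.google.com"
    if iss != settings["issuer"]:
        return ("reject", "issuer mismatch")

    # Audience: the token must have been issued for this clinic's client ID.
    aud = claims.get("aud")
    if settings["client_id"] not in (aud if isinstance(aud, list) else [aud]):
        return ("reject", "token not issued for this client")
    if float(claims.get("exp", 0)) <= now:
        return ("reject", "token expired")

    email = (claims.get("email") or "").strip().lower()
    if "@" not in email:
        return ("reject", "no usable email claim")
    # Google always sends email_verified; Entra often omits it, so only an explicit False rejects.
    if claims.get("email_verified") is False:
        return ("reject", "email not verified by the provider")
    domain = email.rsplit("@", 1)[1]

    allowed = settings.get("allowed_email_domain")
    if allowed and domain != allowed:
        return ("reject", f"domain {domain} is not the allowed domain")
    # Provider-side corroboration of the domain, so a matching email string alone is not enough.
    if settings["provider"] == "google" and allowed and claims.get("hd") != allowed:
        # Consumer Google accounts carry no hd claim at all.
        return ("reject", "hd claim missing or differs from the allowed domain")
    if settings["provider"] == "entra":
        tenant_id = settings["issuer"].split("/")[3]  # https://login.microsoftonline.com/<tenant-id>/v2.0
        if claims.get("tid") != tenant_id:
            return ("reject", "tid differs from the configured tenant")

    staff = existing_staff.get(email)
    if staff is not None:
        if not staff.get("active", True):
            return ("reject", "staff account is inactive")
        return ("sign_in", email)
    if settings.get("jit_create"):
        # The caller creates an active staff account whose role a clinic admin still reviews.
        return ("jit_create", email)
    return ("reject", "unknown staff and just-in-time creation is off")


# Constructed sample data (not real accounts, tokens or clinics).
NOW = 1_700_000_000.0
GOOGLE_SETTINGS = {
    "provider": "google",
    "issuer": "https://accounts.google.com",
    "client_id": "example-client-id.apps.googleusercontent.com",
    "allowed_email_domain": "northclinic.example",
    "jit_create": True,
}
STAFF = {"dr.lee@northclinic.example": {"active": True}}


def sample_claims(email: str, hd: str | None = None, exp: float = NOW + 600) -> dict:
    """Build a decoded Google-style ID-token payload for the examples below."""
    c = {"iss": "accounts.google.com", "aud": GOOGLE_SETTINGS["client_id"],
         "exp": exp, "email": email, "email_verified": True}
    if hd:
        c["hd"] = hd
    return c


EXISTING = sample_claims("dr.lee@northclinic.example", hd="northclinic.example")
NEW_STAFF = sample_claims("nurse.kim@northclinic.example", hd="northclinic.example")
CONSUMER = sample_claims("someone@gmail.com")                     # no hd: consumer account
SPOOFED = sample_claims("admin@northclinic.example")               # right domain string, no hd
EXPIRED = sample_claims("dr.lee@northclinic.example", hd="northclinic.example", exp=NOW - 1)

if __name__ == "__main__":
    for name, c in [("existing", EXISTING), ("new staff", NEW_STAFF), ("consumer", CONSUMER),
                    ("spoofed", SPOOFED), ("expired", EXPIRED)]:
        print(name, decide_sign_in(c, GOOGLE_SETTINGS, STAFF, now=NOW))
```

The order of checks is deliberate: issuer, audience and expiry are rejected before the email is even read, and the domain restriction is enforced before the staff lookup, so an account from outside the clinic never reaches the just-in-time branch regardless of what its email claim says.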
Disabling password login
• Do not disable password login until you have tested SSO with at least one clinic admin account.
• Keep at least one documented emergency recovery path (for example, an admin account whose sign-in does not depend on the identity provider) in case the identity provider is misconfigured or unavailable.
• If MFA is also enforced inside Arctic Parade, staff may still be prompted for MFA after a successful SSO sign-in.