SSO setup (Pro)

Single Sign-On lets your team log in with Google Workspace or Microsoft 365 instead of a Construction Scope password. Available on Pro plans. Worth the upgrade for teams of 8+ where password management becomes its own administrative burden — SSO eliminates password reset tickets and ensures access dies the moment someone leaves the parent workspace.

Provider support

Google Workspace and Microsoft 365 (Entra ID, formerly Azure AD). Other SAML 2.0 providers on request — email us; we've added Okta, Auth0, and OneLogin for specific customers and can usually turn around a new provider in 5-10 business days.

Set it up

Settings → Workspace → SSO. Pick provider, paste your domain, and follow the provider-specific instructions on the page. ~15 minutes the first time — most of it is in your identity provider's admin console (creating the application, configuring the assertion attributes). Construction Scope's side is two fields and a save.

For Google Workspace, the IdP-initiated SAML flow is simpler than the SP-initiated. The instructions walk through both; pick whichever matches your existing IdP setup.

After it's live

New invites go through SSO automatically. Existing users can log in with their workspace email; we match by email address. The first SSO login automatically links the existing Construction Scope account to the SSO identity — no separate provisioning step needed.

Provisioning and de-provisioning

When you add someone to your SSO directory, they're not automatically a Construction Scope user — you still invite them with the Construction Scope role you want. When you remove someone from your SSO directory, their Construction Scope account is automatically disabled within ~5 minutes. This is the main reason most teams adopt SSO: clean de-provisioning when employees leave.

When SSO breaks (and how to recover)

If your IdP misconfigures or your SAML cert expires, every SSO user is locked out. The workspace Owner can still log in via password recovery (we keep a password-fallback for the Owner role even when SSO is enabled). Once the Owner is in, they can disable SSO temporarily, fix the IdP, and re-enable. Plan accordingly — the Owner password should be in a password manager you can access without SSO.