Set up single sign-on (Google / Microsoft)

What you'll need

• A Google Cloud Console project OR a Microsoft Entra (Azure AD) tenant
• Admin access to create OAuth credentials
• A custom email domain (e.g., acme.com — not gmail.com)

Google setup

1. Open the StafFixHR app and go to Settings → Single sign-on

2. Copy the Redirect URI shown for Google

3. In Google Cloud Console:

- APIs & Services → Credentials → Create credentials → OAuth Client ID

- Application type: Web application

- Authorized redirect URIs: paste the URI from step 2

- Save → copy the Client ID + Client Secret

4. Back in StafFixHR: paste them, enter your domain (e.g., acme.com), tick Enable, click Save.

Microsoft setup

1. Same first step — copy the Microsoft Redirect URI from /admin/sso

2. In Microsoft Entra (entra.microsoft.com):

- App registrations → New registration → name it "StafFixHR"

- Web redirect URI: paste the URI

- Save the Application (Client) ID

- Certificates & secrets → New client secret → copy the Value (not the ID — this is the gotcha)

3. API permissions → add: openid, email, profile, User.Read (Microsoft Graph) → Grant admin consent

4. Back in StafFixHR: paste ID + Secret, enter your domain, tick Enable, click Save.

Require SSO

Toggle Require SSO for this domain to block password sign-in for users at that domain. Strongest IdP enforcement. Make sure all current users have signed in with SSO at least once before flipping this on, otherwise they'll be locked out.