SSO and OIDC readiness
Forest is built to work with single sign-on through your existing identity provider.
Last updated June 1, 2026
Single sign-on lets your team reach Forest using the identity provider you already run. Instead of a separate Forest password, people authenticate through your central system, and access follows the rules you already enforce there.
Why centralize sign-in
When authentication lives in one place, your security controls follow people everywhere. Password policy, session length, conditional access, and offboarding all stay consistent. The moment someone leaves and you disable their account in your identity provider, their path into Forest closes with it. No orphaned logins, no forgotten cleanup.
OIDC (OpenID Connect) is the standard that makes this work. It lets Forest trust an identity assertion from your provider rather than managing credentials on its own.
What readiness means
Your provider handles the login and confirms who the user is.
Forest receives a verified identity and grants access based on the assigned role.
Your own factor requirements, including MFA, apply at the point of sign-in.
Centralized sign-in is the cleanest way to keep Forest access in step with your joiner, mover, and leaver processes. The fewer separate credentials your team carries, the smaller your exposure.
Single sign-on decides how people authenticate. It pairs with Role-based access control, which decides what they can do once inside, and complements Multi-factor authentication when MFA is enforced at your provider.