
Custom OIDC SSO Integration Guide

Written by Dev Team
Updated over a month ago

Note: This feature is available exclusively on Enterprise plans and must be requested. If your organization requires a custom OpenID Connect (OIDC) identity provider for compliance purposes and cannot use Google or Microsoft for authentication, please contact us to have this feature enabled.

Important: Regardless of SSO configuration, users must still connect a Google or Microsoft calendar after signing in.

Prerequisites

Before beginning this integration, ensure you have:

  • A Fellow workspace administrator account

  • Access to your organization's Identity Provider (IdP) administration console

  • An active Enterprise plan with Custom OIDC enabled

Step 1: Enable the OIDC Integration in Fellow

  1. Sign in to Fellow using a workspace administrator account.

  2. Navigate to Workspace Settings and open the Account Integrations section.

  3. Select the Single Sign-On card.

  4. Choose OpenID as the provider type and click Next.

  5. A configuration form will appear. Copy the Redirect URL displayed on the form and keep this page open; you will return to it in Step 3.

Step 2: Configure Your Identity Provider

In your IdP's administration console, create a new OpenID Connect application. The exact steps will vary depending on your provider. Use the following configuration values when prompted:

| Parameter | Value |
| --- | --- |
| Redirect URL | Copied from Step 1 |
| Scopes Requested | openid, email, profile |
| Response Type | code |
| Response Mode | query |

Required Claims

Your IdP must return the following claims in the ID token:

  • sub — A unique identifier for the user, provided by the openid scope. Refer to the OpenID standard claims specification for details.

  • email — Used to match the authenticating user to a provisioned account in Fellow. If this claim is missing or does not correspond to a provisioned user, authentication will fail.

  • family_name, given_name, name — Used to populate the user's profile.

Optional Claims

  • picture — User profile photo

  • zoneinfo — User time zone
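
A pre-flight check of the Step 2 values, added here as an example (it is not Fellow's code): it compares an IdP's OpenID Connect discovery document and the payload of a test ID token against the response type, response mode, scopes and claims listed above. The function names, the sample discovery document and the sample token are constructed for illustration.

```python
import base64
import json

# Values from Step 2 of this guide.
REQUIRED_SCOPES = {"openid", "email", "profile"}
REQUIRED_CLAIMS = ["sub", "email", "family_name", "given_name", "name"]
OPTIONAL_CLAIMS = ["picture", "zoneinfo"]

def check_discovery(doc):
    """List mismatches between an IdP discovery document and Step 2."""
    problems = []
    if "code" not in doc.get("response_types_supported", []):
        problems.append("response type 'code' not supported")
    # OIDC Discovery: an absent response_modes_supported means query + fragment.
    if "query" not in doc.get("response_modes_supported", ["query", "fragment"]):
        problems.append("response mode 'query' not supported")
    # Both lists below are optional metadata: flag only what a published list omits.
    if "scopes_supported" in doc:
        for scope in sorted(REQUIRED_SCOPES - set(doc["scopes_supported"])):
            problems.append(f"scope '{scope}' not advertised")
    if "claims_supported" in doc:
        for claim in REQUIRED_CLAIMS:
            if claim not in doc["claims_supported"]:
                problems.append(f"claim '{claim}' not advertised")
    return problems

def missing_claims(id_token):
    """Decode an ID token payload WITHOUT verifying its signature (diagnostic
    use only) and return (missing required, missing optional) claim names."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    required = [c for c in REQUIRED_CLAIMS if not claims.get(c)]
    optional = [c for c in OPTIONAL_CLAIMS if not claims.get(c)]
    return required, optional

def _b64(obj):
    # Encode a dict as an unpadded base64url JWT segment.
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed samples, not taken from any real IdP.
SAMPLE_DISCOVERY = {"issuer": "https://idp.example.com",
                    "response_types_supported": ["code", "id_token"],
                    "scopes_supported": ["openid", "email"],
                    "claims_supported": ["sub", "email", "name", "given_name"]}
SAMPLE_TOKEN = ".".join([_b64({"alg": "RS256"}), _b64(
    {"sub": "u-123", "email": "ada@example.com", "name": "Ada L"}), "sig"])

if __name__ == "__main__":
    print(check_discovery(SAMPLE_DISCOVERY), missing_claims(SAMPLE_TOKEN))
```

An empty result from both functions means the IdP application matches the table and claim lists in this step; a missing email claim is the case that makes authentication fail.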

Step 3: Obtain Your IdP Credentials

Once your OIDC application has been created in your IdP, retrieve the following:

  • Discovery URL

  • Client ID

  • Client Secret

Keep these values available for the next step.

Step 4: Complete Configuration and Test the Integration

  1. Return to the Fellow SSO configuration form from Step 1.

  2. Enter the Discovery URL, Client ID, and Client Secret obtained from your IdP.

  3. Optionally, enter a Custom Provider Name to customize the label on the SSO login button.

  4. Click Save.

  5. If the credentials are valid, a new window will open prompting you to authenticate via your IdP. Complete this login to verify the configuration.

  6. Once the test is successful, sign out of Fellow and confirm that you can sign back in using the new SSO button on your organization's subdomain login page.

Step 5: Enforce Exclusive OIDC Authentication (Optional)

After verifying that SSO login works correctly with your administrator account, you may enforce OIDC as the sole authentication method:

  1. Return to the SSO Configuration page in Workspace Settings.

  2. Enable the "Require authentication exclusively through Custom OIDC" checkbox.

When this setting is active, only the OIDC login button will appear on the sign-in screen, and all users will be required to authenticate through the configured identity provider.
