Third-Party Authentication

Configure Orbit to authenticate members through your organization's existing identity provider using OAuth2. This lets members sign in with their corporate credentials via Auth0, Okta, Azure AD, or any standards-compliant OAuth2/OIDC provider.

Orbit also supports one-click Google Login — see Integrations for setup details.

How It Works

Orbit uses the OAuth2 Authorization Code flow with PKCE (Proof Key for Code Exchange), the flow recommended for browser-based authentication because the authorization code alone cannot be redeemed without the verifier held by the server.

  1. User clicks the SSO login button on your Orbit portal
  2. User is redirected to your identity provider's authorization page
  3. User authenticates (enters credentials, completes MFA, etc.)
  4. Identity provider redirects back to Orbit with an authorization code
  5. Orbit exchanges the code for an access token (server-side, with PKCE verification)
  6. Orbit retrieves user info (email, name) from the identity provider's userinfo endpoint
  7. User is logged in — Orbit creates their account on first login or matches to an existing account by email
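The redirect-and-callback half of the flow above (steps 2, 4 and 5), as an added example that is not Orbit's own code: it generates the PKCE verifier and challenge, builds the authorization request using the redirect URI and scopes from this page, checks the callback's `state`, and shows the check the identity provider performs at the token endpoint. The provider host `your-idp.com` and the client ID are placeholders.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Values from the configuration section; the IdP host is a placeholder.
REDIRECT_URI = "https://your-portal.orbitams.com/accounts/oauth2/callback/"
AUTHORIZATION_URL = "https://your-idp.com/authorize"
SCOPES = "openid email profile"


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding RFC 7636 requires for PKCE values."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def start_login(client_id: str) -> tuple[str, dict]:
    """Step 2: build the redirect to the IdP. Returns the URL plus the per-login
    values the server keeps in its session; only the opaque `state` and the
    hashed challenge leave the server, never the verifier."""
    code_verifier = b64url(secrets.token_bytes(32))   # 43 chars, high entropy
    code_challenge = b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
    state = b64url(secrets.token_bytes(16))           # ties the callback to this session
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": REDIRECT_URI,
        "scope": SCOPES,
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    session = {"state": state, "code_verifier": code_verifier}
    return f"{AUTHORIZATION_URL}?{urlencode(params)}", session


def handle_callback(callback_url: str, session: dict) -> str:
    """Step 4: validate the IdP's redirect against the saved session and return the
    authorization code, which is then exchanged server-side together with
    session['code_verifier'] at the token URL (step 5)."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != session["state"]:
        raise ValueError("state mismatch: callback is not tied to this login attempt")
    if "error" in query:
        raise ValueError(f"provider returned error: {query['error'][0]}")
    return query["code"][0]


def idp_verifies_pkce(code_challenge: str, code_verifier: str) -> bool:
    """The IdP's check at the token endpoint: S256(verifier) must equal the challenge
    stored with the code. A code intercepted without the verifier fails here."""
    recomputed = b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
    return hmac.compare_digest(recomputed, code_challenge)
```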

Supported Providers

Any OAuth2-compliant identity provider works, including:

  • Auth0 — identity platform with social, enterprise, and passwordless connections
  • Okta — enterprise identity and access management
  • Azure Active Directory — Microsoft's cloud identity service
  • Google Workspace — organization-managed Google accounts
  • OneLogin, Ping Identity, Keycloak — and any other OAuth2/OIDC provider
  • Custom OAuth2 servers — any server implementing the OAuth2 authorization code flow

Configuration

OAuth2 is configured per-tenant from the admin portal under Settings. You'll need these values from your identity provider:

Setting           | Description                               | Example
------------------|-------------------------------------------|------------------------------------
Provider Name     | Display name shown on the login button    | "Company SSO", "Okta"
Client ID         | OAuth2 client/application ID              | abc123def456
Client Secret     | OAuth2 client secret                      | secret_xyz...
Authorization URL | Provider's authorization endpoint         | https://your-idp.com/authorize
Token URL         | Provider's token exchange endpoint        | https://your-idp.com/oauth/token
Userinfo URL      | Endpoint that returns user profile data   | https://your-idp.com/userinfo
Scopes            | Space-separated OAuth2 scopes to request  | openid email profile

Registering Orbit with Your Provider

To connect Orbit, register it as a client/application on your identity provider. Configure these settings on the provider side:

Redirect URI (Callback URL):

https://your-portal.orbitams.com/accounts/oauth2/callback/

Grant Type: Authorization Code

Required Scopes: openid, email, profile (at minimum)

PKCE: Orbit uses PKCE by default. Enable it in your provider if it's optional.

Provider-Specific Guides

Auth0

  1. Create a new "Regular Web Application" in the Auth0 dashboard
  2. Set the Allowed Callback URL to your Orbit redirect URI
  3. Copy the Domain, Client ID, and Client Secret
  4. Authorization URL: https://YOUR_DOMAIN.auth0.com/authorize
  5. Token URL: https://YOUR_DOMAIN.auth0.com/oauth/token
  6. Userinfo URL: https://YOUR_DOMAIN.auth0.com/userinfo

Okta

  1. Create a new "Web Application" in the Okta admin console
  2. Set the Sign-in redirect URI to your Orbit redirect URI
  3. Copy the Client ID and Client Secret
  4. Authorization URL: https://YOUR_DOMAIN.okta.com/oauth2/default/v1/authorize
  5. Token URL: https://YOUR_DOMAIN.okta.com/oauth2/default/v1/token
  6. Userinfo URL: https://YOUR_DOMAIN.okta.com/oauth2/default/v1/userinfo

Azure AD

  1. Register a new application in the Azure portal (Azure Active Directory > App registrations)
  2. Set the redirect URI (Web platform) to your Orbit redirect URI
  3. Create a client secret under Certificates & secrets
  4. Authorization URL: https://login.microsoftonline.com/YOUR_TENANT_ID/oauth2/v2.0/authorize
  5. Token URL: https://login.microsoftonline.com/YOUR_TENANT_ID/oauth2/v2.0/token
  6. Userinfo URL: https://graph.microsoft.com/oidc/userinfo
  7. Scopes: openid email profile

Claim Mapping

Orbit reads user information from the identity provider's userinfo response. By default, it looks for standard OIDC claims:

Orbit Field | Default Claim | Custom Override
------------|---------------|----------------
Email       | email         | Configurable
First Name  | given_name    | Configurable
Last Name   | family_name   | Configurable

If your identity provider uses non-standard claim names (e.g., user_email instead of email), you can configure the claim mapping in the admin settings.
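The claim mapping described above, together with the email-based account matching from the login flow, as an added example (not Orbit's implementation): default OIDC claims, an admin override such as `user_email`, and link-or-create on the normalized email. Lower-casing the email before matching is an assumption of this example, not something the page specifies.

```python
from typing import Optional

# Default claim names from the Claim Mapping table; overrides come from admin settings.
DEFAULT_CLAIMS = {"email": "email", "first_name": "given_name", "last_name": "family_name"}


def map_claims(userinfo: dict, overrides: Optional[dict] = None) -> dict:
    """Translate a userinfo response into Orbit fields.
    `overrides` maps an Orbit field to a non-standard claim name,
    e.g. {"email": "user_email"} for a provider that does not emit `email`."""
    mapping = {**DEFAULT_CLAIMS, **(overrides or {})}
    profile = {field: userinfo.get(claim) for field, claim in mapping.items()}
    if not profile["email"]:
        # Without an email there is nothing to match an account on, so fail closed
        # rather than creating an account that can never be linked again.
        raise ValueError(f"userinfo response has no '{mapping['email']}' claim")
    # Assumption of this example: email comparison is case-insensitive.
    profile["email"] = profile["email"].strip().lower()
    return profile


def resolve_account(accounts: list, profile: dict) -> tuple:
    """Link to the existing account with this email, or create one on first login.
    `accounts` stands in for the tenant's account store. Returns (account, created)."""
    for account in accounts:
        if account["email"].lower() == profile["email"]:
            return account, False          # existing member: linked, not duplicated
    account = dict(profile)
    accounts.append(account)
    return account, True                   # first login: account created
```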

Auto-Redirect

When enabled, the auto-redirect option skips the Orbit login page entirely and sends users directly to your identity provider. This is useful when all users authenticate through a single SSO provider.

Security

  • All OAuth2 flows use PKCE (Proof Key for Code Exchange) to prevent authorization code interception attacks
  • Token exchange happens server-side — client secrets are never exposed to the browser
  • Sessions are standard Django sessions with secure cookie flags
  • Accounts are matched by email address — if a user with that email already exists, they're linked rather than duplicated
