Lock down your domain
Single sign-on isn’t one switch — it’s three controls that work together to decide exactly who can reach your company’s inventory. Understanding how they fit makes it obvious why SSO keeps the right people in and everyone else out.
1. Domain verification — proving it’s yours
Before anything happens, you claim your email domain (say yourcompany.com) and prove you own it by
publishing a DNS TXT record we generate. Only someone who controls your domain’s DNS can do that — so
a verified domain is a strong, tamper-proof signal that this domain really belongs to your company. Nothing
downstream switches on until that check passes.
2. Require SSO — closing the side doors
With a verified domain, you can require SSO for everyone on it. Once that’s on, a person whose email is on your domain can no longer slip in with a separate password — the login is redirected to your identity provider every time. That closes the “but I made an account ages ago” side door and funnels every sign-in through the MFA and policies your IdP enforces.
3. Auto-provisioning — the right people, automatically
Turn on auto-provisioning and the first time someone from your verified domain signs in through SSO, they’re added to the company automatically — no manual invite needed. New hire joins the right group in your IdP, logs in, and they’re working. Leave it off and access stays invite-only, with SSO simply as the login method.
How they combine
- Verified domain + require SSO = only authenticated members of your domain get in, and only through your IdP.
- + Auto-provisioning = onboarding is hands-off, driven entirely by your identity provider’s groups.
- Remove someone in your IdP = the next sign-in fails, everywhere. Access doesn’t linger.
Each control is a checkbox in your company’s Single Sign-On (SSO) settings. The full setup — from adding a domain to flipping these toggles — is on the single sign-on feature page.