
Single sign-on (Google / Microsoft)

Wire your Google Workspace or Microsoft 365 into Mojaedge HQ, the customer portal, and ERPNext Desk.

Three surfaces

**Mojaedge HQ** — for your ops team. Allowlisted domains only.

**Customer portal** — let each tenant's customers log in with their own Workspace / 365 instead of phone OTP.

**Tenant ERPNext Desk** — Frappe's built-in Social Login Key, configured per tenant.

Google Workspace setup (≈5 min)

1. Go to https://console.cloud.google.com → create / pick a project.
2. Enable **Google People API** + **Google+ API**.
3. **APIs & Services → OAuth consent screen** → External (or Internal if sign-in is limited to your own Workspace), fill in the app info.
4. **APIs & Services → Credentials → Create Credentials → OAuth client ID** → type Web application.
5. Authorised redirect URIs — add ALL of:
   • https://hq.mojaedge.com/api/sso/google/callback
   • https://portal.<your-subdomain>.mojaedge.com/api/sso/google/callback
   • https://<your-subdomain>.mojaedge.com/api/method/frappe.integrations.oauth2_logins.login_via_google
6. Copy the **Client ID** + **Client Secret**. Send them to support@mojaedge.com (or paste them into HQ → Tenant detail → SSO).

Microsoft Entra (Azure AD) setup (≈5 min)

1. https://entra.microsoft.com → Identity → App registrations → New registration.
2. Account type: Single tenant (recommended) or multitenant.
3. Redirect URI (Web) — the same three as for Google, but with `/microsoft/` instead of `/google/`.
4. After creation, copy **Application (client) ID** + **Directory (tenant) ID**.
5. Certificates & secrets → New client secret → copy the *Value*.
6. API permissions → add `openid`, `email`, `profile`, `User.Read`, then **Grant admin consent**.

Where to paste credentials

**HQ-level (all ops sign in via your domain):** ask Mojaedge support to set `GOOGLE_OAUTH_CLIENT_ID/SECRET` + `GOOGLE_ALLOWED_DOMAINS` (and the MS_* equivalents) in the HQ container env.

**Tenant-level (only your end customers and Desk users):** HQ → Tenant detail → SSO tab. Or hit `/api/tenants/<id>` with the metadata.sso block.

**ERPNext Desk:** automatic once HQ pushes the config to bench-runner — Frappe will show Sign in with Google / Microsoft on the Desk login.

Domain allowlist

We enforce a strict email-domain allowlist on every successful OAuth callback, so even if someone hijacks your tenant's redirect URI, they cannot log in with an email address from outside your Workspace / 365 domains. Always set the allowlist: without it, SSO logins are refused.
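To make the callback-side check concrete, here is an added example of how such an allowlist decision can be written; it is not Mojaedge's or Frappe's own code. It assumes `GOOGLE_ALLOWED_DOMAINS` is a comma-separated list (the page only names the variable) and that the identity provider returns OIDC-style `email` / `email_verified` claims; the function names and the sample claims are constructed for the example.

```python
"""Email-domain allowlist check run on a successful OAuth/OIDC callback.

Added example, not Mojaedge's own implementation. Assumes the allowlist is a
comma-separated string (e.g. the GOOGLE_ALLOWED_DOMAINS env var) and that the
provider's token claims carry `email` and `email_verified`.
"""
from __future__ import annotations


def parse_allowed_domains(raw: str | None) -> frozenset[str]:
    """Parse 'Example.com, acme.co.uk' into lowercase, trimmed domain names."""
    if not raw:
        return frozenset()
    return frozenset(
        d.strip().lower().rstrip(".") for d in raw.split(",") if d.strip()
    )


def email_domain(email: str) -> str | None:
    """Return the lowercased domain of an address, or None if it is malformed."""
    if email.count("@") != 1:
        return None
    local, domain = email.split("@")
    if not local or not domain:
        return None
    return domain.lower().rstrip(".")


def sso_login_allowed(claims: dict, allowed: frozenset[str]) -> tuple[bool, str]:
    """Decide whether the callback may sign this identity in.

    Returns (allowed, reason). Mirrors the page's rule that an empty allowlist
    refuses every login, and matches the domain exactly (no suffix matching).
    """
    if not allowed:
        return False, "allowlist not configured"
    if claims.get("email_verified") is not True:
        return False, "email not asserted as verified by provider"
    domain = email_domain(str(claims.get("email", "")))
    if domain is None:
        return False, "malformed email claim"
    # Exact match only: "example.com.evil.com" or "evil-example.com" must fail.
    if domain not in allowed:
        return False, f"domain {domain} not allowlisted"
    # Google Workspace tokens also carry `hd` (hosted domain); if present it
    # must agree with the address, otherwise treat the token as inconsistent.
    hd = claims.get("hd")
    if hd is not None and str(hd).lower().rstrip(".") != domain:
        return False, "hosted-domain claim does not match email domain"
    return True, "ok"
```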

Enforced SSO

If you want to disable phone-OTP login for the portal and require SSO only, set `tenants.metadata.sso.enforce = true`. The portal login screen hides the phone form.
