Important: This feature is available only to Enterprise Plan users.
SSO is available exclusively on our Enterprise plan.
If you are currently on a different plan and are interested in enabling SSO, please reach out to your Customer Success Manager or contact our team at cs@shiftcare.com to discuss upgrading to Enterprise.
Single Sign-On (SSO) allows your team to log into ShiftCare using your organisation’s existing work login, such as Microsoft 365 or Google Workspace.
Instead of remembering a separate ShiftCare password, staff sign in once through your company’s login system and access ShiftCare securely.
This guide includes:
What Is SSO?
Single Sign-On means your staff use their normal work credentials to access ShiftCare.
For example, if your team logs into Microsoft 365 or another company portal each day, they can use those same credentials to access ShiftCare. No separate ShiftCare password is required.
Is SSO right for your organisation?
SSO is designed for organisations that use a centralised IT system to manage employee access. This system is often called an Identity Provider (IdP).
Common Identity Providers include:
Microsoft Entra ID (formerly Azure Active Directory)
Okta
OneLogin
Google Workspace via SAML
You can likely use SSO if:
Your staff use company email addresses, such as name@yourcompany.com
Your organisation has an IT team or IT provider managing app access
You already use a central login system for other business applications
SSO is probably not suitable if:
Staff use personal email addresses such as gmail.com or outlook.com
You do not have centralised login management
There is no IT team managing user access
Why use SSO?
For your staff:
One less password to remember
Faster access to ShiftCare
Seamless login if already signed into your work system
For your organisation:
Improved security. When a staff member leaves, disabling their central account immediately removes their access to ShiftCare.
Reduced admin. No need to manage separate passwords in ShiftCare.
Centralised access control managed by your IT team.
How does SSO work?
A staff member goes to the ShiftCare login page and selects 'Sign in with SSO'.
They enter their work email address.
They are redirected to your organisation’s login page.
After signing in, they are automatically redirected back to ShiftCare.
Authentication is handled entirely by your organisation’s system.
What is required to set up SSO?
SSO setup is completed collaboratively between your IT team and ShiftCare.
Your IT team will need to:
Configure ShiftCare as an application in your Identity Provider.
Provide ShiftCare with:
Identity Provider Entity ID
Sign-On URL
Security Certificate
Confirm your organisation’s email domain.
ShiftCare support can guide your IT team through this process. For detailed technical setup instructions, see the section below.
⚠️Important: SSO uses a protocol called SAML 2.0. This is different from "Sign in with Google" or "Sign in with Microsoft" buttons you might see on consumer websites. Your Identity Provider needs to support SAML 2.0 (most enterprise providers do).
SSO Set-up for ShiftCare Customers
Here are the steps to follow:
Set up Your SAML 2.0 IDP App
You will need to create the SAML 2.0 IDP application on your selected provider. They will need the following information, which is accessible via Account > Settings.
Service Provider Single Sign On URL
This is the URL the SAML provider will call us back with after you finish the sign-in.
This usually follows the convention of
/users/auth/saml/callback, for example:
Audience/ Service Provider Issuer
Audience is an identifier (usually a URL) included in the SAML assertion by the Identity Provider (IdP). It tells the SP who the assertion is intended for. The SP will only accept the assertion if the Audience value matches its own identifier.
We use the app URL for the Audience value, like
https://app.shiftcare.com
Set up ShiftCare with Your SAML 2.0 IDP
After you set up your SAML provider app, you will need to update the SSO SAML section in Account > Settings.
Identity Provider Single Sign-On URL
This is the endpoint URL provided by the Identity Provider (IdP) where the Service Provider (SP) sends authentication requests.
Identity Provider Issuer (aka IdP Entity ID)
The unique name or ID of the IdP that signs and issues the SAML assertions. The SP uses it to confirm the assertion came from a trusted source.
X.509 Certificate
a public key certificate used by the Identity Provider (IdP) to digitally sign SAML assertions and messages.
Note: Uploading a new certificate will replace the existing one.
Email Domain
The email domain the customer will use in their SAML 2.0 app
Frequently Asked Questions
Can staff still use their regular ShiftCare password?
Yes. By default, SSO is an additional login option. If your organisation prefers to enforce SSO-only login and disable password access, this can be enabled on request. Please speak with your Account Manager.
Does SSO work on the ShiftCare mobile app?
Yes. SSO is fully supported on mobile.
Can we use SSO with Gmail or Outlook.com email addresses?
No. SSO requires a company-owned email domain and cannot be used with public email providers such as Gmail, Outlook.com, or Yahoo.
What happens if our Identity Provider is unavailable?
Staff can log in using their regular ShiftCare username and password as a fallback.
Is there an additional cost for SSO?
Please contact your Account Manager for pricing information.
Are users automatically created in ShiftCare through SSO?
No. SSO only controls how users log in. Staff must still be created manually in ShiftCare. Their email address in ShiftCare must match their email in your Identity Provider.
How long does setup take?
ShiftCare configuration is straightforward.
The overall timeline usually depends on how quickly your IT team can configure ShiftCare in your Identity Provider. For IT teams familiar with SAML applications, this is typically a routine task.
For further assistance with Single Sign-On (SSO) Setup with ShiftCare, please contact your Account Manager.