Managing team access across your agency just got simpler. When your team members log into GoHighLevel separately, you're juggling multiple passwords, resetting forgotten credentials, and dealing with security gaps. Single Sign-On (SSO) eliminates all of that—letting your entire team access GoHighLevel using their existing organizational credentials with enterprise-grade security.
In this guide, I'll walk you through the complete SSO setup process using OIDC authentication, explain why it matters for agency operations, and show you how to test everything before rolling it out to your team. If you're running a multi-user agency, this is one of the most valuable security investments you can make.
What Is Single Sign-On (SSO) and Why It Matters for Agencies
Single Sign-On is an authentication system that allows your team members to access multiple applications—including GoHighLevel—using a single set of credentials managed by your organization's identity provider (IdP).
Instead of logging into GoHighLevel with a separate username and password, your team uses their corporate email and password from your existing identity management system. GoHighLevel uses the OpenID Connect (OIDC) protocol to communicate securely with your IdP and verify user identity.
For agencies running multiple team members, clients, or sub-accounts, SSO is a game-changer. It centralizes access control, reduces password fatigue, and ensures consistent security policies across your entire organization. If someone leaves your team or changes roles, you manage their access from one central location—not by manually deactivating accounts in GoHighLevel.
💡 Pro Tip
SSO works best for agencies with 5+ team members. If you're running a smaller operation, standard GoHighLevel user roles may be sufficient. But as you scale, SSO becomes essential for security and operational efficiency.
Key Benefits of SSO in GoHighLevel
Faster, Frictionless Login: Your team logs in once to their computer or mobile device. When they access GoHighLevel, they're automatically authenticated—no password re-entry required. This reduces login friction and improves user adoption.
Enhanced Security: Centralized credential management means stronger password policies, multi-factor authentication (MFA) enforcement, and audit trails. You're not relying on team members to create strong passwords individually. Your IdP handles security compliance.
Simplified User Management: Add or remove team members from one central dashboard. When someone leaves, disable their IdP account and they lose access to GoHighLevel immediately—no manual account deactivation needed.
Professional User Experience: Your team experiences seamless, enterprise-grade access. It signals that your agency invests in professional tools and security infrastructure, which builds client confidence.
Compliance and Auditability: SSO creates detailed logs of who accessed GoHighLevel and when. This is critical for agencies handling client data or operating under compliance requirements (SOC 2, HIPAA, etc.).
SSO Eligibility Requirements and Current Limitations
Who Can Use SSO in GoHighLevel:
- Agencies on the Enterprise plan (or higher tier)
- Organizations with an existing OIDC-compatible identity provider like Okta, Microsoft Entra ID (Azure AD), Auth0, or similar
- Teams with technical resources to configure IdP settings (or support from your IdP provider)
Current Limitations:
- GoHighLevel currently supports OIDC only (not SAML 2.0, though some third-party guides reference legacy SAML configurations)
- SSO applies to agency users and sub-account managers but configuration varies for client access
- You must have an identity provider—GoHighLevel doesn't host an IdP for you
- Initial setup requires technical configuration on both GoHighLevel and your IdP side
Step-by-Step SSO Setup in GoHighLevel
Step 1: Access SSO Settings in GoHighLevel
- Log into your GoHighLevel agency account with admin credentials
- Navigate to Settings → Agency Settings → Security (or SSO depending on your dashboard layout)
- Look for the "Single Sign-On" or "OIDC Configuration" section
- You'll see fields for Client ID, Client Secret, and Discovery URL
Step 2: Generate OIDC Credentials from Your Identity Provider
Log into your identity provider (Okta, Azure AD, Auth0, etc.) and create a new OIDC application:
- Create a new application or integration
- Select "OpenID Connect (OIDC)" as the application type
- Set the Redirect URI to the URL GoHighLevel provides (usually something like https://api.gohighlevel.com/oauth/callback)
- Copy your Client ID and Client Secret (store these securely—don't share them)
- Note your Discovery URL or Authorization endpoint
Step 3: Enter OIDC Credentials into GoHighLevel
- Return to GoHighLevel SSO settings
- Paste your Client ID and Client Secret into the corresponding fields
- Enter your IdP's Discovery URL (this tells GoHighLevel where to authenticate users)
- Save and enable SSO
Step 4: Configure User Attributes (Mapping)
Tell GoHighLevel which IdP attributes correspond to user fields:
- Email: Usually email or mail
- First Name: Usually given_name
- Last Name: Usually family_name
Most IdPs follow standard OIDC naming conventions, so these mappings are usually automatic.
Step 5: Set SSO as the Primary Login Method (Optional)
You can require all users to log in via SSO, or make it optional alongside traditional logins. For maximum security in enterprise settings, enforce SSO-only logins.
Testing and Troubleshooting Your SSO Configuration
Test SSO Before Rolling Out to Your Team
- Log out of GoHighLevel completely
- Return to the login page and look for a "Sign in with SSO" or "Sign in with [Your IdP]" button
- Click it and enter your organization's credentials
- You should be redirected into GoHighLevel automatically
- If successful, you're logged in with SSO active
Common SSO Errors and Fixes
"Invalid Client ID" Error: Your Client ID or Client Secret is incorrect. Double-check you copied them exactly from your IdP without extra spaces.
"Redirect URI Mismatch" Error: The Redirect URI in GoHighLevel doesn't match the one configured in your IdP. Verify both URLs are identical, including trailing slashes.
"User Not Found" Error: The email attribute from your IdP doesn't match an existing GoHighLevel user. Make sure the user exists in GoHighLevel with the same email address they use in your IdP.
"Connection Timeout" Error: Your Discovery URL is incorrect or unreachable. Test it by pasting the URL into your browser—it should return a JSON configuration file.
SSO Login Loop (Redirect Back to Login Page): Usually a scope or claim mismatch. Ensure your IdP is returning OpenID Connect scopes (openid, profile, email).
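Several of the errors above can be caught before anyone tries to log in. The following pre-flight check is an added example, not GoHighLevel or IdP vendor code: it validates a discovery document (required endpoints, issuer consistency, HTTPS, advertised scopes and claims) and explains a redirect URI mismatch. The function names, the idp.example.com IdP and the sample document are assumptions constructed for illustration; the redirect URI is the illustrative one from Step 2.

```python
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")
NEEDED = {"scopes_supported": {"openid", "profile", "email"},
          "claims_supported": {"email", "given_name", "family_name"}}

def check_discovery(discovery_url, doc):
    """Return a list of problems in an OIDC discovery document (empty = OK)."""
    problems = [f"missing {k}" for k in REQUIRED if not doc.get(k)]
    issuer = doc.get("issuer", "")
    # OIDC Discovery: issuer + well-known suffix must equal the URL fetched.
    if issuer and issuer.rstrip("/") + WELL_KNOWN != discovery_url:
        problems.append("issuer does not match discovery URL")
    for k in REQUIRED:
        if doc.get(k) and urlsplit(doc[k]).scheme != "https":
            problems.append(f"{k} is not https")
    # These lists are optional in the spec; only flag them when advertised.
    for field, wanted in NEEDED.items():
        missing = wanted - set(doc.get(field, wanted))
        if missing:
            problems.append(f"{field} lacks {sorted(missing)}")
    return problems

def redirect_uri_mismatch(registered, configured):
    """Say why two redirect URIs fail an exact string comparison, or None."""
    if registered == configured:
        return None
    a, b = urlsplit(registered), urlsplit(configured)
    if a.scheme != b.scheme:
        return "scheme differs"
    if a.netloc != b.netloc:
        return "host differs"
    if a.path != b.path and a.path.rstrip("/") == b.path.rstrip("/"):
        return "trailing slash differs"
    return "path, query or fragment differs"

# Constructed sample: a placeholder IdP that does not advertise the email scope.
SAMPLE_URL = "https://idp.example.com" + WELL_KNOWN
SAMPLE_DOC = {
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/authorize",
    "token_endpoint": "https://idp.example.com/token",
    "jwks_uri": "https://idp.example.com/keys",
    "scopes_supported": ["openid", "profile"],
    "claims_supported": ["sub", "email", "given_name", "family_name"],
}

print(check_discovery(SAMPLE_URL, SAMPLE_DOC))
```

To check a live IdP, load the JSON your Discovery URL returns and pass it as doc along with the URL you fetched it from.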
Adding Your SSO Link to GoHighLevel
Once SSO is working, you can add a direct SSO login link to your agent portal or custom menu in GoHighLevel for easy access:
- Go to Settings → Agent Portal Settings (or relevant portal you're configuring)
- Look for "SSO Login Link" or "Authentication Settings"
- Copy the SSO URL provided by GoHighLevel
- Navigate to Settings → Agency Settings → Custom Menu Links
- Add a new link with the label "Secure Login" or "SSO Login" and paste the URL
- Save and test the link—clicking it should initiate the SSO flow
This gives your team a branded, one-click login experience.