Verify your domain for SSO

Last updated: April 29, 2026

Available on: Mac, Windows, iOS, Android. Domain registration and SSO configuration are handled in a web browser.

If you're trying to set up SSO and your organization uses a restricted email domain (.edu, .gov, or similar), registration may be blocked until your domain is added to your enterprise account. This guide explains how domain registration works and how to get your domain registered so you can finish SSO setup.

Important: SSO requires an enterprise account. SSO enforcement (requiring all users to sign in via SSO) requires an active enterprise subscription.

How domain registration works

Your organization's email domain must be registered to your enterprise account before SSO can be configured. When you create an enterprise account, the email domain of the account creator is automatically registered if it passes availability checks.

Most standard commercial domains (e.g., yourcompany.com) pass automatically. Domains that are sales-blocked, fail validation, or belong to restricted categories require manual registration by Wispr Flow support.

Once a domain is registered, it is automatically verified for SSO. There is no customer-facing DNS verification step — Wispr Flow support handles registration on our side.

After you configure your identity provider (IdP) in the admin portal, you'll complete a connection step to activate SSO. If the IdP configuration is incomplete, you'll see an error indicating the SSO connection is not active.

SSO works whether you start from the Wispr Flow sign-in screen (SP-initiated) or from your identity provider's dashboard, such as clicking the Wispr Flow tile in Okta (IdP-initiated).

Important: If your domain has SSO enforcement enabled, users who try to sign in with Google, Apple, Microsoft OAuth, or email/password will be blocked with an sso_required error. They must use the "Continue with SSO" option instead.

Sign-in options by platform

  • iOS: The SSO sign-in option is hidden by default. Tap "More options" on the sign-in screen to reveal three additional methods: Continue with Microsoft, Continue with SSO, and Continue with Email. You'll be asked to enter your email address before being redirected to your identity provider.

  • Android: All five sign-in options (including SSO) are visible by default. There is no "More options" toggle.

  • Mac and Windows: Sign-in is performed via a single "Sign in via browser" button. There is no in-app SSO selector.

Domains that require manual registration

The following domain types are restricted from self-service registration:

  • .edu: educational institutions

  • .gov: government agencies

  • .mil: military organizations

  • .int: international treaty organizations

  • Country-variant public TLD subdomains: e.g., .gov.uk, .edu.au

  • University and academic institution domains: specific university domains beyond the .edu TLD

  • Consumer and webmail domains: e.g., Gmail, Yahoo, Outlook

  • Sales-blocked domains: domains flagged for sales assistance

Note: Some domains within these restricted categories are pre-approved on an explicit allow-list and can self-register. If you believe your domain should be allowed, contact Wispr Flow support.

Note: Separately from domain restrictions, emails with all-numeric local parts (e.g., 12345@domain.com) are rejected at signup as a spam-prevention measure.

Important: After initial enterprise setup, adding or changing registered domains requires contacting Wispr Flow support. There is no self-serve domain management interface.

How to get your domain registered

If your domain is restricted and needs manual registration, follow these steps:

  1. Contact Wispr Flow support with your organization name and email domain (e.g., yourschool.edu).

  2. Wait for confirmation that your domain has been registered. Registration is typically completed within one business day.

  3. Configure your identity provider in the admin portal once registration is confirmed.

  4. Activate SSO by completing the connection step in the admin portal. If the connection is not active, verify your IdP settings and retry.

Tip: SSO has a self-healing behavior. If a user attempts to sign in and the connection fields are missing, the system automatically attempts to connect SSO before failing — so SSO often works on the first sign-in attempt without manually running connect.

Tip: Your SSO configuration is saved automatically. You don't need to reconfigure your identity provider after domain registration — just pick up where you left off.

FAQs

My domain isn't .gov, .edu, or .mil, but I still can't register it. What should I do?

University domains, webmail providers (e.g., Gmail, Yahoo), and domains flagged for sales assistance are also restricted. Contact Wispr Flow support with your organization name and email domain.

Can I register multiple domains for my organization?

Yes. Contact Wispr Flow support with the full list of domains to register them all for your enterprise.

Does domain registration support subdomains?

Yes. If yourcompany.com is registered, users with email addresses at subdomains (e.g., mail.yourcompany.com) are also matched.

Is domain matching case-sensitive?

No. Email domains are normalized to lowercase when extracted from a user's email address during signup and SSO sign-in.

What happens to SSO enforcement if our subscription lapses?

SSO enforcement is automatically deactivated when your enterprise subscription is not active, allowing users to sign in via other methods.

What if our organization uses SCIM directory sync?

When SCIM is active, self-service sign-up for users on your domain is blocked. New accounts are created primarily via your identity provider's directory sync. If provisioning fails, affected users may receive an email invitation as a fallback. Successfully provisioned users also receive a welcome notification email.

A few additional notes on SCIM:

  • SCIM enforces a seat cap. If the enterprise is at its seat limit, neither provisioning nor the invite fallback will occur.

  • SCIM silently skips users whose email domain is not registered for the enterprise — no provisioning happens and no invite is sent.

Still need help?

Reach out to our support team if:

  • You're unsure whether your domain requires manual registration.

  • You've been waiting more than one business day for registration confirmation.

  • You need to change or add domains to an existing SSO configuration.

  • You see an error indicating your SSO connection is not active after configuring your IdP settings.

When you reach out, include your organization name, email domain, identity provider, and any error messages you've seen. Most SSO setup issues are resolved in one reply.