Configure SSO
Last updated: April 30, 2026
Available on: The admin portal at admin.wisprflow.ai, in any web browser. Once SSO is set up, members can sign in on Mac, Windows, iOS, and Android.
Let your team sign in to Wispr Flow using your company's identity provider. This guide walks you through configuring SAML-based single sign-on (SSO) in the admin portal — most setups take under 10 minutes.
Before you start
SSO is configured in the Wispr Flow admin portal in any web browser, so the steps are the same regardless of which device you use.
You will need:
Access to your organization's identity provider (for example, Okta, Azure AD, or Google Workspace).
An Admin, IT Admin, or Superadmin role in your Wispr Flow enterprise. Non-admin members cannot configure SSO.
The ability to create a new SAML application in your identity provider.
Note: The IT Admin role is designed for staff who manage team settings, billing, and SSO but don't need to dictate with Wispr Flow. IT Admins do not use a dictation seat. Assign this role from the member table in the admin portal.
How to configure SSO
Open admin.wisprflow.ai in your browser and sign in with a Wispr Flow admin account.
Navigate to Settings → Organization → Authentication.
Check your current SSO status. If you see a Configure SSO button, SSO is not yet set up. If SSO is already configured, you'll see your identity provider name and a connected status.
Click Configure SSO. The WorkOS Admin Portal opens in a new browser tab.
Follow the prompts in the WorkOS portal to:
Select your identity provider.
Set up the SAML app in your identity provider.
Complete the connection.
Open your identity provider's admin console in a new browser tab.
Create a new SAML application for Wispr Flow using the ACS URL, entity ID, and other values provided by the WorkOS Admin Portal.
Assign the users or groups that should have access to Wispr Flow.
Complete the test authentication step (if prompted) by signing in with an account that exists in your identity provider and has been granted access to the Wispr Flow SAML app.
Return to the Wispr Flow admin portal at Settings → Organization → Authentication.
Click Refresh to link the SSO connection. You should see your identity provider name and a connected status — that confirms SSO is live.
Tip: You don't need to manually paste XML metadata or certificates. Follow the prompts in the WorkOS portal and use the links it provides. If test authentication doesn't succeed right away, wait a few minutes for the configuration to propagate, then try again.
Warning: If Refresh returns an error that the SSO connection is not active, the connection in WorkOS is still pending. Return to the WorkOS Admin Portal to complete the remaining configuration steps, then try Refresh again. If Refresh returns "SSO not connected," no WorkOS connection was found for your organization — verify that the connection is associated with your organization in WorkOS.
Optional: Enforce SSO (Flow Enterprise only)
If your organization is on Flow Enterprise, you can require all members to sign in with SSO:
Navigate to Settings → Organization → Authentication.
Enable the Enforce SSO for all members toggle. This toggle only appears after SSO is successfully connected and requires an active Flow Enterprise subscription.
Confirm that members understand they will sign in through your identity provider instead of email and password.
Note: When Enforce SSO is enabled, users with your domain email cannot create new accounts via email sign-up — they must be provisioned through SCIM or SSO. Enterprise subscriptions in active, trialing, or past-due status support SSO enforcement. If your subscription lapses or moves to another status, enforcement is automatically suspended; when the subscription is restored, enforcement resumes automatically without re-enabling the toggle.
Tip: Flow Enterprise organizations also see a Configure SCIM button on this page, which lets admins set up SCIM user provisioning.
FAQs
What if test authentication fails during setup?
If you just created or updated the SAML app, wait a few minutes for the configuration to propagate in your identity provider, then run the test again. Confirm that the user you're testing with is assigned to the Wispr Flow SAML app.
If clicking Refresh shows an error that the SSO connection is not active, WorkOS found your connection but it's still pending. Return to the WorkOS Admin Portal to complete the remaining steps, then try Refresh again. If your SSO configuration appears partially connected, sign in again — the system automatically attempts to re-link your SSO connection from WorkOS before showing an error.
Can users sign in from their identity provider dashboard?
Yes. Wispr Flow supports both SP-initiated login (starting from the Wispr Flow login screen) and IdP-initiated login (clicking the Wispr Flow tile in your identity provider dashboard, such as Okta or Azure AD).
Where do users find the SSO sign-in option on each platform?
First, confirm that SSO appears as connected in Settings → Organization → Authentication. If you've enforced SSO, users must sign in with the work email that matches your identity provider. The button to start SSO sign-in is in a different place on each platform:
Mac and Windows: Click Sign in via browser on the login screen, then enter your work email address.
Android: Tap Continue with SSO on the login screen, then enter your work email address.
iOS: Tap More Options to reveal Continue with SSO, then enter your work email address.
What if users complete IdP login but don't return to Wispr Flow?
Check firewall settings to ensure redirects from your identity provider back to Wispr Flow are allowed. Ask affected users to try again with VPN disabled or on a different network. Ensure the wispr-flow:// URL scheme isn't blocked by your security policies, since SSO relies on deep links to return users to the app.
Android: After completing sign-in in the browser, a loading screen stays visible for up to 5 seconds while the app reconnects. If you navigated away from the browser during this time, switch back to Wispr Flow — the sign-in should complete automatically.
Windows: If Wispr Flow is already running, the deep link from the browser is forwarded to the existing instance — make sure only one instance is running.
Mac and Windows: The browser login session has a 5-minute timeout. If login isn't completed in time, click Sign in via browser again to restart.
Why can't users sign in with email/password or Google/Apple/Microsoft after SCIM is enabled?
Once SCIM provisioning is active for your domain, new users on that domain cannot create accounts using non-SSO methods — they must be provisioned through SCIM and sign in via SSO. For existing users, non-SSO login methods (email/password, Google, Apple, Microsoft) are only blocked when Enforce SSO is also enabled. To fully require SSO for all users — new and existing — enable both SCIM and Enforce SSO.
If SCIM provisioning fails for a user (for example, due to a temporary system error), the system automatically sends an email invitation as a fallback. When SCIM is enabled, member management actions (adding, removing, and inviting members) are locked in the Wispr Flow admin portal — make those changes in your identity provider instead. SCIM provisioning is also limited by your enterprise seat cap; if all seats are filled, new users aren't provisioned until seats are freed.
What is the difference between Enforce SSO and Restrict Domain Access?
Enforce SSO requires all users with your domain to sign in via SSO instead of email/password or social login. Restrict Domain Access is an additional security setting (enabled by contacting Wispr support) that blocks anyone outside your enterprise from signing in with your domain email, even if they already have an account. Both settings require an active Enterprise subscription.
Who should be assigned the IT Admin role?
The IT Admin role is a good fit for IT staff who manage SSO, billing, or team settings but don't need to dictate with Wispr Flow themselves. IT Admins don't use a dictation seat. Assign the role from the role dropdown in the member table, or select it when inviting a new member.
Limitations and notes
SSO configuration is available to Admin, IT Admin, and Superadmin roles only.
Enforce SSO and Restrict Domain Access require an active Flow Enterprise subscription.
SSO uses SAML via WorkOS. Identity providers covered by the setup wizard include Okta, Azure AD, and Google Workspace.
On desktop, the browser login session times out after 5 minutes.
On Android, a loading screen is shown for up to 5 seconds after the browser redirects back to the app. This is expected — the sign-in completes automatically during this time.
Still need help?
Reach out to our support team if:
You can't complete test authentication after waiting and verifying the SAML app configuration.
You're using an identity provider that isn't covered by the setup wizard.
You need to migrate between identity providers or support multiple SSO connections.
Users are consistently redirected to an unexpected page or see repeated SSO errors.
Include your platform, identity provider name, and the steps you've already tried so we can help quickly.