Single sign-on and security

Single sign-on (SSO)

SSO lets your team sign in using their existing Google or Microsoft accounts instead of managing a separate Campfront password. This simplifies access for your team and gives you more control over who can log in.

Supported providers

• Google - sign in with Google Workspace accounts.

• Microsoft - sign in with Microsoft 365 or Azure AD accounts.

Enabling SSO

Head to Camp settings > Security to manage your SSO providers. You can enable or disable each provider independently. Once enabled, your team will see the corresponding sign-in button on the login page.

Domain restrictions

For each SSO provider, you can configure an allowed domains list. When set, only users with email addresses matching those domains will be able to sign in via that provider. For example, if you restrict Google SSO to yourcamp.com, only team members with a @yourcamp.com Google account can use it.

You can also set a camp-level domain whitelist that applies to all admin sign-ins regardless of method. This is configured under Camp settings > Security and accepts one or more domains. If left blank, any domain is allowed.

Default role for SSO users

Each SSO provider can be configured with a default permission role. When a new team member signs in via SSO for the first time, they'll automatically be assigned this role - saving you from having to set up permissions manually for every new user.

Two-factor authentication (2FA)

Two-factor authentication adds an extra layer of security by requiring a verification code in addition to the password when signing in.

Campfront uses SMS-based verification codes. When 2FA is triggered, a 6-digit code is sent to the user's phone number on file. The code must be entered to complete the sign-in process.

To prevent brute-force attacks, accounts are temporarily locked after multiple failed verification attempts.