
Overview

Spur uses Supabase Auth as its authentication provider, which enables secure OAuth 2.0-based SSO. Users can sign in to Spur using their existing identity provider credentials — no separate Spur password required.

How SSO Works in Spur

Spur’s SSO uses the OAuth 2.0 / OpenID Connect (OIDC) protocol — the modern industry standard for federated authentication. Here’s the flow when a user signs in:
  1. Initiate sign-in. The user clicks Sign in with Microsoft on the Spur login page.
  2. Redirect to Microsoft. Spur redirects to Microsoft’s authentication endpoint.
  3. Authenticate. The user authenticates with their Microsoft credentials (and MFA, if configured by your organization).
  4. Token exchange. Microsoft returns a secure token to Spur confirming the user’s identity.
  5. Session created. Spur creates or resumes the user’s session. No Spur-specific password is ever set or stored.

What Spur Supports

| Item | Details |
| --- | --- |
| Protocol | OAuth 2.0 / OpenID Connect (OIDC) |
| Identity Provider | Microsoft Azure Entra ID (and Google) |
| Tenant type | Multi-tenant — any Azure Entra organization can connect without per-tenant configuration on Spur’s side |
| Account types | Organizational accounts (work/school). Personal Microsoft accounts are not in scope. |
| User provisioning | Just-in-time — a Spur account is automatically created on first successful SSO login |
| MFA enforcement | Honored — if your Azure tenant requires MFA, it will be enforced before Spur grants access |
| Scopes requested | openid, email, profile (read-only identity data only) |

Current Limitations

The following are not supported at this time. If any of these are requirements for your organization, please reach out to discuss your use case.
  • SAML 2.0 — Spur uses OAuth 2.0/OIDC only, not SAML.
  • Per-tenant app registration — Spur uses a single multi-tenant Azure app registration rather than a dedicated registration per customer.

What Your Organization Needs to Do

For most organizations, no setup is required. Users can sign in with their Microsoft account immediately once Spur enables the provider.

If Your Tenant Restricts Third-Party App Access

Some organizations configure Azure Entra to require admin approval before users can sign into third-party applications. If this applies to your tenant, an Azure admin will need to:
  1. Open Enterprise Applications. Navigate to Azure Portal > Microsoft Entra ID > Enterprise Applications.
  2. Find Spur. Locate the Spur application. It will appear after the first sign-in attempt, or can be added proactively.
  3. Grant admin consent. Grant admin consent for the scopes Spur requests: openid, email, and profile.
This is a one-time action that unblocks all users in your organization without each person needing to consent individually.

Restricting Access to Specific Users or Groups

If you want to limit which employees in your organization can access Spur via SSO, an Azure admin can:
  1. In the Spur enterprise application in Entra, enable User assignment required.
  2. Assign specific users or Azure groups who are permitted to sign in.
Without this configuration, any user in your organization’s Azure tenant can sign into Spur.
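
One way to script the two steps above with the Microsoft Graph PowerShell SDK, as an added example rather than Spur's own tooling. The display name 'Spur' and the group name 'Spur-Users' are assumptions; confirm the application's actual name under Enterprise Applications in your tenant before running it.

```powershell
# Added example (not from Spur): require assignment for the Spur enterprise
# application and permit a single group to sign in.
$AppDisplayName = 'Spur'        # assumption: check the name shown in your tenant
$GroupName      = 'Spur-Users'  # hypothetical group of permitted users

Connect-MgGraph -Scopes 'Application.ReadWrite.All',
                        'AppRoleAssignment.ReadWrite.All',
                        'Group.Read.All'

# Resolve exactly one service principal and one group; stop on ambiguity.
$sp = @(Get-MgServicePrincipal -Filter "displayName eq '$AppDisplayName'")
if ($sp.Count -ne 1) { throw "Expected 1 app named '$AppDisplayName', found $($sp.Count)." }
$sp = $sp[0]

$group = @(Get-MgGroup -Filter "displayName eq '$GroupName'")
if ($group.Count -ne 1) { throw "Expected 1 group named '$GroupName', found $($group.Count)." }
$group = $group[0]

# Use an enabled user-assignable app role if the app declares one; otherwise
# the all-zero GUID, which is Entra's built-in "default access" role.
$roleId = ($sp.AppRoles |
    Where-Object { $_.IsEnabled -and $_.AllowedMemberTypes -contains 'User' } |
    Select-Object -First 1).Id
if (-not $roleId) { $roleId = '00000000-0000-0000-0000-000000000000' }

# Assign the group BEFORE enforcing assignment so permitted users are not
# locked out in between. Skip if the group is already assigned.
$assigned = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -All |
    Where-Object { $_.PrincipalId -eq $group.Id }
if (-not $assigned) {
    $body = @{ principalId = $group.Id; resourceId = $sp.Id; appRoleId = $roleId }
    New-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -BodyParameter $body | Out-Null
}

# Equivalent to enabling "User assignment required" in the portal.
Update-MgServicePrincipal -ServicePrincipalId $sp.Id -AppRoleAssignmentRequired:$true

# Verify: the flag should be True and only the intended principals listed.
(Get-MgServicePrincipal -ServicePrincipalId $sp.Id).AppRoleAssignmentRequired
Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -All |
    Select-Object PrincipalDisplayName, PrincipalType
```

Review the final listing for principals you did not expect, since any existing assignment continues to grant sign-in once enforcement is on.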

Data & Security

Spur requests the minimum necessary permissions to authenticate your users. Spur does not request access to email content, calendar, files, or any other Microsoft 365 data.

Scopes Spur Requests from Microsoft

  • openid — Required to use OpenID Connect for authentication
  • email — The user’s email address, used as their Spur account identifier
  • profile — Basic profile info (name), used to populate the user’s Spur profile

Questions?

If you have questions about SSO configuration, compliance requirements, or want to discuss your organization’s specific setup, please contact your Spur account representative.

Contact Us

Reach out to the Spur team for SSO support.