Squarespace Enterprise SSO — Aaron Taylor

OIDC-based single sign-on between Squarespace Enterprise and Azure AD — giving a multi-entity organization seamless, secure, centrally-managed login across all Squarespace properties without separate credentials.

Protocol: OpenID Connect (OIDC)
Identity provider: Azure Active Directory
Service provider: Squarespace Enterprise
Role: IT Security Administrator
Entities on one IdP: 2
Separate credentials: zero
What this integration does

Squarespace Enterprise SSO allows users to authenticate to a Squarespace-hosted site using their existing organizational identity — in this case, Azure Active Directory — rather than managing a separate Squarespace login. When a user visits the Squarespace login page, they are redirected to Microsoft's identity platform, authenticate with their Azure AD credentials, and are returned to Squarespace with an active session.

For a multi-entity organization managing multiple Squarespace properties under a single Azure AD tenant, this means one set of credentials, centralized access control, conditional access policy enforcement, and full audit logging — all managed from the same place as every other identity in the environment.

Authentication flow
OIDC Authorization Code Flow (diagram): the user's browser or device sends a login request to Squarespace (service provider); Squarespace issues an OIDC redirect to Azure AD (identity provider); Azure AD authenticates the user and returns a token to Squarespace; Squarespace creates a session and grants access; the user is logged in.
How the token exchange works
OIDC Authorization Code Flow — step by step
1. User initiates login
User navigates to the Squarespace login page. Squarespace detects SSO is configured and generates an authorization request.
GET /authorize?response_type=code&client_id=...&redirect_uri=...&scope=openid+profile+email
2. Redirect to Azure AD
The user is redirected to Microsoft's identity platform login endpoint. Azure AD presents the org's login experience — including MFA if required by conditional access policy.
login.microsoftonline.com/{tenant-id}/oauth2/v2.0/authorize
3. Authorization code issued
On successful authentication, Azure AD returns an authorization code to the registered redirect URI on Squarespace's end.
redirect_uri?code=eyJ0...&state=...
4. Token exchange
Squarespace exchanges the authorization code for an ID token and access token using the client ID and client secret registered in the Azure AD app registration.
POST /token — client_id + client_secret + code → id_token + access_token
5. Identity validated, session created
Squarespace validates the ID token against Azure AD's public keys, extracts the user's identity claims (email, name, groups), and creates an authenticated session.
sub · email · name · groups → Squarespace user session
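As an added example (not Squarespace's or Microsoft's code), the service-provider side of steps 1 to 5 in Python: building the authorization request with state and nonce, checking state on the callback, forming the client_secret_post token request, and the claim checks that make the Tenant ID setting reject tokens from other tenants. The tenant ID, client ID and redirect URI are placeholders, and signature verification of the ID token against Azure AD's published keys is assumed to have happened before the claim checks.

```python
import time
from urllib.parse import urlencode, urlparse, parse_qs

# Placeholder identifiers, constructed for this example (not real tenant or app values).
TENANT_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"
REDIRECT_URI = "https://sso.example.invalid/auth/callback"
AUTHORITY = f"https://login.microsoftonline.com/{TENANT_ID}"
ISSUER = f"{AUTHORITY}/v2.0"  # 'iss' value Azure AD places in v2.0 ID tokens
SCOPES = "openid profile email"


def build_authorize_url(state, nonce):
    """Step 1: the authorization request. 'state' binds the callback to this browser
    session; 'nonce' binds the ID token to this particular request."""
    params = {"client_id": CLIENT_ID, "response_type": "code", "redirect_uri": REDIRECT_URI,
              "scope": SCOPES, "response_mode": "query", "state": state, "nonce": nonce}
    return f"{AUTHORITY}/oauth2/v2.0/authorize?{urlencode(params)}"


def extract_code(callback_url, expected_state):
    """Step 3: accept the authorization code only if 'state' matches what we issued."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback is not bound to this login")
    return query["code"][0]


def token_request_body(code, client_secret):
    """Step 4: client_secret_post sends the credential in the form body of the
    POST to {AUTHORITY}/oauth2/v2.0/token, not in an Authorization header."""
    return {"grant_type": "authorization_code", "code": code, "redirect_uri": REDIRECT_URI,
            "client_id": CLIENT_ID, "client_secret": client_secret, "scope": SCOPES}


def validate_id_token_claims(claims, expected_nonce, now=None):
    """Step 5 claim checks. 'claims' is the ID token payload AFTER its signature has been
    verified against the tenant's published keys (that step needs a JOSE library and is
    assumed done here). iss/tid are what make the Tenant ID setting reject other tenants."""
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER or claims.get("tid") != TENANT_ID:
        raise ValueError("issuer/tenant mismatch: token is not from our Azure AD tenant")
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("audience mismatch: token was issued to a different app")
    if not claims.get("nbf", 0) <= now < claims.get("exp", 0):
        raise ValueError("token not yet valid or already expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch: token does not belong to this login")
    # Only these claims feed the Squarespace session (sub · email · name · groups).
    return {k: claims.get(k) for k in ("sub", "email", "name", "groups")}
```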
Key settings configured
  • Client ID (Azure AD App Registration GUID): Unique identifier for the Squarespace OIDC app registered in Azure AD. Provided to Squarespace during setup.
  • Client Secret (Azure AD generated secret value): Time-limited credential used during token exchange. Must be rotated before expiry to avoid authentication outages.
  • Tenant ID (Azure AD Directory / tenant ID): Scopes authentication to the specific Azure AD tenant, preventing cross-tenant login attempts.
  • Redirect URI (https://[domain]/auth/callback): Registered in the Azure AD app. Azure AD will only return authorization codes to this exact URI.
  • Scopes (openid profile email): Minimum claims needed for Squarespace to identify the user and create a session.
  • Token endpoint auth (client_secret_post): Client credentials sent in the POST body during token exchange, not as a header.
What's involved
  • Azure AD App Registration (identity provider side): OIDC application registered in Azure AD representing Squarespace as a trusted service provider. Holds the client ID, secret, and redirect URIs.
  • Squarespace Enterprise SSO (service provider side): Enterprise-tier Squarespace feature that accepts OIDC configuration and delegates authentication to the configured identity provider.
  • Microsoft 365 Tenant (underlying platform): The underlying M365 environment that backs Azure AD — providing user accounts, group memberships, MFA enforcement, and conditional access policies.
  • OIDC / OAuth 2.0 (protocol layer): The open standard protocol stack that makes this possible — OpenID Connect layered on OAuth 2.0, providing both authentication and authorized identity claims.
  • Conditional Access (policy enforcement): Azure AD conditional access policies applied at authentication time — enforcing MFA, device compliance, and location-based access rules on every Squarespace login.
  • Audit Logs (visibility & compliance): Every SSO login attempt — successful or failed — is recorded in Azure AD's sign-in logs with timestamp, user, device, IP, and outcome.
What was configured and managed
Azure AD configuration
  • Registered Squarespace as an OIDC app in Azure AD app registrations
  • Configured redirect URIs and token endpoint settings
  • Generated and managed client secret with documented expiry
  • Assigned user and group access scopes to the app registration
  • Configured token claims to surface required user attributes
Squarespace configuration
  • Enabled SSO on the Squarespace Enterprise account
  • Entered OIDC provider metadata — tenant ID, client ID, and secret
  • Configured user provisioning mode and fallback login behavior
  • Tested login flow end-to-end across both entity domains
  • Coordinated with Squarespace support for enterprise-side setup steps
Identity & access management
  • Scoped access to specific Azure AD security groups per entity
  • Applied conditional access policies to SSO login path
  • Configured MFA requirement for all Squarespace SSO authentications
  • Set up sign-in log monitoring for failed authentication alerts
Ongoing maintenance
  • Documented full configuration for internal knowledge base
  • Established client secret rotation schedule before expiry
  • Monitored Azure AD sign-in logs for anomalous login patterns
  • Managed user provisioning and de-provisioning through Azure AD
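An added example (not from the page's author) of the failed-authentication alerting listed above, run over constructed sign-in records that carry the fields the page names for Azure AD sign-in logs (time, user, device, IP, outcome) plus an app name: it flags a user with five or more failed Squarespace SSO sign-ins inside ten minutes and records whether a success followed the burst. The record field names and the "Squarespace SSO" app display name are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not a real export). Field names are assumptions modelled on the
# sign-in log fields the page lists; 'app' is the display name assumed for the SSO app registration.
SAMPLE_SIGNINS = [
    {"time": "2024-03-04T08:00:10", "user": "j.doe@entity-a.example", "app": "Squarespace SSO", "device": "unregistered", "ip": "198.51.100.7", "outcome": "failure"},
    {"time": "2024-03-04T08:00:41", "user": "j.doe@entity-a.example", "app": "Squarespace SSO", "device": "unregistered", "ip": "198.51.100.7", "outcome": "failure"},
    {"time": "2024-03-04T08:01:15", "user": "j.doe@entity-a.example", "app": "Squarespace SSO", "device": "unregistered", "ip": "198.51.100.7", "outcome": "failure"},
    {"time": "2024-03-04T08:01:52", "user": "j.doe@entity-a.example", "app": "Squarespace SSO", "device": "unregistered", "ip": "198.51.100.7", "outcome": "failure"},
    {"time": "2024-03-04T08:02:30", "user": "j.doe@entity-a.example", "app": "Squarespace SSO", "device": "unregistered", "ip": "198.51.100.7", "outcome": "failure"},
    {"time": "2024-03-04T08:05:03", "user": "j.doe@entity-a.example", "app": "Squarespace SSO", "device": "unregistered", "ip": "198.51.100.7", "outcome": "success"},
    {"time": "2024-03-04T09:12:00", "user": "m.lee@entity-b.example", "app": "Squarespace SSO", "device": "LT-0042", "ip": "203.0.113.25", "outcome": "success"},
    {"time": "2024-03-04T09:13:40", "user": "m.lee@entity-b.example", "app": "Office 365", "device": "LT-0042", "ip": "203.0.113.25", "outcome": "failure"},
]


def detect_failed_login_bursts(records, app="Squarespace SSO", threshold=5, window=timedelta(minutes=10)):
    """Per user, flag `threshold` or more failed sign-ins to `app` within `window`, and record
    whether a successful sign-in followed the burst (a burst that ends in success is the case
    that most needs a human look, even with MFA enforced on this path)."""
    by_user = defaultdict(list)
    for rec in records:
        if rec["app"] == app:  # other apps' sign-ins are out of scope for this alert
            by_user[rec["user"]].append((datetime.fromisoformat(rec["time"]), rec))
    alerts = []
    for user, events in by_user.items():
        events.sort(key=lambda ev: ev[0])
        failures = [ts for ts, rec in events if rec["outcome"] == "failure"]
        for i in range(len(failures) - threshold + 1):
            burst_end = failures[i + threshold - 1]
            if burst_end - failures[i] > window:
                continue  # these `threshold` failures are spread over more than the window
            in_window = sum(1 for ts in failures if failures[i] <= ts <= failures[i] + window)
            later_success = [rec for ts, rec in events if rec["outcome"] == "success" and ts > burst_end]
            alerts.append({"user": user, "window_start": failures[i].isoformat(),
                           "failures_in_window": in_window, "success_after_burst": bool(later_success),
                           "success_ips": sorted({rec["ip"] for rec in later_success})})
            break  # one alert per user per run
    return alerts
```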
Built with
  • Azure Active Directory: identity provider
  • Squarespace Enterprise: service provider
  • OpenID Connect: auth protocol
  • Microsoft 365: underlying platform
  • Conditional Access: policy enforcement
  • Azure Sign-in Logs: audit & monitoring
Results
Single sign-on live
Users across the organization authenticate to Squarespace properties with their existing Azure AD credentials — no separate passwords to manage.
Centralized access control
Adding or revoking Squarespace access is handled entirely through Azure AD group membership — no Squarespace admin action required.
MFA enforced on all logins
Azure AD conditional access applies MFA requirements at the SSO layer — every Squarespace login is covered by the org's authentication policy.
Full audit trail
Every login attempt is recorded in Azure AD sign-in logs with user, device, IP, location, and outcome — searchable and exportable for compliance.
Multi-entity coverage
Both organizational entities operate under the same SSO configuration — one Azure AD tenant, one app registration, unified identity management.
Documented & maintainable
Full configuration documented internally including secret rotation schedule, ensuring the integration remains stable and maintainable long-term.
Need SSO or identity integration work?
OIDC, SAML, Azure AD, or M365 — if you need identity infrastructure built or maintained properly, let's talk.