Verify your domain for SSO
Last updated: June 5, 2026
Available on: Mac, Windows, iOS, Android. Domain registration and SSO configuration happen in a web browser.
If you're setting up SSO and your organization uses a .edu, .gov, .mil, or university domain, self-service registration is blocked until support adds your domain to your enterprise account. This guide walks you through getting your domain registered so you can finish SSO setup.
Important: SSO requires an enterprise account. SSO enforcement (requiring all users to sign in via SSO) requires an active enterprise subscription.
How to get your domain registered
Most standard commercial domains (e.g., yourcompany.com) are registered automatically when an enterprise account is created. If your domain is restricted, follow these steps to register it manually.
Contact Wispr Flow support with your organization name, email domain (e.g., yourschool.edu), and identity provider if known.
Wait for confirmation that your domain has been registered. This is typically completed within one business day.
Configure your identity provider in the admin portal under Settings → Authentication once registration is confirmed.
Activate SSO by completing the connection step in the admin portal. If you see "Failed to connect to SSO provider," verify your IdP settings and click Refresh your SSO connection.
Enable the Enforce SSO toggle (optional) once the status reads "Connected to [provider] for single sign-on."
Tip: SSO usually connects automatically on the first sign-in attempt, so the explicit connection step often succeeds on its own. Your SSO configuration is saved as you go — if support registers your domain after you've configured your IdP, you can pick up where you left off.
Warning: Once SSO enforcement is on, users who try Google, Apple, Microsoft OAuth, or email/password sign-in will be blocked and must use "Continue with SSO" instead.
Limitations and notes
Domains that require manual registration:
.edu, .gov, .mil, .int: educational, government, military, and international treaty organizations. Country variants (e.g., .gov.uk, .edu.au) are also matched.
University and academic institution domains outside the .edu TLD.
Sales-blocked domains flagged for sales assistance.
Some domains within these categories are pre-approved and can self-register. If you think yours should be allowed, contact support.
Sign-in differences by platform:
iOS: SSO is hidden by default. Tap "More options" on the sign-in screen, then choose "Continue with SSO" and enter your email.
Android: All sign-in options, including SSO, are visible by default.
Mac and Windows: Sign-in goes through your browser via a single "Sign in via browser" button — there's no in-app SSO selector.
Email format restrictions at signup and sign-in:
Emails with all-numeric local parts (e.g., 12345@domain.com) are rejected. The user sees "Invalid email address."
Email addresses with "+" aliases (e.g., name+tag@domain.com) are rejected with "Email aliases with + are not supported. Use your original email address."
Warning: Enterprise organizations may enforce an IP allowlist separately from SSO. Users outside the approved network see a "Your network isn't allowed" lockout screen instead of the sign-in flow, on both desktop and the enterprise web portal.
Note: Adding or changing registered domains after initial setup requires contacting support — there is no self-serve domain management interface.
FAQs
My domain isn't .gov, .edu, or .mil, but I still can't register it. Why?
University domains and domains flagged for sales assistance are also restricted. Contact support and they'll register it for you.
Can I register multiple domains for my organization?
Yes. Send support the full list of domains and they'll register them all for your enterprise.
Does domain registration cover subdomains?
Yes. If yourcompany.com is registered, users at subdomains like mail.yourcompany.com are matched too.
Is domain matching case-sensitive?
No. Email domains are normalized to lowercase during signup and SSO sign-in.
What happens to SSO enforcement if our subscription lapses?
SSO enforcement is automatically turned off when your enterprise subscription is no longer active, so users can sign in via other methods.
What if our organization uses SCIM directory sync?
When SCIM is active, self-service sign-up for users on your domain is blocked. New accounts are created through your identity provider's directory sync, and provisioned users receive a welcome email. If provisioning fails, affected users may get an email invitation as a fallback.
SCIM enforces a seat cap. At the seat limit, neither provisioning nor the invite fallback will run.
SCIM silently skips users whose email domain isn't registered for the enterprise — no provisioning, no invite.
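Added example (not Wispr Flow's own code): a Python roster check to run before enabling SCIM or SSO enforcement. It applies the rules described on this page: lowercase domain matching that includes subdomains, the two rejected email formats, and users on unregistered domains being skipped. The function names, outcome labels, sample addresses and the country-variant heuristic are assumptions made for illustration.

```python
# Labels the page lists as requiring manual registration by support.
RESTRICTED = {"edu", "gov", "mil", "int"}

def needs_manual_registration(domain):
    """True for .edu/.gov/.mil/.int and country variants such as .gov.uk.
    Assumption: a country variant is a restricted label directly followed by
    a two-letter country code. University domains outside .edu, sales-flagged
    domains and pre-approved exceptions cannot be detected from the name.
    """
    labels = domain.lower().rstrip(".").split(".")
    if labels[-1] in RESTRICTED:
        return True
    return len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in RESTRICTED

def domain_registered(domain, registered):
    """Case-insensitive match on a registered domain or a subdomain of it.
    The leading dot keeps notyourschool.edu from matching yourschool.edu."""
    domain = domain.lower().rstrip(".")
    return any(domain == r or domain.endswith("." + r)
               for r in (x.lower() for x in registered))

def check_email(email, registered):
    """Classify one address against the rules described on this page."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain:
        return "malformed"
    if local.isdigit():
        return "rejected: all-numeric local part"
    if "+" in local:
        return "rejected: + alias"
    if not domain_registered(domain, registered):
        return "skipped: domain not registered"
    return "ok"

def audit_roster(emails, registered):
    """Group a roster by outcome so problem accounts are fixed before rollout."""
    report = {}
    for e in emails:
        report.setdefault(check_email(e, registered), []).append(e)
    return report

# Constructed sample data, not real accounts.
REGISTERED = {"yourschool.edu"}
ROSTER = ["Ana@YourSchool.EDU", "12345@yourschool.edu", "ana+lab@yourschool.edu",
          "bo@mail.yourschool.edu", "cy@notyourschool.edu", "di@partner.example"]

if __name__ == "__main__":
    for outcome, users in audit_roster(ROSTER, REGISTERED).items():
        print(f"{outcome}: {users}")
```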
Does SSO work from my identity provider's dashboard?
Yes. SSO works whether you start from the Wispr Flow sign-in screen (SP-initiated) or from a tile in your IdP dashboard such as Okta (IdP-initiated).
Still need help?
Reach out to our support team if:
You're not sure whether your domain requires manual registration, or it's been more than one business day since you requested it.
You need to change or add domains to an existing SSO configuration.
You see an SSO connection error in the admin portal after configuring your IdP, or your end users see an "SSO not configured" page.
Include your organization name, email domain, identity provider, and any error messages you've seen. Most SSO setup issues are resolved in one reply.