Configure SSO

Last updated: June 5, 2026

Available on: Configured in a web browser at admin.wisprflow.ai. Once SSO is set up, members can sign in on Mac, Windows, iOS, and Android.

Let your team sign in to Wispr Flow with your company's identity provider. This guide walks you through configuring SAML single sign-on (SSO) in the admin portal. Most setups take under 10 minutes.


Before you start

SSO is configured in the Wispr Flow admin portal in any web browser, so the steps are the same regardless of which device you use.

You will need:

  • Access to your organization's identity provider (for example, Okta, Azure AD, or Google Workspace).

  • An Admin, IT Admin, or Superadmin role in your Wispr Flow enterprise. Non-admin members cannot configure SSO.

  • The ability to create a new SAML application in your identity provider.

Note: Only Member, Admin, and IT Admin appear in the role dropdown. Superadmin is an internal role and isn't shown in the dropdown. The IT Admin role is designed for staff who manage SSO, billing, and team settings but don't dictate with Wispr Flow — it doesn't consume a paid seat. See the IT Admin FAQ below for details.


How to configure SSO

  1. Open admin.wisprflow.ai in your browser and sign in with a Wispr Flow admin account.

  2. Navigate to Settings → Organization → Authentication.

  3. Check your current SSO status. If you see a Configure SSO button, SSO is not yet set up. If SSO is already configured, your identity provider name and a connected status appear here.

  4. Click Configure SSO. The SSO setup portal opens in a new browser tab.

  5. Follow the prompts in the setup portal to:

    1. Select your identity provider.

    2. Set up the SAML app in your identity provider.

    3. Complete the connection.

  6. Open your identity provider's admin console in a new browser tab.

  7. Create a new SAML application for Wispr Flow using the ACS URL, entity ID, and other values provided by the setup portal.

  8. Assign the users or groups that should have access to Wispr Flow.

  9. Complete the test authentication step (if prompted) by signing in with an account that exists in your identity provider and has been granted access to the Wispr Flow SAML app.

  10. Return to the Wispr Flow admin portal at Settings → Organization → Authentication.

  11. Click Refresh to link the SSO connection. Your identity provider name and a connected status will appear. This confirms SSO is live.

Tip: You don't need to manually paste XML metadata or certificates. Follow the prompts in the setup portal and use the links it provides. If test authentication doesn't succeed right away, wait a few minutes for the configuration to propagate, then try again.

Warning: If Refresh returns an error that the SSO connection is not active, the connection is still pending. Return to the SSO setup portal to complete the remaining configuration steps, then try Refresh again. If Refresh returns "SSO not connected," verify that the connection is associated with your organization.


Optional: Enforce SSO (Flow Enterprise only)

If your organization is on Flow Enterprise, you can require all members to sign in with SSO:

  1. Navigate to Settings → Organization → Authentication.

  2. Enable the Enforce SSO for all members toggle. This toggle only appears after SSO is successfully connected and requires an active Flow Enterprise subscription.

  3. Confirm that members understand they will sign in through your identity provider instead of email and password.

Warning: When Enforce SSO is enabled, it blocks all non-SSO sign-in methods (email/password, Google, Apple, and Microsoft) for users on the enforced domain. Existing users with prior sign-in methods will be forced to switch to SSO.

How enforcement responds to subscription status:

  • Enforcement stays active while your Enterprise subscription is in good standing, including during a trial or a brief period when payment is past due — so users continue to be required to use SSO even if the enterprise is behind on payment.

  • Enforcement pauses if the subscription is canceled, and resumes automatically when the subscription returns to good standing — you don't need to re-enable the toggle.


IP allowlist and network restrictions

Enterprise admins can restrict Wispr Flow access to specific networks by configuring an IP allowlist at Settings → Organization → Network access in the admin portal. When a user connects from a network that isn't on the approved list, they are automatically signed out and shown a lockout screen.

Note: The Network access section is only visible to Enterprise customers who have had this feature enabled by Wispr — it is not visible to all Enterprise plans by default. IP allowlist enforcement is supported on Mac, Windows, and iOS today. Android does not yet enforce the allowlist: Android users on a non-allowed network will not be signed out or shown the lockout screen.

Configuration limits:

  • Maximum of 64 CIDR entries.

  • Wildcard CIDRs (0.0.0.0/0, ::/0) are rejected.

  • To disable the allowlist, omit the setting entirely — an empty list is not allowed.

  • Allowlist changes take effect quickly across active sessions.

  • A locked-out admin can still read their current IP address from the lockout screen, which helps you add the correct address to the allowlist.
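A pre-flight check for the limits above, as an added example that is not Wispr Flow's own code: it tests a proposed list against the 64-entry cap, the wildcard rejection, and the empty-list rule, then reports expected source IPs that no entry covers. The function names, the sample addresses (documentation ranges), and the lenient handling of host bits are assumptions; the admin portal's own validation may differ.

```python
import ipaddress

MAX_ENTRIES = 64  # limit stated on this page

# Constructed sample data (documentation address ranges, not real networks).
PROPOSED = ["203.0.113.0/24", "198.51.100.17/32", "2001:db8:10::/48", "0.0.0.0/0"]
EXPECTED_IPS = ["203.0.113.40", "198.51.100.18", "2001:db8:10::5"]


def validate_allowlist(entries):
    """Return a list of problems; an empty list means the proposal passes."""
    if not entries:
        # An empty list is not allowed; the setting is omitted to disable it.
        return ["empty list: omit the setting entirely to disable the allowlist"]
    problems = []
    if len(entries) > MAX_ENTRIES:
        problems.append(f"{len(entries)} entries exceeds the maximum of {MAX_ENTRIES}")
    for raw in entries:
        try:
            # Assumption: host bits are tolerated (203.0.113.5/24 is accepted).
            net = ipaddress.ip_network(raw.strip(), strict=False)
        except ValueError:
            problems.append(f"{raw!r}: not a valid CIDR")
            continue
        if net.prefixlen == 0:  # matches both 0.0.0.0/0 and ::/0
            problems.append(f"{raw!r}: wildcard CIDR is rejected")
    return problems


def uncovered(entries, expected_ips):
    """Return the expected source IPs (office, VPN exit) that no entry covers."""
    nets = [ipaddress.ip_network(e.strip(), strict=False) for e in entries]
    missing = []
    for ip in expected_ips:
        addr = ipaddress.ip_address(ip)
        # An IPv4 address is never "in" an IPv6 network, so mixed lists are safe.
        if not any(addr in net for net in nets):
            missing.append(ip)
    return missing


if __name__ == "__main__":
    for problem in validate_allowlist(PROPOSED):
        print("reject:", problem)
    valid = [e for e in PROPOSED if not validate_allowlist([e])]
    for ip in uncovered(valid, EXPECTED_IPS):
        print("would be locked out:", ip)
```

Running the coverage check before saving a change helps avoid locking out an office or VPN exit address that was left off the list.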

If users report seeing "Your network isn't allowed," see the FAQ below or Login Issues with Wispr Flow for full troubleshooting steps.


FAQs

What if test authentication fails during setup?

If you just created or updated the SAML app, wait a few minutes for the configuration to propagate in your identity provider, then run the test again. Confirm that the user you're testing with is assigned to the Wispr Flow SAML app.

If clicking Refresh shows a connection error, see the warning callout in the steps above. Signing in again will automatically retry linking your SSO connection before showing an error.

Can users sign in from their identity provider dashboard?

Yes. Wispr Flow supports both SP-initiated login (starting from the Wispr Flow login screen) and IdP-initiated login (clicking the Wispr Flow tile in your identity provider dashboard, such as Okta or Azure AD).

Where do users find the SSO sign-in option on each platform?

First, confirm that SSO appears as connected in Settings → Organization → Authentication. If you've enforced SSO, users must sign in with the work email that matches your identity provider. The button to start SSO sign-in is in a different place on each platform:

  • Mac and Windows: Click Sign in via browser on the login screen, then enter your work email address.

  • Android: Tap Continue with SSO on the login screen, then enter your work email address.

  • iOS: Tap More Options to reveal three buttons (Continue with Microsoft, Continue with SSO, and Continue with Email), then tap Continue with SSO and enter your work email address.

What if users complete IdP login but don't return to Wispr Flow?

Check firewall settings to ensure redirects from your identity provider back to Wispr Flow are allowed. Ask affected users to try again with VPN disabled or on a different network. Confirm that the wispr-flow:// URL scheme isn't blocked by your security policies, since SSO uses it to return users to the app.

  • Android: After completing sign-in in the browser, a loading screen stays visible for up to 5 seconds while the app finishes signing you in. If you navigated away from the browser during this time, switch back to Wispr Flow — the sign-in completes automatically.

  • Windows: Make sure only one instance of Wispr Flow is running, so the sign-in from the browser lands in the right place.

  • Mac and Windows: If you don't complete browser sign-in within 5 minutes, the desktop login screen resets — click Sign in via browser again to restart. Transient network drops are handled automatically and don't end the session.

Why can't users sign in with email/password or Google/Apple/Microsoft after SCIM is enabled?

SCIM only blocks new account creation for users on your domain who don't already have an account. They must be provisioned through SCIM and sign in via SSO. Existing users are not blocked from other sign-in methods by SCIM alone. To require SSO for everyone, enable both SCIM and Enforce SSO.

When SCIM is enabled, member management (adding, removing, and inviting members) is locked in the Wispr Flow admin portal. Make those changes in your identity provider instead. SCIM provisioning is also limited by your enterprise seat cap; if all seats are filled, new users aren't provisioned until seats are freed.

Additional operational details:

  • When SCIM is enabled, attempting to invite or remove members in the admin portal returns the explicit error: "User management is controlled by your identity provider via SCIM. Please add or remove users through your identity provider."

  • When a SCIM-provisioned user is deleted in the IdP, any pending invitations for them are also revoked.

What is the difference between Enforce SSO and Restrict Domain Access?

Enforce SSO requires all users on your domain to sign in via SSO instead of email/password or social login. Restrict Domain Access is a Wispr-controlled gate (not a customer-settable toggle) that must be enabled by Wispr staff — contact support to request it. It blocks anyone outside your enterprise from signing in with your domain email, even if they already have an account.

Restrict Domain Access only takes effect after the system attempts to auto-add the user to the enterprise, so users who would be auto-added based on a verified domain are not blocked. Both features require an active Enterprise subscription.

What if users see "Your network isn't allowed"?

This screen appears when a user connects from a network not on your organization's IP allowlist. The user is signed out and shown a lockout screen with Retry and Sign out buttons.

To resolve this:

  • Check your IP allowlist at Settings → Organization → Network access and confirm all expected office IPs, VPN exit IPs, and remote locations are included.

  • If users recently switched to a new VPN or office network, add the new IP range to the allowlist.

  • Users can click Retry after switching to an approved network.

For more details, see Login Issues with Wispr Flow.

Who should be assigned the IT Admin role?

The IT Admin role is a good fit for IT staff who manage SSO, billing, or team settings but don't need to dictate with Wispr Flow themselves. IT Admins don't use a dictation seat, and IT Admin does not count toward the enterprise seat cap. SCIM cannot assign IT Admin — provisioned users come in as Member. Assign the role from the role dropdown in the member table, or select it when inviting a new member.

If a user with an IT Admin seat opens the Wispr Flow desktop app, they see a non-dismissable modal titled "You cannot use Wispr Flow as an IT Admin" with two options: Sign out, or open the Admin Portal. If their seat is upgraded to Admin in the Admin Portal, the modal automatically clears when focus returns to the app — no sign-out/sign-in needed.


Limitations and notes

  • Enforce SSO and Restrict Domain Access require an active Flow Enterprise subscription.

  • SSO is configured through the SSO setup portal. The setup wizard supports a wide range of identity providers; the specific IdPs available may change over time. Common providers include Okta, Microsoft Entra ID (Azure AD), and Google Workspace.

  • On desktop, the browser login session times out after 5 minutes.

  • On Android, a loading screen is shown for up to 5 seconds after the browser redirects back to the app. This is expected — the sign-in completes automatically during this time.


Still need help?

Reach out to our support team if:

  • You can't complete test authentication after waiting and verifying the SAML app configuration.

  • You're using an identity provider that isn't covered by the setup wizard, or you need to migrate between identity providers or support multiple SSO connections.

  • Users are consistently redirected to an unexpected page or see repeated SSO errors.

  • Users see "Your network isn't allowed" and you need help configuring the IP allowlist.

Include your platform, identity provider name, and the steps you've already tried so we can help quickly.