Single Sign-On
Single Sign-On (SSO) lets your team log in to DPC Pro using credentials from your organization’s identity provider, reducing password fatigue and centralizing access control.
If your practice uses an identity provider like Google Workspace, Microsoft Entra ID (Azure AD), or Okta, you can connect it to DPC Pro for SSO. Team members log in with their existing organizational credentials instead of managing a separate DPC Pro password.
SSO simplifies onboarding, improves security through centralized authentication, and makes offboarding immediate when a team member’s organizational account is deactivated.
SSO configuration is available to practice managers and requires coordination with your identity provider administrator.
Supported Identity Providers
Section titled “Supported Identity Providers”DPC Pro uses the OpenID Connect (OIDC) standard for SSO. Any identity provider that supports OIDC can be connected, including:
| Identity Provider | Protocol | Notes |
|---|---|---|
| Google Workspace | OIDC | Recommended for practices using Google apps |
| Microsoft Entra ID (Azure AD) | OIDC | Recommended for practices using Microsoft 365 |
| Okta | OIDC | Common in larger healthcare organizations |
| Other OIDC-compliant providers | OIDC | Any provider supporting the OIDC standard |
Set Up SSO
Section titled “Set Up SSO”Setting up SSO requires configuration on both your identity provider and DPC Pro. You will need access to your identity provider’s admin console and a DPC Pro account with the Owner or Administrator role.
Overview of the setup process
Section titled “Overview of the setup process”- In your identity provider, register DPC Pro as a new OIDC application.
- Configure the required redirect URIs and scopes.
- Copy the client credentials from your identity provider.
- In DPC Pro, enter the identity provider details and client credentials.
- Test the connection by logging in with an existing team member’s account.
Required scopes and claims
Section titled “Required scopes and claims”DPC Pro requires the following OIDC scopes and claims from your identity provider:
- Scopes:
openid,email,profile - Required claim:
email: DPC Pro matches users by their email address
How SSO Login Works
Section titled “How SSO Login Works”When SSO is configured, the login flow works as follows:
- A team member navigates to your practice’s DPC Pro login page.
- They select Log in with SSO (or are automatically redirected if SSO is the default).
- The browser redirects to the centralized DPC Pro authentication service.
- The authentication service redirects to your identity provider’s login page.
- The team member enters their organizational credentials (or is already authenticated).
- The identity provider validates the credentials and sends a confirmation back to DPC Pro.
- DPC Pro verifies the user’s email matches an existing account and that the account is active.
- The team member is logged in and redirected to their dashboard.
Session handling with SSO
Section titled “Session handling with SSO”- SSO sessions are managed through DPC Pro’s centralized authentication service.
- Logging out of DPC Pro also ends the session with the authentication service.
- If your identity provider session is still active, you may be able to log back in without re-entering credentials.
- DPC Pro periodically refreshes the SSO session in the background to maintain access.
SSO and Role Assignment
Section titled “SSO and Role Assignment”SSO handles authentication (verifying identity) but does not control authorization (what the user can do). Roles and permissions are always managed within DPC Pro.
- When a team member logs in via SSO for the first time, they are matched to their existing DPC Pro account by email address.
- Their role (Owner, Administrator, Staff, Billing Specialist, Viewer) is determined by the role assigned to their account in DPC Pro, not by any groups or roles in the identity provider.
- To change a team member’s role, update it in DPC Pro under Settings —> Team Members. See Staff Roles and Permissions for details on each role. Identity provider group changes do not affect DPC Pro permissions.
Troubleshooting SSO
Section titled “Troubleshooting SSO””User not found” or “Contact your administrator” error
Section titled “”User not found” or “Contact your administrator” error”This means the email address from your identity provider does not match any existing DPC Pro account. Verify that:
- The team member has an active DPC Pro account.
- The email address in the identity provider matches the email address on the DPC Pro account exactly.
- The DPC Pro account has not been deactivated.
Login redirects back to the login page without an error
Section titled “Login redirects back to the login page without an error”- Check that the redirect URIs in your identity provider are configured correctly.
- Confirm that the OIDC client credentials in DPC Pro match those in your identity provider.
- Check that the required scopes (
openid,email,profile) are enabled.
Team member cannot log in after being invited
Section titled “Team member cannot log in after being invited”The team member must first accept their DPC Pro invitation and create their account before SSO login will work. SSO matches users by email. If the account does not exist yet, the login is rejected.
Fallback to email and password
Section titled “Fallback to email and password”If SSO is temporarily unavailable (for example, during an identity provider outage), team members with a DPC Pro password can log in directly with their email and password on the standard login page.
Related Pages
Section titled “Related Pages”- Your Account and Login
- Role-Based Access Control
- HIPAA Compliance and Data Protection
- Audit Logging
- Data Ownership and Portability
Need Help?
Section titled “Need Help?”If you need help setting up SSO, reach out to the DPC Pro support team at [email protected] or visit the login troubleshooting guide.