Overview
The term SSO (Single Sign-On) can refer to several different features of Canny. This article clarifies each use of the term and the options available for it.
Canny supports three forms of SSO:
SSO through the Canny Widget
Use an SSO token when rendering the Canny Feedback or Changelog Widget. This token allows Canny to authenticate your users and ensure they can view the widget’s data without needing to log into Canny separately. Learn more
Third-Party SSO on Canny
Use a third-party identity provider (e.g., Okta, Microsoft Entra ID, OneLogin, Google Workspace, or OpenID Connect [OIDC]) to authenticate your internal employees. Anyone authenticated through this method will be given admin access to your Canny workspace.
This option is most useful if you want to manage your internal team members through your provider and streamline offboarding by removing them from your provider.
SSO Redirect
Use your application’s authentication flow instead of having users log into Canny directly. Configure a route to authenticate users through your application’s login page, then redirect them back to Canny with a token to complete the login process. A button on the Canny page will direct users to your login page. Learn more
Rule of thumb:
Widget SSO and SSO Redirect work best together. If you are using the widget, you should also enable SSO Redirect. That way, if a user navigates to your Canny site directly, they are still able to access your feedback board once authenticated.
For Non-Technical Stakeholders
Why Use SSO
SSO doesn’t automatically limit access to your feedback board, but it enables you to configure privacy settings that do. By pairing SSO with the appropriate board privacy option (e.g., Custom Access), you can ensure that only verified customers with accounts on your application or website can view and interact with your board.
This keeps feedback focused, private, and relevant, while also protecting sensitive discussions or roadmap items from being viewed by the general public.
What Changes When Switching a Board from Public to SSO via Custom Access
When a board’s privacy setting is changed from Public to SSO (via Custom Access), users who previously had access will no longer be able to log in. They must re-authorize through your required login flow to regain access.
What Users Need to Know
For all three SSO types, the goal is to provide a seamless login experience - users shouldn’t have to take extra manual steps to access your board.
SSO through the Canny Widget
Users accessing the Canny Feedback or Changelog Widget will be automatically authenticated if an SSO token is included. They won’t need to log in separately to view or interact with the content and can remain inside your application.
Third-Party SSO on Canny
This option is for authenticating your internal employees. Users logging into Canny directly can use your chosen ID provider (e.g., Okta, Microsoft Entra ID, OneLogin, Google Workspace, or OpenID Connect [OIDC]). They simply select the provider and log in as they would for your internal tools.
If the board was previously public and is switched to custom access or private, employees will be prompted to log in via your provider before regaining access.
SSO Redirect
Users clicking “Log in” on your Canny board will be redirected to your application’s login page. Once they complete login through your system, they’ll be sent back to Canny and granted access - no extra steps required.
Note: If the board was previously public and is switched to custom access, users will be prompted to log in via your application’s login page when they visit your board to regain access.
Best Practices for Rollout
If you’re switching from a public board to Third-Party SSO or SSO Redirect, you may want to let users know about the change in advance and provide clear guidance on how to log in going forward.
Share an announcement before the switch
Example: “We’re moving our feedback board behind login to better protect and organize feedback.”
Add in-product messaging
Include a banner or tooltip: “Use your company account to log in to our new feedback portal.”
Note: For Canny Widget SSO, no user-facing messaging is typically required, as authentication occurs automatically when the widget loads.
Determining which option is best for your team
Follow these questions to determine which SSO option is best for your Canny board:
1. Do you want users to view your feedback board within your application OR by visiting your Canny site?
Within your application → Use SSO through the Canny Widget.
Best for embedded widgets in your product.
Authentication happens automatically via the SSO token - no extra login screens.
Visit your Canny site → Go to Question 2.
2. Do you want users to authenticate either via an identity provider (e.g., Okta, Microsoft Entra ID, OneLogin, Google Workspace, or OpenID Connect [OIDC]) or through your application’s native login page?
Yes - use an ID provider or native login → Go to Question 3.
No → Consider Public access or Custom Access controls such as Segments or Allowed Domains.
These allow you to manage access without setting up SSO.
Useful if you want to limit access by email domain, customer segment, or other attributes.
3. Are you looking to authenticate internal team members or customers?
Internal team members → Use Third-Party SSO on Canny.
The members visit your Canny board and log in via your configured identity provider.
Customers → Use SSO Redirect.
The user is first sent to your application’s login page.
After logging in, your app generates a unique token and redirects the authenticated user back to Canny.
FAQs
If my user’s account uses a personal email (e.g., personal_example@gmail.com), can they still submit feedback?
Yes, if that’s the email they use to log in to your application. For boards using Third-Party SSO (employees only) or SSO Redirect, the user must log in with the same account they use for your application to access the board, regardless of whether it’s a personal or work email.
Do my users need to create a new account?
No, users do not need to manually create a new Canny account. For boards using Third-Party SSO or SSO Redirect, as long as they log in through your application using their existing credentials, they will be granted access.
If their email already exists in Canny, no new profile is created - we simply confirm their identity. If the email is new to Canny, a new profile will be created automatically during SSO authentication.
Can we show a custom message when users try to log in with the wrong email?
Not within Canny. You must handle that messaging in your own login page or via in-product communications.
Will users lose past posts if they switch emails?
Yes. Posts are not linked unless the email matches.
Can we migrate votes or feedback to the new user account?
Not automatically. Contact Canny support to see if manual migration is possible.
Can we limit the Changelog visibility to users authenticated via SSO?
Yes. Similar to boards, the Changelog can be configured so that only users authenticated via SSO or SSO Redirect can access it. The Changelog help article provides more details.
Quick Reference
Goal | Best Option
--- | ---
Embedded board inside your application | SSO through the Canny Widget
Direct login via ID provider, handled by Canny | Third-Party SSO on Canny
Login through your application’s login page | SSO Redirect
No SSO, but still limit access | Custom Access (Segments or Allowed Domains)
Open to everyone | Public boards
Instructions For Your Engineering Team
1. SSO through the Canny Widget
Goal: Authenticate users directly in the Canny Feedback or Changelog Widget without requiring a separate Canny login.
When to Use It:
You want users to engage with your feedback board/changelog directly within your application
You want your feedback/changelog content to be private, so if anyone unauthenticated visits your Canny page, they are unable to view the content
How It Works:
Include an SSO token when rendering the Canny widget.
Canny uses this token to authenticate the user.
Token Requirements:
Use HS256 for signing.
Sign with your Canny private key (available in your Canny settings).
Token must include all 3 fields: id, name, and email.
Additional details can be found in the Widget documentation.
2. Third-Party SSO on Canny
Goal: Allow internal employees to log into Canny using your identity provider (e.g., Okta, Microsoft Entra ID, OneLogin, Google Workspace, or OpenID Connect [OIDC]).
When to Use It
You want to enforce authentication for employees via your existing ID provider.
You want to manage internal team access centrally and simplify offboarding.
How It Works
Install the Third-Party SSO Integration in Canny settings.
Configure your provider to integrate with Canny. (The Canny Help Center has articles for each supported authentication tool.)
Employees logging into Canny select your provider and authenticate.
Notes
This method is not for authenticating customers or external users.
Canny handles the authentication handshake directly with your provider - no JWT setup required.
When installing the integration, you will be prompted to choose how the admin role is assigned to employees who log in through your provider.
3. SSO Redirect
Goal: Route users trying to access your Canny board through your own authentication flow before granting access.
When to Use It:
You want only users who have accounts on your application to be able to view your Canny feedback.
You want users to log in to Canny through your login system.
How It Works:
A user visits the Canny board.
They click Sign in, and Canny redirects them to your configured SSO Redirect URL (your login page).
Your login page authenticates the user.
Your system generates a signed JWT token and redirects the user back to Canny.
Token Requirements:
Use HS256 for signing.
Sign with your Canny private key (available in your Canny settings).
Token must include all 3 fields: id, name, and email.
Additional details can be found here.
Reach out to us if you would like:
Example code snippets
Email templates to announce the switch
A banner message for your product
Help with testing the implementation