SSO Login

The One Stack uses Microsoft Entra ID (formerly Azure AD) for single sign-on. One authentication gets you into all 31 products.

How It Works

  1. You navigate to my.theonestack.com or any product
  2. Click Sign in with Microsoft
  3. Microsoft Entra handles authentication (including your org's MFA policies)
  4. Hub issues a signed session token (JWT) stored as a secure cookie
  5. Every product reads this token to identify you — no additional login required

The session token contains your identity, organization, role, and product entitlements. Products trust this token because Hub signs it with a secret only the platform knows.

Session Duration

  • TTL: 8 hours from login
  • Cookie: hub_session on the .theonestack.com domain
  • Flags: HttpOnly, Secure, SameSite=Lax

After 8 hours, you'll be redirected to sign in again. There is no "remember me" option that extends this — the 8-hour window is a security measure.

Supported Identity Providers

Hub authenticates through Microsoft Entra ID. This supports:

  • Microsoft 365 Business accounts
  • Microsoft 365 Enterprise accounts
  • Azure AD B2C tenants
  • Any identity provider federated through Entra (ADFS, Okta via federation, etc.)

ℹ️ Your Entra tenant's conditional access policies, MFA requirements, and sign-in risk policies are all enforced during the Microsoft authentication step, before Hub ever issues a token.

Multi-Device Sessions

You can be signed in on multiple devices simultaneously. Each device receives its own session token. Signing out on one device does not affect sessions on other devices.

Cross-Product SSO

When you navigate from one product to another (e.g., PSA to CRM), you don't need to re-authenticate. The Hub session cookie is shared across all *.theonestack.com subdomains.

For products on custom domains, Hub issues a short-lived SSO token (60 seconds) that the target product exchanges for a local session.

Account Security

Hub enforces account lockout after repeated failed attempts:

  • 5 failed attempts triggers a 15-minute lockout
  • Failed attempts and lockouts are recorded in the audit log
  • Account status is tracked: active, suspended, invited, or deactivated

Bearer Token Authentication

For API integrations and cross-domain calls, Hub also supports bearer token authentication:

Authorization: Bearer {hub_session_jwt}

This is the same JWT stored in the session cookie, passed as an HTTP header instead.
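
The sketch below is an added example, not Hub's own code. It shows how a consuming service might accept the session JWT from either the Authorization header or the hub_session cookie and check it before trusting any claim. It assumes HS256 (the page only says the token is signed with a secret), and the secret, claim names, and function names are hypothetical.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-secret"  # assumption: placeholder, not a real Hub key
TTL_SECONDS = 8 * 3600               # the 8-hour session TTL described above

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue(claims: dict, now: int, alg: str = "HS256") -> str:
    """Build a constructed sample token so the verifier has input."""
    header = b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = b64url(json.dumps({**claims, "iat": now, "exp": now + TTL_SECONDS}).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"

def extract_token(headers: dict):
    """Prefer the Authorization header, fall back to the hub_session cookie."""
    auth = headers.get("Authorization", "")
    if auth.startswith("Bearer "):
        return auth[len("Bearer "):].strip()
    for part in headers.get("Cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "hub_session":
            return value
    return None

def verify(token, now: int):
    """Return the claims if the token is authentic and unexpired, else None."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(unb64url(header_b64))
        if header.get("alg") != "HS256":  # pin the algorithm; never trust the header's choice
            return None
        signed = f"{header_b64}.{body_b64}".encode()
        expected = hmac.new(SECRET, signed, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, unb64url(sig_b64)):  # constant-time compare
            return None
        claims = json.loads(unb64url(body_b64))  # parse claims only after the MAC checks out
        if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
            return None
        return claims
    except (AttributeError, ValueError, TypeError):
        return None  # malformed or missing token: fail closed
```

Because the same JWT is accepted as a cookie and as a header, both paths must go through the identical verification routine so that neither becomes a weaker entry point.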

Troubleshooting