Your organization
Access management
Single Sign-on
6 min
this feature is available to enterprise customers single sign on (sso) allows you to use your own provider of user account management, authentication, and authorization services to register and log in to {{product name}} {{product name}} supports the following protocols open id connect (oidc) saml 2 {{product name}} supports the following identity providers (idps) okta ( docid\ q0sypmv8 3mmt nikfl2k ) microsoft ad ( docid\ lefn8ytgnmloiwhcpaeum docid\ vh6038lspdoxxxc u4vmg ) google ( docid\ c2tfqhgm9uqannl5dwzhk ) you configure sso for each of your organizations separately you can prevent your organization members from accidentally creating their own self service accounts by docid\ sox7tiacddv9bdkvh5kj2 after you set up sso, claim your email domain so {{product name}} can recognize your new users any new user who signs in with your claimed email domain gets a prompt to use sso enable single sign on using open id connect (oidc) and saml 2 0 double check your sso configuration before you click save on the sso settings page when you click save , {{product name}} enables sso with the settings you provided you will be logged out immediately you won't be able to log in with your {{product name}} credentials anymore click organization in the left sidebar click the sso tab click sso configuration enter a namespace you can enter any text that describes your organization users will need to enter your organization's namespace on the sso login page namespace must include only lowercase characters and dashes an underscore may lead to errors select an sso type fill in the protocol specific information as described in either the docid\ ku5mtx5grj5dbqawsjlk0 or docid\ ku5mtx5grj5dbqawsjlk0 section of this article under team provisioning for new user , select which teams new users who log in will become members of you can choose to not add new users to any team click save {{product name}} enables sso with the settings you provided and logs you out immediately you can now log in with your sso provider credentials at the same time, you receive an email with a one time link, which you can click to disable sso when logging in using sso for the first time, you must use an account that is the owner of the organization and has the same email address as the account that you used to configure sso make sure that you assign the same email address to the user in your identity provider open id connect (oauth 2 0 settings) the following fields appear once you select oauth 2 0 from the sso menu true 182,182,182left unhandled content type left unhandled content type left unhandled content type left unhandled content type left unhandled content type left unhandled content type left unhandled content type left unhandled content type left unhandled content type left unhandled content type left unhandled content type left unhandled content type left unhandled content type left unhandled content type left unhandled content type left unhandled content type left unhandled content type left unhandled content type left unhandled content type left unhandled content type left unhandled content type left unhandled content type left unhandled content type left unhandled content type left unhandled content type left unhandled content type left unhandled content type left unhandled content type left unhandled content type left unhandled content type saml 2 0 settings the following fields appear once you select saml 2 0 from the sso menu true 156,100,100left unhandled content type left unhandled content type left unhandled content type left unhandled content type left unhandled content type left unhandled content type left unhandled content type left unhandled content type left unhandled content type left unhandled content type left unhandled content type left unhandled content type left unhandled content type left unhandled content type left unhandled content type left unhandled content type left unhandled content type left unhandled content type left unhandled content type left unhandled content type left unhandled content type left unhandled content type left unhandled content type left unhandled content type left unhandled content type left unhandled content type left unhandled content type left unhandled content type left unhandled content type left unhandled content type left unhandled content type left unhandled content type left unhandled content type left unhandled content type left unhandled content type left unhandled content type saml certificate rotation for more information on rotating your service provider certificate, see our article on docid 4wjm5akj6vmc7a ga63ay create and enter login iml resolve to support a broad choice of identity providers (idps), {{product name}} lets you map values related to identifying users the iml resolve maps the values from your idp to {{product name}} 's internal values by using iml, a javascript based function notation your iml resolve must be specific to your idp you must map the following properties true 288,289left unhandled content type left unhandled content type left unhandled content type left unhandled content type left unhandled content type left unhandled content type left unhandled content type left unhandled content type in the following example, the resolve maps the following values true 288,289left unhandled content type left unhandled content type left unhandled content type left unhandled content type left unhandled content type left unhandled content type left unhandled content type left unhandled content type javascript { "email" "{{get(user attributes email, 1)}}", "name" "{{get(user attributes firstname, 1)}} {{get(user attributes last}} "id" "{{user name id}}" } log in using sso when {{product name}} is configured to use sso, users don't use the default sign in form instead, they use the dedicated sso sign in options go to https //www make com/en/login click sign in with sso enter the namespace you chose for your organization log in using your identity provider and consent to {{product name}} 's access to your user data the user is now logged in if the user was not assigned to your organization before, the system creates a new user account for them and assigns them to the selected default team if a user with the same email address already existed in the organization before you configure sso, they will not have access to the organization's data to solve this, delete the user from the organization and ask them to log in again using sso