# Configure SAML SSO overview

{% hint style="success" %}
**Access Type**: Organization Settings - Editor

**Premium Feature**: SSO
{% endhint %}

Single Sign-On (SSO) is an authentication process that lets users access multiple applications or systems with one set of login credentials. This article gives a general overview of how to configure SSO using the SAML 2.0 protocol.

* [SP-initiated vs IdP-initiated](#sp-initiated-vs-idp-initiated)
* [Retrieve SSO SAML identifiers](#retrieve-sso-saml-identifiers)
* [Configure identity provider](#configure-identity-provider)
* [Retrieve identity provider metadata](#retrieve-identity-provider-metadata)
* [Add identity provider metadata](#add-identity-provider-metadata)
* [Test and complete SSO configuration](#test-and-complete-sso-configuration)

{% hint style="info" %}
For your convenience, Didomi offers dedicated resources for the following identity providers:

* [Microsoft Entra ID](/organization-and-account-settings/single-sign-on-sso/microsoft-entra-id.md)
* [Google SSO](/organization-and-account-settings/single-sign-on-sso/google-sso.md)
* [Okta](/organization-and-account-settings/single-sign-on-sso/okta.md)
* [OneLogin](/organization-and-account-settings/single-sign-on-sso/onelogin.md)

If your organization's identity provider is not on the above list, continue with the instructions below.
{% endhint %}

***

### SP-initiated vs IdP-initiated

SSO can be initiated either from the Service Provider (SP-initiated SSO) or from the Identity Provider (IdP-initiated SSO).

<table><thead><tr><th width="249">Initiation</th><th>Description</th></tr></thead><tbody><tr><td>SP-initiated SSO</td><td>Starts at the Service Provider (SP) when the user attempts to access a specific application. The SP sends an authentication request to the IdP, and the IdP returns the SAML response to the SP.</td></tr><tr><td>IdP-initiated SSO</td><td>Starts at the Identity Provider (IdP), often from a centralized dashboard or portal from which the user selects the application to access. The IdP sends an unsolicited SAML response to the SP.</td></tr></tbody></table>

The Didomi SAML SSO solution is SP-initiated. Make sure your organization's identity provider is configured accordingly (your IdP may ask you to specify which party initiates sign-on). Users should therefore start from the Didomi console login page rather than from an application tile in the IdP portal.

### Retrieve SSO SAML identifiers

To start, retrieve the SSO SAML identifiers from the Didomi console; you will need them to continue the setup in your identity provider.

Click **My organization** and select **Single Sign-on** from the drop-down menu.

<figure><img src="/files/xYTfkcoJha4cIEPxiw4C" alt="" width="563"><figcaption></figcaption></figure>

Use the fields provided in the **Get your SSO SAML identifiers** step to record the following:

<table><thead><tr><th width="210">Identifier</th><th>Description</th></tr></thead><tbody><tr><td>Configured issuer</td><td>The unique identifier (issuer) of this SAML integration in the Didomi console. Enter it where your identity provider asks for the service provider's identifier, entity ID or audience.</td></tr><tr><td>Login URL</td><td>The URL to which the identity provider sends the user, together with the SAML response, after a successful login (the Assertion Consumer Service URL in SAML terms).</td></tr><tr><td>Logout URL</td><td>The URL to which the identity provider sends the user after a successful logout.</td></tr></tbody></table>

<figure><img src="/files/Ntpfh2tkie9RRqTgsLoD" alt="" width="375"><figcaption></figcaption></figure>

Click **Continue** when finished.

### Configure identity provider

Enter the SSO SAML identifiers copied from the Didomi console in the corresponding fields of your identity provider.

When finished, locate where your identity provider configures claims (attributes) sent in the SAML assertion and configure the email claim as follows:

{% hint style="warning" %}
**Note**: Configuring the email claim is a required step. Your organization's SSO SAML configuration is not complete, and users cannot be matched to their Didomi accounts, if this step is not performed.
{% endhint %}

| Name        | *<http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress>* |
| ----------- | ---------------------------------------------------------------------- |
| Name format | URI Reference (the SAML `NameFormat` `urn:oasis:names:tc:SAML:2.0:attrname-format:uri`) |
| Value       | user.email (the attribute holding the user's primary email address; the exact expression depends on your identity provider) |

### Retrieve identity provider metadata

Once the configuration within the identity provider is complete, locate the following metadata and copy the values:

<table><thead><tr><th width="231">Metadata</th><th>Description</th></tr></thead><tbody><tr><td>X.509 certificate</td><td>The SAML signing certificate from your identity provider, Base64-encoded (CER or PEM text, not the binary DER file). Didomi uses it to verify the signature on SAML responses.</td></tr><tr><td>Login URL</td><td>Sign-in (or login) URL from your identity provider, also called the Single Sign-On Service URL.</td></tr><tr><td>Logout URL</td><td><p>Logout URL from your identity provider, also called the Single Logout Service URL.</p><p></p><p><mark style="background-color:$warning;"><strong>Note</strong>: This field may be optional for some identity providers. In this case the Login URL will be used instead.</mark></p></td></tr></tbody></table>

Keep in mind that the signing certificate has an expiry date. When your identity provider rotates its signing certificate, the new certificate must be entered in the Didomi console as well; SAML responses signed with a certificate the service provider does not know fail signature verification and the login is rejected.
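Most identity providers also publish the three values above in a SAML metadata XML document. The following added example (not Didomi's code, and not part of the original page) pulls the signing certificate, login URL and logout URL out of such a document, applies the fallback described above when no logout URL is published, and performs two checks a practitioner wants before pasting values into the console: that the certificate really is Base64 DER (not an accidental copy of a binary file or of a PEM header) and that both endpoints use HTTPS. The metadata below is constructed for the example; its certificate body is a placeholder DER sequence, not a real certificate, and the `idp.example.com` URLs are assumed.

```python
import base64
import re
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample IdP metadata (not from any real identity provider).
# "MAMCAQE=" is a placeholder DER SEQUENCE, not a real X.509 certificate.
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.com/saml/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>
          MAMCAQE=
        </ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/saml/slo"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/saml/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""
# Same document with the optional logout endpoint removed, to exercise the fallback.
SAMPLE_METADATA_NO_SLO = re.sub(r"<md:SingleLogoutService[^>]*/>", "", SAMPLE_METADATA)


def _location(descriptor, tag, bindings):
    """Location of the first <md:tag> whose Binding is in bindings, in preference order."""
    services = descriptor.findall(f"md:{tag}", NS)
    for binding in bindings:
        for svc in services:
            if svc.get("Binding") == binding:
                return svc.get("Location")
    return None


def signing_certificate(descriptor):
    """Base64 body of the signing certificate, whitespace stripped.

    A KeyDescriptor without a 'use' attribute is valid for both signing and encryption.
    """
    for kd in descriptor.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):
            node = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            if node is not None and node.text and node.text.strip():
                return "".join(node.text.split())
    raise ValueError("no signing certificate in IdP metadata")


def check_certificate(b64):
    """Reject values that are not Base64-encoded DER (a PEM header or a binary file pasted by mistake)."""
    raw = base64.b64decode(b64, validate=True)
    if not raw or raw[0] != 0x30:  # every DER X.509 certificate starts with a SEQUENCE tag
        raise ValueError("certificate is not DER; export it as Base64 (CER/PEM), not binary")
    return raw


def to_pem(b64):
    """Wrap a Base64 body in PEM armour for tools that expect a .pem/.cer text file."""
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def extract_idp_settings(xml_text):
    """Return the values the 'Setup SSO settings' step asks for, with the logout fallback applied."""
    # Metadata downloaded from your own IdP is trusted input; for untrusted XML prefer defusedxml.
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("expected a single md:EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor; this looks like SP metadata, not IdP metadata")
    cert = signing_certificate(idp)
    check_certificate(cert)
    login = _location(idp, "SingleSignOnService", (REDIRECT, POST))
    if login is None:
        raise ValueError("no SingleSignOnService with a Redirect or POST binding")
    logout = _location(idp, "SingleLogoutService", (REDIRECT, POST))
    for url in (login, logout):
        if url is not None and not url.startswith("https://"):
            raise ValueError(f"endpoint must use HTTPS: {url}")
    return {
        "entity_id": root.get("entityID"),
        "x509_certificate": cert,
        "login_url": login,
        "logout_url": logout or login,          # fallback from the note above
        "logout_url_from_idp": logout is not None,
    }


if __name__ == "__main__":
    for key, value in extract_idp_settings(SAMPLE_METADATA).items():
        print(f"{key}: {value}")
```

The HTTPS check matters because the login URL is where the browser is redirected with the authentication request and, later, where the user types their password; a plain-HTTP endpoint in metadata should be treated as a configuration error, not an inconvenience.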

### Add identity provider metadata

With the metadata copied from your identity provider, navigate back to the SSO configuration in the Didomi console and enter those values in the fields provided in the **Setup SSO settings** step.

<figure><img src="/files/CVOXd09VnoRe3zbsJNSI" alt="" width="563"><figcaption></figcaption></figure>

Click **Continue** when finished.

### Test and complete SSO configuration

Didomi verifies the identity provider metadata. When the check succeeds, use the **Domain(s)** field to add the email domain to which SAML authentication is restricted: only users whose email address has this domain are allowed to log in with SSO SAML.

{% hint style="warning" %}
For security, the domain added to the **Domain(s)** field must match the email domain of the user performing the configuration (for example, `didomi.io` can only be added if the user adding it is signed in to the Didomi console with an `@didomi.io` email address). This prevents an administrator from claiming a domain their organization does not control.

To add more than one domain, please contact the Didomi support team via chat or email at <support@didomi.io>.
{% endhint %}

<figure><img src="/files/ob57E1LLIGN3HtBqgZWS" alt="" width="563"><figcaption></figcaption></figure>

Click **Save settings**.

When finished, follow your identity provider's instructions on managing a user's access to the Didomi console application.
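The two configuration points on this page that most often go wrong are the email claim (Configure identity provider) and the domain restriction (Test and complete SSO configuration). The following added example (not Didomi's code, and not part of the original page) shows, on a constructed SAML assertion, the check a service provider applies to both: it looks for the email attribute under exactly the claim name and `NameFormat` given above, rejects a missing or ambiguous value, and then enforces an allow-list of email domains with an exact, case-insensitive domain match. The assertion, issuer URL and `example.com` addresses are all made up for the example. The check assumes the assertion's XML signature has already been verified against the identity provider's certificate; without that step the email claim, and therefore the domain, could be forged by anyone.

```python
import re
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
URI_NAME_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
UNSPECIFIED_NAME_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
EMAIL_RE = re.compile(r"^[^@\s]+@([^@\s]+\.[^@\s]+)$")

# Constructed sample assertion (unsigned and trimmed to what this check needs).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c0ffee" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com/saml/metadata</saml:Issuer>
  <saml:Subject><saml:NameID>jane.doe</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue>Jane Doe</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue>Jane.Doe@Example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def find_email_claim(assertion_xml):
    """Return the email claim value, or raise a ValueError naming the misconfiguration."""
    root = ET.fromstring(assertion_xml)  # signature verification is assumed to have happened already
    attrs = root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS)
    by_name = {a.get("Name"): a for a in attrs}
    attr = by_name.get(EMAIL_CLAIM)
    if attr is None:
        raise ValueError(f"email claim {EMAIL_CLAIM} missing; attributes sent: {sorted(by_name)}")
    # Per SAML 2.0 an absent NameFormat means 'unspecified', which is not the required URI Reference.
    fmt = attr.get("NameFormat", UNSPECIFIED_NAME_FORMAT)
    if fmt != URI_NAME_FORMAT:
        raise ValueError(f"email claim NameFormat is {fmt}; expected URI Reference ({URI_NAME_FORMAT})")
    values = [v.text.strip() for v in attr.findall("saml:AttributeValue", SAML_NS) if v.text and v.text.strip()]
    if len(values) != 1:
        raise ValueError(f"expected exactly one email value, got {values}")
    return values[0]


def check_sso_login(assertion_xml, allowed_domains):
    """Apply the Domain(s) restriction: the email's domain must be on the allow-list.

    Domains compare case-insensitively and exactly, so 'example.com.attacker.test'
    or 'attacker-example.com' never match 'example.com'.
    """
    email = find_email_claim(assertion_xml)
    match = EMAIL_RE.match(email)
    if not match:
        raise ValueError(f"email claim value is not an email address: {email!r}")
    domain = match.group(1).lower()
    allowed = {d.lower().lstrip("@") for d in allowed_domains}
    if domain not in allowed:
        raise PermissionError(f"{email}: domain {domain!r} not in allowed domains {sorted(allowed)}")
    return {"email": email, "domain": domain}


if __name__ == "__main__":
    print(check_sso_login(SAMPLE_ASSERTION, ["example.com"]))
```

When a test login fails, run the assertion captured with a browser SAML tracer through `find_email_claim`: the error message says whether the attribute name, the name format or the value is what the identity provider got wrong, which is faster than comparing screens by eye.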
