
# Set up SSO

> Connect your identity provider to ION so your team can sign in with their existing company credentials.

Enterprise SSO lets your team sign in to ION using your company's identity provider (IdP): Okta, Microsoft Entra ID, Google Workspace, ADFS, or any SAML or OIDC provider.

When someone signs in through SSO for the first time, ION creates their user profile automatically with the default **User** role. An admin can then grant additional roles. When you remove someone from your identity provider, they can no longer sign in to ION through SSO.

## Before you start

[Claim and verify your email domain](/administration/authentication-settings/manage-domains) before setting up SSO.

Set up SSO before onboarding most of your users: if you add it after many accounts exist, you will need to reconcile those existing ION accounts with the identities in your provider.

<Warning>
  A misconfigured SSO connection can lock users out of production. If you have a sandbox tenant, validate the connection there before enabling it in production.
</Warning>

## Set up SSO

1. In ION, go to **Settings > Organization > Authentication**.
2. In the **Enterprise SSO** card, click **Configure SSO**, then click **Open SSO Setup Wizard** and follow the steps to connect your identity provider. The wizard walks you through selecting your provider, exchanging SAML or OIDC details, mapping user attributes, and enabling the connection.
3. When the wizard is complete, return to ION and click **Check Status**. Once your IdP connection is live, the card shows **SSO Active** with your provider and connection name.

You can hand the setup wizard link to whoever manages your IdP if you don't have access to configure it yourself.

<Note>
  The wizard shows you the values to enter into your identity provider and collects your provider's metadata or signing certificate directly. You don't need to send anything to First Resonance to complete setup. For more information, see Auth0's [self-service SSO documentation](https://auth0.com/docs/authenticate/enterprise-connections/self-service-SSO).
</Note>

## Troubleshooting

**Check Status shows the connection is not active after completing the wizard.**

The wizard must fully complete and the connection must be enabled before ION can verify it. Return to the wizard and confirm the final step shows the connection as enabled, then try **Check Status** again.

**Users get an error or are redirected back to the ION login page after attempting SSO.**

Confirm your email domain is claimed and verified in ION before enabling SSO. See [Manage domains](/administration/authentication-settings/manage-domains). Unverified domains won't route users to your IdP.

**Attribute mapping errors or users are created without the correct name or email.**

Check the attribute mapping step in the wizard. ION expects the email attribute to be mapped correctly from your IdP. For SAML providers, the email attribute is typically `email` or `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress`. Confirm with your IdP's documentation.

**SSO was working and stopped after a certificate rotation.**

If your IdP uses SAML and rotated its signing certificate, ION needs to be updated with the new certificate. See [Rotate your SAML signing certificate](/administration/authentication-settings/rotate-saml-certificate).

## Provider-specific notes

The wizard is the same for every provider and shows you the exact service-provider values to enter into your IdP. These notes cover what's specific to the most common providers.

<AccordionGroup>
  <Accordion title="Okta">
    Create a **SAML 2.0** app integration in Okta and paste in the **Single sign-on URL** and **Audience URI (SP Entity ID)** the wizard displays — they take the form `https://firstresonance.auth0.com/login/callback?connection=<connection_name>` and `urn:auth0:firstresonance:<connection_name>`, with the connection name filled in by the wizard. Okta sends the user's `email` in the SAML assertion by default. When you provide Okta's metadata, ION automatically picks the **signing** certificate if both signing and encryption certificates are listed. Background: [Auth0 community guide to Okta as the SAML IdP](https://community.auth0.com/t/saml-setup-okta-as-idp-and-auth0-as-sp/91164).
  </Accordion>

  <Accordion title="Microsoft Entra ID (Azure AD)">
    Register the application in the Microsoft Entra admin center using the **Reply URL (ACS)** the wizard displays (based on `https://firstresonance.auth0.com/login/callback`), then provide your application's **federation metadata** (URL or XML) back in the wizard. Confirm Entra releases the user's **email** claim. **GovCloud** tenants sign in under `login.microsoftonline.us`. Entra **auto-rolls** its signing certificate and lists multiple certificates during the overlap — relevant when you later [rotate the signing certificate](/administration/authentication-settings/rotate-saml-certificate).
  </Accordion>

  <Accordion title="ADFS">
    Configure the relying party in ADFS following [Auth0's ADFS connection documentation](https://auth0.com/docs/connections/enterprise/adfs), using **Realm Identifier** `urn:auth0:firstresonance` and **Endpoint** `https://firstresonance.auth0.com/login/callback`. Then provide your ADFS **federation metadata URL** (for example, `https://adfs.yourcompany.com/FederationMetadata/2007-06/FederationMetadata.xml`) in the wizard.
  </Accordion>
</AccordionGroup>

## Related

* [Rotate your SAML signing certificate](/administration/authentication-settings/rotate-saml-certificate)
* [Disable SSO](/administration/authentication-settings/disable-sso)
* [Manage domains](/administration/authentication-settings/manage-domains)
