# Single Sign-on
> This feature is available to enterprise customers.

Single sign-on (SSO) allows you to use your own provider of user account management, authentication, and authorization services to register and log in to Make.

Make supports the following protocols:

- OpenID Connect (OIDC)
- SAML 2.0

Make supports the following identity providers (IdPs):

- Okta (Okta SAML)
- Microsoft AD (MS Azure AD SAML, MS Azure AD OIDC)
- Google (Google SAML)

You configure SSO for each of your organizations separately.

You can prevent your organization members from accidentally creating their own self-service accounts by claiming your domain (see the Domain claim article). After you set up SSO, claim your email domain so Make can recognize your new users. Any new user who signs in with your claimed email domain gets a prompt to use SSO.

## Enable single sign-on using OpenID Connect (OIDC) and SAML 2.0

> Double-check your SSO configuration before you click Save on the SSO settings page. When you click Save, Make enables SSO with the settings you provided. You will be logged out immediately, and you won't be able to log in with your Make credentials anymore.

1. Click Organization in the left sidebar.
2. Click the SSO tab.
3. Click SSO configuration.
4. Enter a Namespace. You can enter any text that describes your organization. Users will need to enter your organization's namespace on the SSO login page. The namespace must include only lowercase characters and dashes; an underscore may lead to errors.
5. Select an SSO type.
6. Fill in the protocol-specific information as described in either the OpenID Connect (OAuth 2.0 settings) or the SAML 2.0 settings section of this article.
7. Under Team provisioning for new user, select which teams new users who log in will become members of. You can choose not to add new users to any team.
8. Click Save.

Make enables SSO with the settings you provided and logs you out immediately. You can now log in with your SSO provider credentials. At the same time, you receive an email with a one-time link, which you can click to disable SSO.

> When logging in using SSO for the first time, you must use an account that is the owner of the organization and has the same email address as the account that you used to configure SSO. Make sure that you assign the same email address to the user in your identity provider.

## OpenID Connect (OAuth 2.0 settings)

The following fields appear once you select OAuth 2.0 from the SSO menu.

| Field | Required | Description |
|---|---|---|
| User information URL | Required | URL obtained from your identity provider. Example: `https://example.com/oauth2/v1/userinfo` |
| Client ID | Required | Obtained from your identity provider. Sometimes called Application ID. |
| Token URL | Required | URL obtained from your identity provider. Example: `https://example.com/oauth2/v1/token` |
| Login scopes | Optional | Parameters used when accessing your identity provider. |
| Scopes separator | Optional | The character used between scopes, such as a space or a comma. If your separator is a space, use the spacebar on your keyboard. |
| Authorize URL | Required | URL obtained from your identity provider. Example: `https://example.com/oauth2/v1/authorize` |
| Client secret | Required | Obtained from your identity provider. |
| IML resolve | Required | Because both Make and your identity provider use attributes such as username and email, you need to create and enter a login IML resolve (see Create and enter login IML resolve below). For OpenID Connect: `{"id": "{{sub}}", "email": "{{email}}", "name": "{{name}}"}` |
| Redirect URL | Optional | The location where the identity provider sends the user once successfully authorized and granted access. Must be unique to your application/instance. |

## SAML 2.0 settings

The following fields appear once you select SAML 2.0 from the SSO menu.

| Field | Required | Description |
|---|---|---|
| Service provider certificate | Required | Make provides certificates for you. Click the down arrow to copy or download a PEM file of your certificate. At least one certificate must be active; if there is no active certificate, click Activate. For more information, see our article on SAML certificate management. |
| Identity provider certificate | Required | An X.509 certificate created and stored by your IdP, for example Google, Okta, or Microsoft Azure Directory. You can enter this information in the following ways: copy and paste it from your IdP's UI; copy and paste it from your IdP's metadata XML file; or extract it from a P12, PFX, or PEM file. |
| IdP login URL | Required | Also called an authorization URL. The IdP login URL is available from your IdP, for example Google or Okta. The IdP metadata, which is usually downloadable from your identity provider, typically contains this information in XML. |
| IdP logout URL | Optional | A URL created by your IdP to enable single logout (SLO). Leave this field empty to disable SLO. |
| Login IML resolve | Required | Because both Make and your identity provider use attributes such as username and email, you need to create and enter a login IML resolve (see Create and enter login IML resolve below). |
| Redirect URL | Optional | The location where the identity provider sends the user once successfully authorized and granted access. Must be unique to your application/instance. |
| Allow unencrypted assertions | Optional | Your IdP may not support SAML 2.0 assertions with encryption. Check with your IdP to determine whether you need to enable this option. |
| Allow unsigned responses | Optional | Your IdP may not support a signed SAML 2.0 response. Check with your IdP to determine whether you need to enable this option. |
| Sign requests | Optional | Your IdP may require a signed SAML 2.0 response. Check with your IdP to determine whether you need to enable this option. |
| Audience | Optional | Optional field to define the intended target. Typically this is a URL, but it can also be formatted as any string of data. |
| Audience URI | Optional | This read-only field provides you with the path for the metadata XML file. This information might be needed to set up the SAML settings on the SSO provider side. |

## SAML certificate rotation

For more information on rotating your service provider certificate, see our article on SAML certificate management.

## Create and enter login IML resolve

To support a broad choice of identity providers (IdPs), Make lets you map values related to identifying users. The IML resolve maps the values from your IdP to Make's internal values by using IML, a JavaScript-based function notation. Your IML resolve must be specific to your IdP.

You must map the following properties:

| Property | Description |
|---|---|
| email | You can map this to any valid email. Aliases and alternate email suffixes can create problems, so be sure to map the most appropriate email in your IML resolve. |
| name | Used as the user's name in the application. You can reuse email for this property. If left blank, Make creates a user without a name that must be updated later. |
| id | External user ID. Can be an integer or string, but must be mapped to an identifier. |

In the following example, the resolve maps the following values:

| Make | Your IdP |
|---|---|
| email | user attribute `email` |
| name | user attributes `firstname` and `last`, concatenated together |
| id | user `name_id` |

```javascript
{
  "email": "{{get(user.attributes.email, 1)}}",
  "name": "{{get(user.attributes.firstname, 1)}} {{get(user.attributes.last, 1)}}",
  "id": "{{user.name_id}}"
}
```

## Log in using SSO

When Make is configured to use SSO, users don't use the default sign-in form. Instead, they use the dedicated SSO sign-in options.

1. Go to https://www.make.com/en/login.
2. Click Sign in with SSO.
3. Enter the namespace you chose for your organization.
4. Log in using your identity provider and consent to Make's access to your user data.

The user is now logged in. If the user was not assigned to your organization before, the system creates a new user account for them and assigns them to the selected default team.

> If a user with the same email address already existed in the organization before you configured SSO, they will not have access to the organization's data. To solve this, delete the user from the organization and ask them to log in again using SSO.
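The login IML resolve from the section above, dry-run against constructed IdP data, as an added example that is not Make's code: a minimal interpreter for the `get(path, n)` and bare-path tokens a resolve uses, with the checks the property table implies (an empty `id` or `email` is a misconfiguration, an empty `name` creates a nameless user). The payload shape (`user.attributes.*` as arrays, `user.name_id`) is an assumption made for this demo; Make's own runtime may expose the assertion differently.

```javascript
// Added example (not Make's code): a tiny interpreter for the IML subset a login
// resolve uses, so a mapping can be dry-run against constructed IdP data before
// saving it. Payload shape (user.attributes.* arrays, user.name_id) is assumed.

// IML's get(array, index) is 1-indexed; a missing value resolves to "".
function imlGet(arr, index) {
  if (!Array.isArray(arr)) return arr ?? "";
  return arr[index - 1] ?? "";
}

// Resolve a dotted path such as "user.attributes.email" inside the payload.
function lookup(ctx, path) {
  return path.split(".").reduce((o, k) => (o == null ? undefined : o[k]), ctx);
}

// Evaluate one {{...}} token: either get(path, n) or a bare path.
function evalToken(expr, ctx) {
  const m = /^get\(\s*([\w.]+)\s*,\s*(\d+)\s*\)$/.exec(expr.trim());
  if (m) return String(imlGet(lookup(ctx, m[1]), Number(m[2])));
  const v = lookup(ctx, expr.trim());
  return v == null ? "" : String(v);
}

// Apply a resolve template: every {{token}} in each value is substituted.
function applyResolve(template, ctx) {
  const out = {};
  for (const [key, tpl] of Object.entries(template)) {
    out[key] = tpl.replace(/\{\{(.*?)\}\}/g, (_, e) => evalToken(e, ctx)).trim();
  }
  return out;
}

// Checks implied by the article: id and email must resolve; an empty name
// means the user is created without a name and must be fixed later.
function validateResolved(r) {
  const problems = [];
  if (!r.id) problems.push("id is empty: user cannot be identified");
  if (!r.email.includes("@")) problems.push("email is missing or not an address");
  if (!r.name) problems.push("name is empty: user is created without a name");
  return problems;
}

const samlResolve = {
  email: "{{get(user.attributes.email, 1)}}",
  name: "{{get(user.attributes.firstname, 1)}} {{get(user.attributes.last, 1)}}",
  id: "{{user.name_id}}",
};

const samplePayload = { user: { name_id: "u-4711", attributes: { // constructed sample
  email: ["alice@example.com", "alice.alias@example.org"], firstname: ["Alice"], last: ["Doe"] } } };

console.log(applyResolve(samlResolve, samplePayload), validateResolved(applyResolve(samlResolve, samplePayload)));
```

Because `get(..., 1)` always picks the first value, the second address in the constructed `email` array is ignored, which is the alias problem the property table warns about.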