
# Set up Single Sign-On (SSO)

> Configure OIDC-based single sign-on so your team logs in to Dfns through your identity provider (Okta, Auth0, Azure AD, Google Workspace).

export const SupportLink = ({children}) => {
  const url = "https://support.dfns.co";
  return <a href={url}>{children || url}</a>;
};

export const Youtube = props => {
  return <iframe className="w-full aspect-video rounded-xl" src={`https://www.youtube.com/embed/${props.videoId}`} title="YouTube video player" frameBorder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowFullScreen>
      </iframe>;
};

<Youtube videoId="tjLOeUodyPo" />

Dfns SSO supports all OpenID Connect (OIDC) providers. You can configure your organization to use SSO so that users are redirected automatically to your identity provider when they try to log in to Dfns.

Note that you still need to invite users from the user management page. Users who arrive from the SSO without having been invited to your Dfns organization won't get access.

<Tip>
  **Prerequisites**

  Before you begin, ensure you have the following:

  * Access to your Dfns account with sufficient permissions.
  * Access to your organization's identity provider (e.g., Okta, Entra, Google Workspace) with sufficient permissions.
</Tip>

<Steps>
  <Step title="Initiate SSO Configuration in Dfns">
    First, you'll need to start the SSO configuration process within your Dfns dashboard to obtain the necessary **Redirect URI**.

    1. Log in to your Dfns dashboard and navigate to **Integrations**, find the OpenID card and click **Configure**.
    2. Check the **Activate SSO for this organization** checkbox.
    3. Copy the **Redirect URL**; you will need it to configure your identity provider. If you are building your own frontend for your customers, you can also add its redirect URLs here.

    <Frame>
      <img src="https://mintcdn.com/dfns-6d8c7466/r7ZiW9KML3zicoS0/images/sso1.png?fit=max&auto=format&n=r7ZiW9KML3zicoS0&q=85&s=3a391bb41c014d354706fe8586fea223" alt="" width="3412" height="1792" data-path="images/sso1.png" />
    </Frame>
  </Step>

  <Step title="Configure Your Identity Provider">
    Next, you'll need to configure an application in your identity provider's dashboard. Below are instructions for our most common providers.

    <AccordionGroup>
      <Accordion title="Okta">
        A detailed step-by-step tutorial can be found [here](https://help.okta.com/en-us/content/topics/apps/apps_app_integration_wizard_oidc.htm).

        1. **Create a New App Integration:**
           * Log in to your Okta admin dashboard.
           * Navigate to **Applications > Applications** and click **Create App Integration**.
           * Select **OIDC - OpenID Connect** as the sign-in method and **Web Application** as the application type. Click **Next**.

        2. **Configure General Settings:**
           * Give your application a descriptive name, like "Dfns dashboard".
           * In the **Sign-in redirect URIs** field, paste the **Whitelisted Redirect URL** you copied from the Dfns dashboard.
           * Under **Assignments**, choose to limit access to specific groups or allow everyone in your organization.
           * Click **Save**.

        3. **Obtain Client Credentials:**
           * In the **Client Credentials** section, you will find the **Client ID** and, under **Client Authentication**, the **Client Secret**. Copy these values; you'll need them to finalize the setup in Dfns.
      </Accordion>

      <Accordion title="Entra ID (formerly Azure AD)">
        A detailed step-by-step tutorial can be found [here](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app).

        1. **Register a New Application:**
           * Log in to the Microsoft Entra admin center.
           * Navigate to **Entra ID > Applications > App registrations** and click **New registration**.
           * Enter a name for your application, like "Dfns".
           * Under **Redirect URI**, select **Web** and paste the **Whitelisted Redirect URL** from the Dfns dashboard.
           * Click **Register**.

        2. **Obtain Application (Client) ID:**
           * From the application's **Overview** page, copy the **Application (client) ID**.

        3. **Create a Client Secret:**
           * Navigate to **Certificates & secrets** and, in the **Client secrets** tab, click **New client secret**.
           * Add a description, choose an expiration period, and click **Add**.
           * Copy the **Value** of the client secret immediately, as it will not be shown again.

        4. **Obtain the Configuration URL:**
           * From the application's **Overview** page, click the **Endpoints** tab.
           * Copy the **OpenID Connect metadata document** URL. This is your OpenID Configuration URL.
      </Accordion>

      <Accordion title="Google Workspace">
        A detailed step-by-step tutorial can be found [here](https://developers.google.com/identity/openid-connect/openid-connect#appsetup).

        1. **Create a New Project (or use an existing one):**
           * Log in to the Google Cloud Console.
           * Create a new project or select an existing one.

        2. **Configure OAuth Consent Screen:**
           * Navigate to **APIs & Services > OAuth consent screen**.
           * Choose **Internal** as the user type and click **Create**.
           * Fill in the required app information, such as the app name and user support email.
           * Add the necessary scopes: `openid`, `email`, and `profile`.

        3. **Create OAuth Client ID:**
           * Go to **APIs & Services > Credentials** and click **Create Credentials > OAuth client ID**.
           * Select **Web application** as the application type.
           * Under **Authorized redirect URIs**, click **Add URI** and paste the **Whitelisted Redirect URL** from the Dfns dashboard.
           * Click **Create**.

        4. **Obtain Client ID and Client Secret:**
           * A pop-up will appear with your **Client ID** and **Client Secret**. Copy these values.
      </Accordion>
    </AccordionGroup>
  </Step>

  <Step title="Finalize SSO Configuration in Dfns">
    Now that you have the required information from your identity provider, return to the Dfns dashboard to complete the setup.

    1. Go back to the **Single Sign-On (SSO)** configuration page in Dfns.
    2. Enter the following information you obtained from your identity provider:
       * **OpenID Configuration URL:** the configuration URL (for Okta and Entra ID) or issuer URL (for other OIDC providers). For example:
         * Okta: `https://{tenant-domain}/.well-known/openid-configuration`
         * Google: `https://accounts.google.com/.well-known/openid-configuration`
         * Entra: `https://login.microsoftonline.com/xxxx/v2.0/.well-known/openid-configuration`
       * **Client ID**
       * **Client Secret**
    3. Click **Save**.
  </Step>

  <Step title="Invite users with SSO">
    Now head to the Users page and **Invite a new user**. In the form you can check "require SSO" to force the user to go through the SSO to log in to Dfns.

    <Frame>
      <img src="https://mintcdn.com/dfns-6d8c7466/r7ZiW9KML3zicoS0/images/sso3.png?fit=max&auto=format&n=r7ZiW9KML3zicoS0&q=85&s=818fc5a7b0c4ec409e00dc19ef02b17c" alt="" width="3412" height="1792" data-path="images/sso3.png" />
    </Frame>
  </Step>

  <Step title="Require SSO for existing users">
    Now head to the Users page, open the menu next to a user, and enable SSO. Those users will have to go through the SSO to log in to Dfns.

    <Note>
      For this step you need the `Auth:Users:Update` [permission](/core-concepts/roles-and-permissions).
    </Note>

    <Frame>
      <img src="https://mintcdn.com/dfns-6d8c7466/r7ZiW9KML3zicoS0/images/sso2.png?fit=max&auto=format&n=r7ZiW9KML3zicoS0&q=85&s=4ebf10b930e8405a8c392e1bd6e7452b" alt="" width="3412" height="1792" data-path="images/sso2.png" />
    </Frame>
  </Step>

  <Step title="Log users in through SSO">
    Once SSO is set up for a user, they will always be redirected to your identity provider's login page:

    * **Default Dfns dashboard login `https://app.dfns.io`:** users will be required to sign in with their 🔑 passkey, then be redirected to the SSO page.
    * **Direct URL to your SSO:** users will log in and be redirected to the Dfns dashboard automatically. They won't need to use their passkey.
    * **Dfns SSO redirection URL `https://app.dfns.io/sso?orgId=or-*****&clientId=yourSSOclientId`:** users will be redirected to your SSO automatically, without being asked for their passkey.
  </Step>
</Steps>
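The **OpenID Configuration URL** entered in the "Finalize SSO Configuration" step is the only link between Dfns and your identity provider, so it is worth checking the discovery document it points to before saving. The Python script below is an added example, not Dfns code: it derives the well-known URL from an issuer, validates a discovery document (issuer matches, endpoints are HTTPS, the authorization code flow and a client-secret token-endpoint method are advertised, and the `openid`, `email` and `profile` scopes are listed when the provider publishes `scopes_supported`), and runs against a constructed sample document modelled on an Okta tenant. The tenant `example.okta.com` and both sample documents are made up; `fetch_discovery()` is only needed for a live check and is not used by the offline sample.

```python
"""Sanity-check an OIDC discovery document before entering its URL in Dfns.

Added example, not Dfns code. The sample documents below are constructed
to show the shape of a real provider-metadata document.
"""
import json
import urllib.request
from urllib.parse import urlsplit

# Fields every usable provider-metadata document must carry
# (OpenID Connect Discovery 1.0 / RFC 8414).
REQUIRED_FIELDS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")
# The scopes configured in the Google Workspace step above.
REQUIRED_SCOPES = {"openid", "email", "profile"}


def discovery_url(issuer: str) -> str:
    """Derive the well-known URL from an issuer URL (Dfns accepts either form)."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def validate_discovery(doc: dict, expected_issuer: str) -> list[str]:
    """Return a list of problems; an empty list means the document looks usable."""
    problems: list[str] = []

    for field in REQUIRED_FIELDS:
        if field not in doc:
            problems.append(f"missing required field: {field}")

    # The issuer in the document must be the one you expect; a mismatch
    # means the URL points at a different (or misconfigured) provider.
    issuer = doc.get("issuer", "")
    if issuer.rstrip("/") != expected_issuer.rstrip("/"):
        problems.append(f"issuer mismatch: document says {issuer!r}, expected {expected_issuer!r}")

    # Every endpoint Dfns will talk to must be served over HTTPS.
    for field in REQUIRED_FIELDS:
        value = doc.get(field)
        if isinstance(value, str) and urlsplit(value).scheme != "https":
            problems.append(f"{field} is not https: {value}")

    # A web application (Okta "Web Application", Google "Web application")
    # uses the authorization code flow, so "code" must be advertised.
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow (response_type=code) not advertised")

    # Dfns holds a client secret, so the token endpoint must accept one.
    # Per spec the default when the field is absent is client_secret_basic.
    methods = set(doc.get("token_endpoint_auth_methods_supported", ["client_secret_basic"]))
    if not methods & {"client_secret_basic", "client_secret_post"}:
        problems.append("token endpoint does not accept a client secret")

    # scopes_supported is optional; only check it when the provider publishes it.
    scopes = set(doc.get("scopes_supported", []))
    missing = REQUIRED_SCOPES - scopes
    if scopes and missing:
        problems.append("scopes not advertised: " + ", ".join(sorted(missing)))

    return problems


def fetch_discovery(url: str, timeout: float = 10) -> dict:
    """Fetch a live discovery document (needs network; not used by the sample)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


# Constructed sample: hypothetical Okta tenant, valid document.
SAMPLE_ISSUER = "https://example.okta.com"
SAMPLE_DOC = {
    "issuer": "https://example.okta.com",
    "authorization_endpoint": "https://example.okta.com/oauth2/v1/authorize",
    "token_endpoint": "https://example.okta.com/oauth2/v1/token",
    "jwks_uri": "https://example.okta.com/oauth2/v1/keys",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "scopes_supported": ["openid", "email", "profile", "groups"],
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
}

# Constructed sample: wrong issuer, plain-HTTP token endpoint, implicit flow only.
BAD_DOC = dict(
    SAMPLE_DOC,
    issuer="https://other.example",
    token_endpoint="http://example.okta.com/oauth2/v1/token",
    response_types_supported=["id_token"],
)

if __name__ == "__main__":
    print("Configuration URL:", discovery_url(SAMPLE_ISSUER))
    for name, doc in (("sample", SAMPLE_DOC), ("bad", BAD_DOC)):
        problems = validate_discovery(doc, SAMPLE_ISSUER)
        print(f"{name}: {'OK' if not problems else ''}")
        for p in problems:
            print("  -", p)
```

For a live check, replace the sample with `validate_discovery(fetch_discovery(discovery_url(issuer)), issuer)`; the script deliberately treats the issuer you typed as the source of truth rather than trusting whatever the document claims.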

<Check>Your SSO integration is now complete! Your team members can now log in to Dfns using their credentials from your identity provider.</Check>

For issues, contact our <SupportLink>Support Team</SupportLink>.
