# Single Sign-On (SAML SSO)

SSO is a secure and user-friendly way of accessing our platform using your organization's identity.

<figure><img src="/files/b8WbdJiDTsiSVVEKFLdm" alt=""><figcaption><p>Enable SSO in your Enterprise bot.</p></figcaption></figure>

{% hint style="warning" %}
Single Sign-On (SAML SSO) is only available in the Enterprise pack or higher. Want to upgrade? [Get in touch](/support/get-in-touch.md).
{% endhint %}

Our SSO solution is compliant with SAML 2.0. This lets you connect a wide range of identity and access management (IAM) systems, such as:

* Azure Active Directory
* Okta
* OneLogin
* Ping Identity

## Set up your SAML SSO

### With Azure AD

We'll guide you through the entire process of setting up SAML SSO through Azure Active Directory in a few steps.

{% hint style="info" %}
You can also find out more about the setup process on the [Azure AD documentation pages](https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/add-application-portal-setup-sso).
{% endhint %}

#### Create an app with users

To create an Azure Active Directory app:

1. Go to the Azure portal: [https://portal.azure.com](https://portal.azure.com/#home).
2. Open the Azure Active Directory service.

![Open the Azure Active Directory service in your Azure portal.](/files/-McOYh9Fzu-KSitvmLTL)

3. Follow the **Enterprise applications** menu entry.

![](/files/-McO_cqHd7m-mgjgRg1H)

4. Create a new application by pressing the **Create your own application** button.
5. A form will appear. Give the new application a fitting name; in this example, we called it 'Chatlayer'.
6. Select the **Non-gallery** option.

![Create your own Azure application.](/files/-McOaBG_4biSKvHK1z9r)

7. Assign users to your app following the [Microsoft documentation](https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/add-application-portal-assign-users).

#### Configure your SAML protocol

SAML (Security Assertion Markup Language) is a protocol for securely authenticating users to applications.

1. Open your [Azure Portal](https://portal.azure.com).
2. Open the **Single sign-on** tab.
3. Select **SAML**.

![Add a SAML method for SSO.](/files/-McOcrj6ZYR1MeZk1-tk)

4. A five-step configuration window opens.
5. Fill in the following fields to start:
   * For **Identifier (Entity ID)**, paste the URL for your region:
     * EU: `https://auth.chatlayer.ai/auth/realms/Chatlayer`
     * US: `https://auth.prod.us-east4.gcp.chatlayer.ai/auth/realms/Chatlayer`
     * Asia: `https://auth.prod.asia-south1.gcp.chatlayer.ai/auth/realms/Chatlayer`
   * For **User Attributes & Claims**, keep the default values.

<figure><img src="/files/xJX9sQk7rreTXxQzMOsA" alt=""><figcaption></figcaption></figure>

6. In another browser tab, open [Chatlayer](https://app.chatlayer.ai/).
7. Under your **Settings** tab, click on **Team**.

<figure><img src="/files/8vrvg6lTLuLKi63F7xng" alt=""><figcaption><p>Open your Team tab.</p></figcaption></figure>

8. Turn on the **Enable SAML authentification** toggle.

<figure><img src="/files/oEaJbwRaVsKSXXGuxjGu" alt=""><figcaption><p>Enable SAML on Chatlayer.</p></figcaption></figure>

9. Additional fields appear underneath. Copy the link under **Assertion consumer service URL (ACS)** by clicking on the copy/paste icon to the right.

<figure><img src="/files/LLPIIjrHN80CuGtRKfbg" alt=""><figcaption><p>Copy the Assertion consumer service URL to enable SAML.</p></figcaption></figure>

10. Go back to your Azure portal.
11. Under **Assertion Consumer Service URL**, paste the URL from Chatlayer.
12. Under **SAML Signing Certificate**, click on **Download** to download the certificate.

<figure><img src="/files/1Dofieumwu2XEWqrBjAW" alt=""><figcaption><p>Download the SAML Base64 certificate.</p></figcaption></figure>

13. Open the downloaded certificate in a text editor.
14. From the text editor, copy the value of the certificate.
15. Back in Chatlayer, paste this value under **Public certificate**.
16. Back in Azure, under **Set up Chatlayer**, copy the **Login URL** and paste it into the **Sign on URL** field on Chatlayer.
17. Do the same for the identifier: copy the **Azure AD Identifier** and paste it into the **Issuer** field on Chatlayer.

<figure><img src="/files/ObXuurJzoz1nFxJdkgsg" alt=""><figcaption><p>Copy and paste the Login and Identifier from Azure to Chatlayer.</p></figcaption></figure>

18. On Chatlayer, you should now have the following fields filled in:

![Copy and paste the needed fields on Chatlayer.](/files/-McSzvOKiXTyP9N8yf3l)

19. **Save** your changes on Chatlayer.
20. **Save** your changes on Azure AD.

Members of your AD organization can now log in to the Chatlayer application.
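To cross-check the three values copied by hand in steps 12 to 17, the sketch below compares them with the identity provider's SAML 2.0 metadata XML. It is an added example, not Chatlayer or Microsoft code; the function names are hypothetical, and the metadata document, tenant URL and certificate body are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed placeholders: not a real tenant, login URL or certificate.
SAMPLE_ISSUER = "https://idp.example.test/TENANT-PLACEHOLDER/"
SAMPLE_URL = "https://idp.example.test/TENANT-PLACEHOLDER/saml2"
SAMPLE_CERT = "TUlJQ29uc3RydWN0ZWRQbGFjZWhvbGRlcg=="
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{NS['md']}" entityID="{SAMPLE_ISSUER}">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="{NS['ds']}"><X509Data>
      <X509Certificate>{SAMPLE_CERT}</X509Certificate>
    </X509Data></KeyInfo></KeyDescriptor>
    <SingleSignOnService Location="{SAMPLE_URL}"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

def cert_body(text):
    """Strip PEM BEGIN/END lines and all whitespace, leaving the Base64 body."""
    return re.sub(r"-----[A-Z ]+-----|\s+", "", text)

def idp_values(metadata_xml):
    """Return the issuer, sign-on URLs and signing certificates the IdP publishes."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    # A KeyDescriptor without a 'use' attribute applies to signing as well.
    certs = {cert_body(c.text or "") for kd in idp.findall("md:KeyDescriptor", NS)
             if kd.get("use", "signing") == "signing"
             for c in kd.iterfind(".//ds:X509Certificate", NS)}
    urls = {s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    return {"issuer": root.get("entityID"), "urls": urls, "certs": certs}

def check_sp_fields(metadata_xml, issuer, sign_on_url, public_certificate):
    """List the Chatlayer fields whose pasted value differs from the IdP metadata."""
    idp = idp_values(metadata_xml)
    problems = []
    if issuer != idp["issuer"]:          # exact match: a dropped slash counts
        problems.append("Issuer")
    if sign_on_url not in idp["urls"]:
        problems.append("Sign on URL")
    if cert_body(public_certificate) not in idp["certs"]:
        problems.append("Public certificate")
    return problems
```

An empty list means all three fields agree with the metadata; any name returned is the field to re-copy before saving.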

{% hint style="warning" %}
We do not currently offer role-mapping of Azure AD roles to Chatlayer roles. You can find out more about roles and access control on our [user management page](https://docs.chatlayer.ai/bot-answers/user-management).
{% endhint %}

### With Okta

To set up SAML SSO through Okta:

1. Create a new app integration in Okta.
2. Select SAML 2.0.

![Create an app with SAML 2.0 on Okta.](/files/nyCiuFbDUnU1NjieVLZk)

3. Give the newly created SAML 2.0 app a name.

![](/files/h624i2kf9fVZkjXnUgNM)

4. Fill in the Single sign on URL with the Assertion consumer service URL retrieved from Chatlayer, and set the Audience URI to the URL for your region:
   1. EU: `https://auth.chatlayer.ai/auth/realms/Chatlayer`
   2. US: `https://auth.prod.us-east4.gcp.chatlayer.ai/auth/realms/Chatlayer`
   3. Asia: `https://auth.prod.asia-south1.gcp.chatlayer.ai/auth/realms/Chatlayer`

![](/files/XjBpO5jHHgX2tr6xxdjG)

5. Select the following settings in the 'Feedback' step of the Okta configuration:

![](/files/uZ8PwOCrEtlSDui3hyze)

## Require SAML SSO for all

At the bottom of your **Team** page, under your **SAML single sign-on** toggle, you can turn on the **Require SAML SSO authentification for all members** toggle.

<figure><img src="/files/1UENNHvPdNDrXELbEL6R" alt=""><figcaption><p>Turn on this toggle.</p></figcaption></figure>

If you turn on this toggle, only people who have SSO will have access to the bot.

{% hint style="success" %}
Therefore, the toggles for SSO offer two options:

* Either the first toggle is on and the second toggle isn't: users who have SSO can log in to the bot with it, and other users log in with their own credentials.
* Or the two toggles are on: only users who have SSO can log in to your bot.
{% endhint %}

