Configure SSO

Enable Single Sign-On (SSO) to streamline access across your services for enterprise users. This guide outlines the steps for setting up SSO using the Logto console.

Enabling SSO in sign-in experience

  1. Enable enterprise SSO: Go to the Logto console and navigate to "Sign-in experience > Sign-in and Sign-up". Locate and enable the "Enterprise SSO" toggle. A "Use Single Sign-On" button then appears in the preview on the right.

    Once enabled, enterprise users with SSO-enabled email domains can access your services using their enterprise identity providers (IdPs). This is achieved through email domain redirection. Read the next doc to learn more about the SSO experience.

  2. Save changes: Save your settings to activate these changes.

[Image: Sign-in experience, enable enterprise SSO]

Configuring enterprise connectors

Enterprise connectors are required to enable SSO for each of your enterprise clients. A connector handles the authentication exchange between your service and that client's enterprise IdP.

Step 1: Create a new enterprise connector

  1. Access the Enterprise SSO section: In the Logto Console, select "Enterprise SSO".
  2. Add a connector: Click "Add enterprise connector" and choose a suitable one. Preferred options are the built-in connectors for Okta, Azure AD, and Google Workspace. For other IdPs, select the generic SAML or OIDC connector.
  3. Name and create: Assign a unique name to the connector (e.g., "IdP-name for Organization-name") and click "Create". You are then taken to the configuration pages of this connector.

[Image: Create enterprise connector]

Step 2: Configure connection with IdP

In the โ€œConnectionโ€ tab, set up the connection between your service and the chosen IdP. For assistance, refer to the โ€œConnection guideโ€ or the documentation specific to each IdP in below. The system will auto-test the connection upon saving. Incorrect configurations will not be saved.

  • SAML
  • OIDC
  • Azure AD
  • Google Workspace
  • Okta

[Image: Configure SSO connection]

Step 3: Customize SSO experience and email domain

In the โ€œExperienceโ€ tab:

  1. Set email domain: Define the enterprise email domain whose users are directed to this connector's IdP.
  2. User profile sync: Choose when to sync user profiles from the IdP. Options are syncing only at registration or at every sign-in. Note: Syncing at every sign-in overwrites user profile data stored in your application with the IdP's values.
  3. Display customization: Optionally, customize the display name and logo for the connector. This is useful when multiple connectors are associated with a single email domain, since users must be able to tell them apart.

[Image: Configure SSO experience]

caution

An enterprise connector only becomes active in the authentication flow once both the "Connection" settings are complete and an "Enterprise email domain" has been added.
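The following added example (not Logto's own code) models the three rules this page describes: the email-domain redirection that picks a connector, the activation rule in the caution above, and the profile-sync policy from Step 3. The `EnterpriseConnector` class, its fields and the sample connectors are hypothetical constructions for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class EnterpriseConnector:
    """Hypothetical model of one enterprise connector as configured in the console."""
    name: str
    connection_configured: bool                 # "Connection" tab saved and auto-tested
    email_domains: set[str] = field(default_factory=set)  # "Enterprise email domain(s)"
    sync_profile_every_sign_in: bool = False    # False = sync only at registration

    def is_active(self) -> bool:
        # Caution rule: a connector takes part in sign-in only when BOTH
        # the connection is complete AND at least one email domain is set.
        return self.connection_configured and bool(self.email_domains)


def resolve_connectors(email: str, connectors: list[EnterpriseConnector]) -> list[EnterpriseConnector]:
    """Email-domain redirection: return the active connectors matching the address's domain.
    More than one match means the sign-in page must let the user choose, which is why
    the display name and logo can be customized per connector."""
    if "@" not in email:
        return []                                # not an email address, no redirection
    domain = email.strip().lower().rsplit("@", 1)[1]
    if not domain:
        return []
    return [c for c in connectors if c.is_active() and domain in c.email_domains]


def sync_profile(local: dict, idp_claims: dict, connector: EnterpriseConnector,
                 is_registration: bool) -> dict:
    """Apply the connector's sync policy. With every-sign-in sync the IdP claims
    overwrite locally edited fields, which is the overwrite risk noted in Step 3."""
    if is_registration or connector.sync_profile_every_sign_in:
        return {**local, **idp_claims}
    return dict(local)


def demo() -> list[str]:
    """Constructed sample connectors: one domain served by two active connectors,
    a draft connector with no connection, and a connector with no domain."""
    connectors = [
        EnterpriseConnector("Okta for Acme", True, {"acme.com"}, sync_profile_every_sign_in=True),
        EnterpriseConnector("Azure AD for Acme", True, {"acme.com"}),
        EnterpriseConnector("Draft SAML for Acme", False, {"acme.com"}),
        EnterpriseConnector("Google Workspace for Contoso", True, set()),
    ]
    return [c.name for c in resolve_connectors("Alice@ACME.com", connectors)]
```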