# Single Sign-On (SSO) Configuration

> Configure OpenID Connect (OIDC) authentication for your Oso Cloud organization with Okta or Microsoft Entra.

## Prerequisites

You need:

* **Growth plan** subscription
* **Admin access** to your identity provider (Okta or Microsoft Entra)
* Identity provider that supports **OpenID Connect Discovery**

<Warning>Contact your Oso Cloud team before starting. Some configuration steps require team member assistance.</Warning>

## Configure SSO with Okta

### Create OIDC Application

1. **Log into Okta Admin Console**

2. **Navigate to Applications** → **Create App Integration**

3. **Select integration settings:**
   * Sign-on method: **OIDC - OpenID Connect**
   * Application type: **Web Application**

4. **Configure application settings:**
   * Check **Authorization Code** in Core grants (no other grants needed)
   * **Sign-in redirect URI:** `https://ui.osohq.com/web/oauth/oidc/callback`
   * **Logout redirect URI:** `https://ui.osohq.com/web/logout`

5. **Set user assignments:**

   Choose which users can access Oso Cloud through this application. Users still need manual invites to your Oso Cloud organization.

6. **Click Save**

### Optional: Configure Identity Provider (IdP) Initiated Login

Enable users to launch Oso Cloud directly from Okta:

1. **Navigate to General tab** of your created application
2. **Configure login settings:**
   * Login initiated by: **Either Okta or app**
   * Initiate login URI: `https://ui.osohq.com/web/oauth/oidc/CUSTOMER_ID/login/`

Replace `CUSTOMER_ID` with your 3-5 character identifier.

### Gather Required Information

**Copy these values** from your Okta application's General tab:

* **Client ID**
* **Client Secret**
* **OIDC Discovery URL** (example: `https://trial-8895628.okta.com/.well-known/openid-configuration`)

**Choose a Customer ID:** Create a short 3-5 character identifier (example: `acme`).

Send these to your Oso Cloud contact for final setup.

## Configure SSO with Microsoft Entra

### Create Application Registration

1. **Log into Azure portal**

2. **Navigate to Microsoft Entra ID** → **Manage** → **App Registrations**

3. **Click New registration**

4. **Configure registration:**
   * Provide application name
   * Select supported account types (single or multi-tenant)
   * Redirect URI platform: **Web**
   * Callback URL: `https://ui.osohq.com/web/oauth/oidc/callback`

5. **Click Register**

### Configure Application

1. **Generate client secret:**
   * Navigate to **Certificates & Secrets**
   * Create new client secret

2. **Copy required values:**
   * **Client ID** (from Overview tab)
   * **Client Secret** (from step 1)
   * **OpenID Connect metadata URL** (from Endpoints)

**Choose a Customer ID:** Create a short 3-5 character identifier (example: `acme`).

Send these to your Oso Cloud contact for final setup.
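Before handing over the discovery URL (Okta) or metadata URL (Entra), you can check that the document it serves is consistent with the Authorization Code setup described above. This is an added example, not Oso Cloud tooling: `check_discovery`, the `idp.example.com` host and the sample document are constructed for illustration, and fetching the document from your own IdP is left to you.

```python
import json
from urllib.parse import urlsplit

SUFFIX = "/.well-known/openid-configuration"
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri",
            "response_types_supported", "subject_types_supported",
            "id_token_signing_alg_values_supported")

def check_discovery(discovery_url, document):
    """Return a list of problems found in an OIDC discovery document (empty = OK)."""
    if not discovery_url.endswith(SUFFIX):
        return [f"discovery URL must end with {SUFFIX}"]
    try:
        meta = json.loads(document)
    except ValueError:
        return ["discovery document is not valid JSON"]
    if not isinstance(meta, dict):
        return ["discovery document is not a JSON object"]
    problems = [f"missing required field: {k}" for k in REQUIRED if k not in meta]
    # OIDC Discovery: the issuer must equal the discovery URL minus the suffix.
    expected = discovery_url[:-len(SUFFIX)]
    if "issuer" in meta and meta["issuer"] != expected:
        problems.append(f"issuer {meta['issuer']!r} does not match {expected!r}")
    for key in ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri"):
        value = meta.get(key)
        if isinstance(value, str) and urlsplit(value).scheme != "https":
            problems.append(f"{key} is not an https URL")
    # This page enables only the Authorization Code grant, so "code" must be offered.
    if "code" not in meta.get("response_types_supported", []):
        problems.append("response type 'code' is not advertised")
    # grant_types_supported is optional; the spec default includes authorization_code.
    grants = meta.get("grant_types_supported", ["authorization_code", "implicit"])
    if "authorization_code" not in grants:
        problems.append("authorization_code grant is not advertised")
    return problems

# Constructed sample for a hypothetical IdP; not captured from a real tenant.
SAMPLE_URL = "https://idp.example.com/.well-known/openid-configuration"
SAMPLE_DOC = json.dumps({
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/oauth2/v1/authorize",
    "token_endpoint": "https://idp.example.com/oauth2/v1/token",
    "jwks_uri": "https://idp.example.com/oauth2/v1/keys",
    "response_types_supported": ["code", "id_token"],
    "grant_types_supported": ["authorization_code"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
})
```

Pass the URL you plan to submit and the JSON text it returns; an empty list means the document passed every check.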

## Sign In with SSO

1. **Navigate to** [https://ui.osohq.com/](https://ui.osohq.com/)
2. **Select "Log in with SSO"**
3. **Enter your Customer ID** (provided by your team or chosen during setup)
4. **Click Continue**

Oso Cloud redirects you to your identity provider for authentication, then returns you to complete the sign-in process.

## Important Limitations

* **Manual user invites required.** SSO does not automatically add users.
* **No SCIM/JIT provisioning.**
* **Org migrations.** Re-invite all users with corporate emails; SSO and non-SSO logins are separate accounts.
* **Non-SSO access remains.** Remove users manually if enforcing SSO-only.
