Enterprise single sign-on lets users authenticate through their organization's identity provider (IdP). Authdog supports SAML 2.0 and OpenID Connect (OIDC), then routes users to an active connection by configured email domain.

First-class choices include Okta and JumpCloud over SAML; Microsoft Entra ID and BeyondTrust over OIDC; and Ping Identity over SAML in the current provider catalog. Generic **SAML 2.0** and **OpenID Connect** connectors are also available.

## Create a connection

In the [Authdog console](https://console.authdog.com):

1. Select the target project and environment.
2. Open **Authentication → Providers**.
3. Filter to **Enterprise**.
4. Choose the vendor or generic protocol connector.
5. Copy Authdog's displayed service-provider values into the IdP.
6. Enter the IdP values in Authdog.
7. Add the email domains that should discover this connection.
8. Save, then use **Test** before inviting users.

Enterprise providers can have multiple connections in one environment. Give each a clear connection name and non-overlapping discovery domains.

## Configure SAML

Authdog displays:

- SP-initiated sign-in URL
- ACS / Reply URL
- SP Entity ID / audience
- Downloadable SP metadata XML

Configure those exact values in the IdP. Then provide Authdog with:

- IdP SSO URL
- IdP X.509 signing certificate
- Connection name

You can import IdP metadata from a URL or paste metadata XML. Import fills available SSO URL, certificate, entity ID, and logout URL fields; it runs only when you select **Fetch** or **Parse & autofill**.

Optional controls include logout, login hints, signed requests, protocol binding, and request template. Prefer RSA-SHA256 and SHA-256 when request signing is required; SHA-1 options exist only for compatibility with older IdPs.

## Configure OIDC

Authdog displays the redirect / callback URL to register at the IdP. For an external provider, enter:

- Connection name
- OIDC discovery URL
- Client ID
- Client secret

The current first-class OIDC vendors use this external-provider configuration. Authdog also supports an internal mode that selects an OIDC client already registered in the environment.

Use the exact discovery document URL and callback URL. A base issuer URL that does not serve the expected discovery document will not configure the connection correctly.

## Route users by email domain

In **Email domains (for SSO discovery)**, enter one or more domains separated by commas, for example:

```text
acme.com, eu.acme.com
```

An entry matches the exact email domain and its subdomains. For example, `acme.com` also matches `eu.acme.com`. Only active enterprise connections participate in discovery.

Avoid overlapping entries across connections. Resolution uses the first active matching connection returned for the environment, so overlaps can route users unpredictably.

## Test before rollout

1. Use the connection's **Test** action.
2. Test SP-initiated sign-in.
3. Confirm the IdP sends the expected stable subject and email claims.
4. Exercise MFA and conditional-access rules at the IdP.
5. Test logout only if you enabled it.
6. Test through the [Account Portal](/docs/account-portal) or your embedded sign-in UI with a discovery-domain address.
7. Repeat in production with production URLs and credentials.

## Security guidance

- Pin SAML trust to the IdP certificate supplied through metadata or secure administrator exchange.
- Track SAML certificate expiry and rotate before the IdP removes the old certificate.
- Use HTTPS discovery, SSO, logout, and callback URLs.
- Store OIDC client secrets only in Authdog and the IdP; never browser code.
- Keep request signing on SHA-256 algorithms unless an IdP strictly requires legacy SHA-1.
- Verify organization administrators before allowing self-service setup through the [Admin Portal](/docs/admin-portal).
- Keep a recovery sign-in path while testing policy changes so a bad IdP configuration does not lock out operators.

## Operational notes

- Changing a [custom domain](/docs/custom-domains) can change the callback URL. Update the IdP allowlist with the URL currently shown in the connection form.
- Metadata import does not automatically refresh later. Review IdP metadata and certificates during rotations.
- Removing a connection schedules it for deletion; verify another sign-in method works first.
- Missing SAML SSO URL or certificate is rejected. OIDC connections require client credentials and a discovery/issuer URL.
- Copy connection ID from **Configured** when support or audit work needs an unambiguous identifier.

## Related

- [Admin Portal](/docs/admin-portal) — customer-admin self-service setup links
- [Account Portal](/docs/account-portal) — end-user hosted sign-in
- [Authentication](/docs/concepts/authentication) — connection and session model
- [Organizations](/docs/concepts/organizations) — customer organization model
- [Provisioning](/docs/concepts/provisioning) — SCIM and directory lifecycle
- [Custom domains](/docs/custom-domains) — callback hostname setup
- [Security](/docs/security) — session and federation security
