# 🔐 SAML Single Sign-On (SSO)

Our application supports **SAML-based Single Sign-On (SSO)** to help organizations centrally manage user authentication through their Identity Provider (IdP), such as Okta, Azure AD, or Google Workspace.

### ⚠️ Important Note About Login Options

By default, we use **Google OAuth** to authenticate users. However, **once SAML is enabled**, **Google Sign-In will be disabled**. All users in your organization will be required to log in using your configured **SAML Identity Provider**.

### 1. Enable SAML in Your Admin Console

In your admin settings:

* Navigate to the **Authentication** section.
* Enable the **SAML Enabled** toggle.
* Fill in the **SAML Metadata** of your Identity Provider.
* Save the configuration.

> 📌 Your metadata XML typically starts with:
>
> ```xml
> <?xml version="1.0" encoding="UTF-8"?>
> <md:EntityDescriptor entityID="http://www.okta.com/..."
> ```

<figure><img src="https://803372693-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlIfwCAQgoIa97JJYtlXQ%2Fuploads%2FvxJgbO01rSeimWb0KKzL%2FScreenshot%202025-05-29%20at%2018.01.29.png?alt=media&#x26;token=c86b28ec-edbb-4c3a-8e7a-050360a0f364" alt=""><figcaption><p>SAML Metadata is required</p></figcaption></figure>

### 2. Obtain our Service Provider (SP) Metadata

You will need our Service Provider metadata to configure our service within your Identity Provider. To obtain it, click the **Service Provider Metadata** button on the same page. A modal opens with the following information:

* **Entity ID**
* **ACS (Assertion Consumer Service) URL**
* **NameID Format**

<figure><img src="https://803372693-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlIfwCAQgoIa97JJYtlXQ%2Fuploads%2ForSJJ8EwJE6UrAoviEs6%2FScreenshot%202025-05-29%20at%2018.04.26.png?alt=media&#x26;token=18489e4a-6fac-4b3c-80c4-7122eb3efe9f" alt=""><figcaption><p>The values here are an example from our sandbox environment</p></figcaption></figure>

Use this information to configure a new SAML application in your IdP.

### ✅ Finalize and Test

Once configured:

* Test logging in via your Identity Provider. To do so, click the **Sign in with SSO** button.
  * Sign in with Google will no longer work unless you disable SAML.
  * SSO must be used on both the Web version and the Admin.
* Ensure user accounts match by email address (as per the NameID format).

If you encounter any issues, feel free to reach out to our support team for assistance.

<figure><img src="https://803372693-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlIfwCAQgoIa97JJYtlXQ%2Fuploads%2FDlXxcr5dgkWq9dKHHm7g%2FScreenshot%202025-05-29%20at%2018.09.16.png?alt=media&#x26;token=8b5b2f7e-a1ab-48fa-a072-b27b51603e44" alt=""><figcaption><p>Buttons for login</p></figcaption></figure>

### 👥 Optional: SCIM for User Provisioning

We also support **SCIM (System for Cross-domain Identity Management)** to allow automated provisioning and deprovisioning of users from your Identity Provider.

With SCIM, you can:

* Automatically **create users** in our platform when they're assigned access in your IdP.
* Automatically **deactivate users** when they're unassigned or removed in your IdP.
* Sync user attributes like name, email, and groups.

To enable SCIM:

1. For now, we only support **Bearer Token** authentication, which must be configured in the Admin.
2. The base URL can be obtained by clicking the **SCIM Endpoint** button.
3. Configure your Identity Provider (Okta, Azure AD, etc.) with the provided SCIM endpoint and token.
4. Set up attribute mappings as needed.

> 📌 SCIM is optional but highly recommended for teams managing users at scale.

<figure><img src="https://803372693-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlIfwCAQgoIa97JJYtlXQ%2Fuploads%2FvqIF4Xgp496xzWBuzvgy%2FScreenshot%202025-05-29%20at%2018.16.03.png?alt=media&#x26;token=b85634a0-52d8-4c23-8e66-e8ceacea18ac" alt=""><figcaption></figcaption></figure>

