> ## Documentation Index
> Fetch the complete documentation index at: https://docs.charlemagnelabs.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# SSO

> Configure Single Sign-On with SAML 2.0 or OIDC for your organization

<Note>
  SSO configuration is available on the **Enterprise** plan.
</Note>

Charley supports Single Sign-On via **SAML 2.0** and **OIDC** (OpenID Connect), letting your team authenticate through your existing identity provider (IdP).

## Supported Identity Providers

* Okta
* Microsoft Entra ID (Azure AD)
* Google Workspace
* Any SAML 2.0 or OIDC-compliant provider

## SAML 2.0 Setup

<Steps>
  <Step title="Create a SAML application in your IdP">
    In your identity provider, create a new SAML 2.0 application. You'll need the following Charley values:

    | Field          | Value                                             |
    | -------------- | ------------------------------------------------- |
    | ACS URL        | `https://your-tenant.us.auth0.com/login/callback` |
    | Entity ID      | `urn:auth0:charley:<your-org-slug>`               |
    | Name ID format | Email address                                     |
  </Step>

  <Step title="Download the IdP metadata">
    After creating the app in your IdP, download the **SAML metadata XML** file.
  </Step>

  <Step title="Enter SSO settings in Charley">
    Go to **Settings** → **SSO** in the dashboard and enter:

    * **IdP Metadata URL** or paste the XML directly
    * **Attribute mapping** for email and display name
  </Step>

  <Step title="Test the connection">
    Click **Test SSO** to verify the configuration with a test login before enforcing SSO for all members.
  </Step>
</Steps>

## OIDC Setup

<Steps>
  <Step title="Create an OIDC application in your IdP">
    Register a new OIDC/OAuth2 application. Set the **Redirect URI** to:

    ```
    https://your-tenant.us.auth0.com/login/callback
    ```
  </Step>

  <Step title="Gather your credentials">
    Note the **Client ID**, **Client Secret**, and **Issuer URL** from your IdP.
  </Step>

  <Step title="Enter OIDC settings in Charley">
    Go to **Settings** → **SSO** and fill in:

    * **Issuer URL**
    * **Client ID**
    * **Client Secret**
  </Step>
</Steps>

## Enforcing SSO

Once SSO is configured and tested, you can **enforce SSO** for your organization. When enforced:

* Members must authenticate via the IdP — username/password login is blocked.
* New members provisioned by the IdP are automatically added to the organization.

<Warning>
  Enforce SSO only after confirming at least one admin can authenticate via the IdP. Locking yourself out requires contacting Charley support.
</Warning>
