
# Single Sign On (SAML)

Single Sign-On (SSO) in Zuper allows your team to securely access the platform using a single set of credentials managed by your Identity Provider (IdP). This streamlines the login process, enhances security, and improves user experience by eliminating the need for multiple logins.

<Frame>
  **Navigation**: *Settings -> Security -> Single Sign On (SAML)*
</Frame>

Before configuring SSO in Zuper, ensure you have the following:

* Admin access to Zuper.
* Admin access to your Identity Provider (IdP), such as Okta, Azure AD,
  OneLogin, Auth0, or another SAML-compliant provider.
* The IdP’s SAML metadata or specific configuration details, including:

  a. Entity ID provided by IdP

  b. SAML SSO URL

  c. Security Certificate (public key or X.509 certificate)

  d. (Optional) Logout URL for Single Logout (SLO)

<Frame>
  ### **Navigation**: *Settings --> Security --> SSO Settings*
</Frame>

<img src="https://mintcdn.com/zuperinc-section23/HaYVJQyRqHRtd36c/images/Sec1.png?fit=max&auto=format&n=HaYVJQyRqHRtd36c&q=85&s=92b90fe86cf22689141e666d04ed3e1b" alt="Sec1 Pn" width="1894" height="866" data-path="images/Sec1.png" />

a. Entity ID provided by IdP (**Mandatory**) - Enter the unique identifier for your IdP (Identity Provider).

* Azure AD: The Microsoft Entra Identifier is located in the Microsoft Entra ID portal under "Enterprise Applications" > \[Your Zuper App] > "**Single Sign-On**" > "SAML."
* Okta: In the Okta admin dashboard, the Issuer URI is under the SAML app settings (e.g., [https://your-org.okta.com](https://your-org.okta.com)).
* Other IdPs: Check the IdP’s SAML metadata XML for the EntityDescriptor entityID="..." value.

b. SAML SSO URL (**Mandatory**) – Enter the URL where Zuper will send SAML authentication requests. This is the IdP’s Single Sign-On endpoint.

* Azure AD: In the same SAML settings, it’s the Login URL (e.g., [https://login.microsoftonline.com/\{tenant-id}/saml2](https://login.microsoftonline.com/\{tenant-id}/saml2)).
* Okta: In the Okta SAML app settings, it’s the Single Sign-On URL.
* Other IdPs: In the SAML metadata XML, look for the SingleSignOnService element with a Location attribute (e.g., SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="[https://idp.example.com/saml/sso](https://idp.example.com/saml/sso)").

c. Choose your Identity Provider (**Mandatory**):

* Select your IdP from the list: Okta, OneLogin, Auth0, Others, or a custom provider.
* This helps Zuper optimize the SSO flow for your IdP.

d. Choose Security Certificate (**Mandatory**):

* Upload the public key certificate (X.509 format) provided by your IdP.

  Where to find it:
* Download the certificate from your IdP’s SAML settings (often in the metadata or as a separate .cer file).
* In the metadata XML, it’s within the X509Certificate tag.
* Click Choose File and upload the certificate. Ensure it says “**File chosen**” after uploading.

Logout URL (Optional):

* If your IdP supports Single Logout (SLO), enter the IdP’s logout URL here.
* This allows users to log out of both Zuper and the IdP simultaneously.

  Where to find it:
* In the IdP’s SAML metadata, look for the SingleLogoutService element (e.g., SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="[https://idp.example.com/saml/logout](https://idp.example.com/saml/logout)").

Mandate SSO (Optional):

* Check this box to enforce SSO for all users. If unchecked, users can still log in with their Zuper credentials as a fallback.

<img src="https://mintcdn.com/zuperinc-section23/HaYVJQyRqHRtd36c/images/Sec2.png?fit=max&auto=format&n=HaYVJQyRqHRtd36c&q=85&s=d52c954d16ee97cd1e64bec269460b62" alt="Sec2 Pn" width="1920" height="878" data-path="images/Sec2.png" />
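
The metadata lookups described above (entityID, SingleSignOnService, SingleLogoutService, X509Certificate), as an added Python example that is not part of Zuper's documentation or code: it pulls the form values out of IdP metadata, fingerprints the certificate bytes, and lists entered values that do not match the metadata exactly. The sample metadata, the `idp.example.com` URLs, the placeholder certificate bytes and the function names are assumptions made for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample: placeholder bytes stand in for the IdP's DER certificate.
PLACEHOLDER_DER = b"constructed placeholder, not a real X.509 certificate"
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.com/saml/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{base64.b64encode(PLACEHOLDER_DER).decode()}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/saml/logout"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def parse_idp_metadata(xml_text):
    """Extract the values the SSO form asks for from IdP metadata XML."""
    # SAML metadata has no need for a DTD; refuse one rather than expand entities.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("unexpected DTD or entity declaration in metadata")
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor" or idp is None:
        raise ValueError("expected an EntityDescriptor with an IDPSSODescriptor")

    def location(tag):  # first endpoint of this type, or None if absent
        el = idp.find(f"md:{tag}", NS)
        return None if el is None else el.get("Location")

    cert = idp.find("md:KeyDescriptor[@use='signing']//ds:X509Certificate", NS)
    if cert is None:  # some IdPs omit the use attribute
        cert = idp.find(".//ds:X509Certificate", NS)
    if cert is None or not cert.text:
        raise ValueError("no X509Certificate in metadata")
    der = base64.b64decode("".join(cert.text.split()))
    return {"entity_id": root.get("entityID"),
            "sso_url": location("SingleSignOnService"),
            "logout_url": location("SingleLogoutService"),
            "cert_sha256": hashlib.sha256(der).hexdigest()}

def mismatches(from_metadata, entered):
    """Fields whose entered value is not exactly equal to the metadata value."""
    return sorted(k for k, v in entered.items() if v != from_metadata.get(k))
```

Before uploading the certificate, compare `cert_sha256` with the SHA-256 fingerprint your IdP's console displays, where it shows one.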

## Configure Zuper in Your Identity Provider

* Create a SAML App:

  In your IdP, create a new SAML application for Zuper.

  * Example: In Okta, go to “**Applications**” > “**Create App Integration**” > “**SAML 2.0**.”
* Enter Zuper’s Details:

  * Single Sign-On URL (ACS URL): Enter the sign-on URL.
  * Audience URI (SP Entity ID): Enter the SP entity ID.
  * Default Relay State (optional): Leave blank unless specified by Zuper.
  * Name ID Format: Typically Email Address (check Zuper’s requirements).
  * Application Username: Map to the user’s email or a unique identifier.
* Attribute Statements (optional):

  * Map user attributes (e.g., email, first name, last name) as Zuper requires. Refer to Zuper’s documentation for specific attribute mappings.
* Download IdP Metadata:

  * After configuring, download the IdP’s SAML metadata or note the Entity ID, SSO URL, and certificate for use in Step 3.

## Test the SSO Configuration

1. Save your settings in Zuper by clicking the Save button.
2. Log out of Zuper and attempt to log in using the SSO option.
   * You should be redirected to your IdP’s login page.
   * After successful authentication, you’ll be redirected back to Zuper and logged in.

## Troubleshooting Tips

* Error: “Invalid SAML Response”:
  * Ensure the Entity ID and SSO URL match exactly between Zuper and the IdP.
  * Verify the certificate is correct and not expired.
* Users Not Redirected:
  * Check that the ACS URL in the IdP matches Zuper’s provided ACS URL.
* Login Fails After Redirect:
  * Confirm that the user’s email in the IdP matches their Zuper account email.
  * Check attribute mappings in the IdP.

The Single Sign-On (SSO) feature in Zuper is a seamless and secure way to streamline your authentication process. With SSO, Zuper empowers users to access the platform and connected applications using a single set of credentials, eliminating the need for multiple logins.
