
# Single Sign-On (SSO)

> Configure SAML Single Sign-On for your organization

## Overview

Single Sign-On (SSO) allows your team members to authenticate using your organization's identity provider (IdP). This provides centralized authentication management and enhanced security.

## What is SSO?

Single Sign-On allows users to:

| Benefit                      | Description                                |
| ---------------------------- | ------------------------------------------ |
| **One Password**             | Use existing corporate credentials         |
| **Centralized Access**       | IT controls access from one place          |
| **Automatic Provisioning**   | Users created automatically on first login |
| **Automatic Deprovisioning** | Access revoked when removed from IdP       |
| **Enhanced Security**        | Leverage your IdP's security features      |

## Supported Identity Providers

Royaltyport supports a wide range of identity providers:

<AccordionGroup>
  <Accordion title="Popular Providers">
    * Okta (SAML & OIDC)
    * Entra ID / Azure AD (SAML & OIDC)
    * Google Workspace (SAML & OIDC)
    * OneLogin
    * JumpCloud SAML
    * Auth0 SAML
    * Duo SAML
  </Accordion>

  <Accordion title="Enterprise Providers">
    * Microsoft AD FS
    * PingFederate
    * PingOne
    * CyberArk SAML
    * Oracle
    * Salesforce
    * VMware Workspace One
    * NetIQ SAML
  </Accordion>

  <Accordion title="Other Providers">
    * ADP (OIDC)
    * CAS SAML
    * ClassLink SAML
    * Cloudflare SAML
    * Clever (OIDC)
    * Keycloak SAML
    * LastPass SAML
    * Login.gov (OIDC)
    * miniOrange SAML
    * Rippling
    * Shibboleth
    * SimpleSAMLphp SAML
  </Accordion>

  <Accordion title="Custom Configuration">
    * Custom SAML 2.0
    * Custom OpenID Connect (OIDC)
  </Accordion>
</AccordionGroup>

<Note>
  The setup process varies by identity provider. The onboarding process provides step-by-step instructions specific to your chosen provider during configuration.
</Note>

## Enabling SSO

### Step 1: Add and Verify Your Domain

You must verify at least one domain before configuring an identity provider. The logged-in user must have an email address belonging to the domain they are trying to verify (e.g., to verify `yourcompany.com`, you must be logged in as `user@yourcompany.com`).

<Steps>
  <Step title="Add Domain">
    Go to **Organization Settings** → **Security** and click **Add Domain**. Enter your email domain (e.g., `yourcompany.com`).
  </Step>

  <Step title="Open Verification">
    Click the **Verify** button next to your domain. This opens a new page with DNS verification instructions.
  </Step>

  <Step title="Add DNS Record">
    Follow the instructions to add a TXT record to your domain's DNS settings. The exact steps depend on your DNS provider.
  </Step>

  <Step title="Wait for Verification">
    You can wait on the verification page for automatic detection, return to the Security settings page and check periodically, or close the page entirely — all organization admins will receive an email once the domain is verified. DNS changes can take up to 48 hours to propagate.
  </Step>

  <Step title="Confirmation">
    Once verified, the domain status will show **Verified** and you can proceed to configure your identity provider.
  </Step>
</Steps>

<Warning>
  Once an identity provider is activated, verified domains can no longer be changed. Make sure your domain is correct before proceeding.
</Warning>

### Step 2: Configure Your Identity Provider

After at least one domain is verified, you can configure your identity provider:

1. Click **Configure Provider** in the Connection section
2. This opens the setup portal
3. Select your identity provider (e.g., Google Workspace, Okta, Azure AD)
4. Follow the step-by-step instructions provided

The setup portal guides you through the whole configuration for your specific provider, including:

* Creating an application in your IdP
* Configuring SAML settings
* Uploading certificates or metadata
* Testing the connection

Once your identity provider is successfully configured, all organization admins will receive an email confirmation.

### Step 3: Enable SSO

After your provider is configured and active:

1. Return to Royaltyport **Organization Settings** → **Security**
2. Toggle **Enable SSO** to allow SSO sign-in
3. Members with verified domain emails can now sign in via SSO

### Step 4: Enforce SSO (Optional)

To require SSO for all users with your domain email:

1. Toggle **Enforce SSO**
2. Password login is disabled for users with your domain email
3. New sign-ups from your domain are blocked and must use SSO

<Warning>
  Before enforcing SSO, ensure all users can successfully authenticate through your IdP. Locked-out users will need admin assistance.
</Warning>

## SSO and External Collaborators

SSO is enforced at the **organization level**. When SSO is enforced:

* **Organization members** — All organization members must authenticate via SSO. New organization members cannot be created without SSO.
* **Project team members** — External collaborators from other domains can still be invited as project team members. They authenticate with their own credentials (password or their own organization's SSO).

This allows your organization to maintain strict authentication requirements for internal users while still collaborating with external partners on specific projects.
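As an added illustration (not Royaltyport's own code), the following Python model captures the login-routing rules described in Steps 3 and 4 and in this section: which sign-in methods an address gets under **Enable SSO** versus **Enforce SSO**, why only a **Verified** domain counts, and a pre-enforcement check for the lockout risk the warning above mentions. The `OrgSecurity` dataclass, the `sso_linked` flag and the method names are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class OrgSecurity:
    """Constructed model of the Security page: domain statuses plus the two toggles."""
    domains: dict = field(default_factory=dict)  # domain -> "Pending" | "Verified" | "Failed"
    sso_enabled: bool = False                    # "Enable SSO" toggle
    sso_enforced: bool = False                   # "Enforce SSO" toggle (assumes Enable is on)

def email_domain(email: str) -> str:
    """Lower-cased domain part of an address, or '' if the address is malformed."""
    local, sep, domain = email.strip().rpartition("@")
    return domain.lower() if sep and local and domain else ""

def is_org_domain(org: OrgSecurity, email: str) -> bool:
    """Only a domain whose status is Verified counts; Pending or Failed do not."""
    return org.domains.get(email_domain(email)) == "Verified"

def sign_in_methods(org: OrgSecurity, email: str) -> set:
    """Sign-in methods the login page may offer for this address.

    Enforcement is organization-level and applies only to addresses on verified
    domains; external collaborators keep a password or their own organization's SSO.
    """
    if not is_org_domain(org, email):
        return {"password", "external_sso"}
    if org.sso_enforced:
        return {"sso"}                  # password login disabled for domain users
    return {"password", "sso"} if org.sso_enabled else {"password"}

def signup_allowed(org: OrgSecurity, email: str, via_sso: bool) -> bool:
    """With Enforce SSO on, new sign-ups from a verified domain must come through SSO."""
    if is_org_domain(org, email) and org.sso_enforced:
        return via_sso
    return True

def users_at_risk(org: OrgSecurity, members) -> list:
    """Pre-enforcement check: domain members who have never completed an SSO login.

    `members` is an iterable of (email, sso_linked) pairs; `sso_linked` is an
    assumed flag meaning the account has been created or linked through the IdP.
    Enforcing SSO would lock these users out until an admin assists them.
    """
    return [email for email, linked in members if is_org_domain(org, email) and not linked]
```

Run `users_at_risk` against your member list before flipping **Enforce SSO**; an empty result is the condition the warning above asks you to confirm.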

## Domain Verification

| Status       | Description                                             |
| ------------ | ------------------------------------------------------- |
| **Pending**  | Verification in progress                                |
| **Verified** | Domain ownership confirmed                              |
| **Failed**   | Verification unsuccessful (check DNS settings or retry) |

## SSO Status

The Security page displays:

| Field               | Description                     |
| ------------------- | ------------------------------- |
| **Connection Name** | The name of your configured IdP |
| **Connection Type** | SAML                            |
| **Status**          | Active or Inactive              |

## User Experience

### First-Time SSO Login

1. User visits Royaltyport login page
2. Enters email address
3. Redirected to organization's IdP
4. Authenticates with corporate credentials
5. Redirected back to Royaltyport
6. Account created automatically or linked to existing account

### Returning SSO Login

1. User visits Royaltyport login page
2. Enters email address
3. Redirected to IdP (may be instant if already logged in)
4. Redirected back to Royaltyport, logged in

## Permission Requirements

| Action             | Required Role |
| ------------------ | ------------- |
| View SSO settings  | Admin, Owner  |
| Configure SSO      | Admin, Owner  |
| Enable/disable SSO | Admin, Owner  |
| Verify domain      | Admin, Owner  |

## Troubleshooting

<AccordionGroup>
  <Accordion title="SSO login fails">
    Return to the portal via **Configure Provider** to check your IdP configuration. Verify the certificate hasn't expired and that the connection status is Active.
  </Accordion>

  <Accordion title="Domain verification fails">
    DNS changes can take up to 48 hours to propagate. Verify the TXT record is correctly added to your domain's DNS settings.
  </Accordion>

  <Accordion title="User not provisioned">
    Ensure the user's email matches a verified domain. They may need to sign in via SSO first to create their account.
  </Accordion>

  <Accordion title="Locked out of organization">
    Contact Royaltyport support if all Owners are locked out due to SSO issues.
  </Accordion>
</AccordionGroup>
