
About SSO

supports SSO via SAML 2.0 and OpenID Connect (OIDC), letting your organization manage access through your existing identity provider (IdP). Common IdPs include Okta, Microsoft Entra ID (formerly Azure AD), OneLogin, Ping Identity, and Google Workspace.
Users can also sign in with Google or GitHub without any additional setup. This page covers SSO setup via SAML 2.0 and OIDC only.

Availability

SSO via SAML 2.0 and OIDC is available on the Enterprise plan.

What to Know Before Enabling SSO

SSO Replaces Existing Login Methods

Once SSO is enabled for your organization, it becomes the only way users can log in to . Users will no longer be able to sign in with a password, Google, or GitHub. This is by design; it ensures that all user access is managed through your IdP, so your organization’s security policies are consistently enforced. To avoid disruption, communicate this change to all users in your organization before enabling SSO.

User Access and JIT Provisioning

Your IT department controls who can access through your IdP by managing user groups. Having a company email address does not automatically grant access. Users must be included in the group configured for in your IdP. When setting up SSO, let the team know which option you prefer for adding users to your organization:
  • By invitation: Only users who have been invited to your organization can log in, even after SSO is enabled. For information about manually inviting users, see Organizations & Members.
  • Just-in-Time (JIT) provisioning: Any user in your IdP’s user group who successfully authenticates via SSO is automatically added to your organization the first time they log in, with no invitation required.

Enable SSO

SSO setup involves multiple steps and ongoing coordination between your team and the team. Here is an overview of the process:
  1. Request SSO through your Organization Settings.
  2. The team reaches out to begin the process.
  3. Share the required information with the team: SAML 2.0 or OIDC.
  4. The team enters your information in the backend.
  5. The team shares configuration details with you. Add these to your IdP.
  6. Test that SSO is working correctly.

Request SSO

To request SSO:
  1. Log in to https://va.landing.ai/.
  2. Go to the Organization Settings page (to navigate there manually, click your profile icon at the bottom left corner of the page and click Organization Settings).
  3. In the Single Sign-On (SSO) box, click Contact Support. This sends an automated message to the team. The team will contact you about next steps for setting up SSO.

Required Information for SAML 2.0

Share the following information with the team. Most of it can be found in your IdP’s SAML configuration page. The examples below are for Microsoft Entra ID. Formats and field names vary by IdP.
| Item | Description |
| --- | --- |
| IdP (Identity Provider) | The service provider your organization uses to manage email and SSO. Example: Okta, Microsoft Entra ID, etc. |
| JIT provisioning preference | Whether you want to enable Just-in-Time (JIT) provisioning for your organization. See User Access and JIT Provisioning. |
| Metadata URL | The URL that provides your IdP’s SAML metadata, including the Entity ID, SSO login URL, and signing certificate. This URL allows to automatically configure the SAML connection without requiring each value separately. In Microsoft Entra ID, this is called App Federation Metadata URL. In Okta, this is called Identity Provider Metadata. Example: https://login.microsoftonline.com/123/federationmetadata/2007-06/federationmetadata.xml?appid=456 |
| Enterprise email domains | Each email domain that will need access to . Example: acme.com, acme.ai |
| Email claim | The Uniform Resource Identifier (URI) for the email claim type. This communicates the email address of the user. Example: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress |
| Name claim | Optional. The Uniform Resource Identifier (URI) for the name claim type. This communicates the name of the user. Example: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |

Required Information for OIDC

Share the following information with the team. Most of it can be found in your IdP’s OIDC configuration page. The examples below are for Microsoft Entra ID. Formats and field names vary by IdP.
| Item | Description |
| --- | --- |
| IdP (Identity Provider) | The service provider your organization uses to manage email and SSO. Example: Okta, Microsoft Entra ID, etc. |
| JIT provisioning preference | Whether you want to enable Just-in-Time (JIT) provisioning for your organization. See User Access and JIT Provisioning. |
| Client ID | A unique identifier for the application registered in your IdP. Your IdP generates this when you create the application. |
| Client Secret | A secret key used to authenticate the application with your IdP. Share this with the team through a secure channel. |
| Issuer URL | The base URL of your IdP’s OIDC configuration, used to locate the OIDC metadata endpoint. Example: https://login.microsoftonline.com/{tenant-id}/v2.0 |
| Scope | The permissions requested from your IdP. At minimum: openid, profile, email. |
| Enterprise email domains | Each email domain that will need access to . Example: acme.com, acme.ai |
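
The Issuer URL has to match the `issuer` value in the IdP's discovery document exactly, and a leftover `{tenant-id}` placeholder or a trailing slash is enough to break the connection. The following Python sketch is an added example, not code from this product; the well-known path comes from OpenID Connect Discovery 1.0, while the IdP host, sample document, and function names are constructed for illustration.

```python
from urllib.parse import urlsplit

REQUIRED_SCOPES = {"openid", "profile", "email"}  # minimum scopes listed on this page
REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")

# Constructed sample: hypothetical IdP host and tenant, not a real discovery response.
SAMPLE_ISSUER = "https://idp.example.test/tenant-1234/v2.0"
SAMPLE_DOC = {
    "issuer": SAMPLE_ISSUER,
    "authorization_endpoint": "https://idp.example.test/tenant-1234/oauth2/v2.0/authorize",
    "token_endpoint": "https://idp.example.test/tenant-1234/oauth2/v2.0/token",
    "jwks_uri": "https://idp.example.test/tenant-1234/discovery/v2.0/keys",
    "scopes_supported": ["openid", "profile", "email", "offline_access"],
}


def discovery_url(issuer):
    """OIDC Discovery 1.0: the metadata lives under the issuer at a well-known path."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def check_issuer_and_discovery(issuer, doc):
    """Return a list of problems; an empty list means the values are consistent."""
    problems = []
    parts = urlsplit(issuer)
    if "{" in issuer or "}" in issuer:
        problems.append("issuer still contains a template placeholder")
    if parts.scheme != "https" or not parts.netloc:
        problems.append("issuer must be an https URL")
    if parts.query or parts.fragment:
        problems.append("issuer must not carry a query or fragment")
    # The spec requires an exact string match, so a trailing slash counts as a mismatch.
    if doc.get("issuer") != issuer:
        problems.append("discovery issuer does not exactly match the configured issuer")
    for key in REQUIRED_ENDPOINTS:
        if urlsplit(str(doc.get(key) or "")).scheme != "https":
            problems.append(f"{key} missing or not https")
    # scopes_supported is optional in discovery; only flag gaps when it is published.
    missing = REQUIRED_SCOPES - set(doc.get("scopes_supported", REQUIRED_SCOPES))
    if missing:
        problems.append("scopes not advertised: " + ", ".join(sorted(missing)))
    return problems
```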

Complete Setup in Your IdP

After the team enters your information in the backend, they will continue coordinating with you to complete the setup. The team will give you the following information to enter in your IdP configuration page:
| Protocol | Item | Description |
| --- | --- | --- |
| SAML 2.0 | Assertion Consumer Service URL | In Microsoft Entra ID, this is called a “Reply URL”. Example: https://login.landing.ai/api/authn/... |
| SAML 2.0 | Audience URI | Also called an “SP Entity ID”. Example: https://login.landing.ai/api/enterprise-sso/... |
| OIDC | Redirect URI (Callback URL) | Example: https://login.landing.ai/callback/1234 |

Test That SSO Is Working Correctly

After adding the information from the team, test that SSO is working correctly:
  1. Go to https://login.landing.ai/sign-in.
  2. If you are currently logged in, log out.
  3. Click Continue with Enterprise SSO and follow the on-screen prompts to log in. If you’re unable to log in, send an email to support@landing.ai.

View Your SSO Settings

After SSO has successfully been configured, you can view your SSO settings in read-only mode in :
  1. Log in to https://va.landing.ai/.
  2. Go to the Organization Settings page (to navigate there manually, click your profile icon at the bottom left corner of the page and click Organization Settings).
  3. In the Single Sign-On (SSO) box, click View Details. The SSO settings display.