# Single Sign-On (SSO)

export const splitJSON = 'split rules';

export const split = 'ADE Split';

export const adeTypeScriptLibrary = 'ade-typescript';

export const adePythonLibrary = 'ade-python';

export const dpt2mini = 'DPT-2 mini';

export const dpt2 = 'DPT-2';

export const dpt1 = 'DPT-1';

export const dpt = 'Document Pre-Trained Transformer';

export const companyName = 'LandingAI';

export const extract = 'ADE Extract';

export const parse = 'ADE Parse';

export const ade = 'Agentic Document Extraction';

## About SSO

{ade} supports SSO via **SAML 2.0** and **OpenID Connect (OIDC)**, letting your organization manage {ade} access through your existing identity provider (IdP). Common IdPs include Okta, Microsoft Entra ID (formerly Azure AD), OneLogin, Ping Identity, and Google Workspace.

<Info>
  Users can also sign in with Google or GitHub without any additional setup. This page covers SSO setup via SAML 2.0 and OIDC only.
</Info>

## Availability

SSO via SAML 2.0 and OIDC is available on the **Enterprise** plan.

## What to Know Before Enabling SSO

### SSO Replaces Existing Login Methods

Once SSO is enabled for your organization, it becomes the only way users can log in to {ade}. Users will no longer be able to sign in with a password, Google, or GitHub. This is by design; it ensures that all user access is managed through your IdP, so your organization's security policies are consistently enforced.

To avoid disruption, communicate this change to all {ade} users in your organization before enabling SSO.

### User Access and JIT Provisioning

Your IT department controls who can access {ade} through your IdP by managing user groups. Having a company email address does not automatically grant access. Users must be included in the group configured for {ade} in your IdP.

When setting up SSO, let the {companyName} team know which option you prefer for adding users to your {ade} organization:

* **By invitation**: Only users who have been invited to your {ade} organization can log in, even after SSO is enabled. For information about manually inviting users, see [Organizations & Members](./ade-members).
* **Just-in-Time (JIT) provisioning**: Any user in your IdP's user group who successfully authenticates via SSO is automatically added to your {ade} organization the first time they log in, with no invitation required.

## Enable SSO

SSO setup involves multiple steps and ongoing coordination between your team and the {companyName} team. Here is an overview of the process:

1. [Request SSO](#request-sso) through your Organization Settings.
2. The {companyName} team reaches out to begin the process.
3. Share the required information with the {companyName} team: [SAML 2.0](#required-information-for-saml-20) or [OIDC](#required-information-for-oidc).
4. The {companyName} team enters your information in the {ade} backend.
5. The {companyName} team shares configuration details with you. [Add these to your IdP](#complete-setup-in-your-idp).
6. [Test that SSO is working correctly](#test-that-sso-is-working-correctly).

### Request SSO

To request SSO:

1. Log in to [https://va.landing.ai/](https://va.landing.ai/).
2. Go to the [Organization Settings](https://va.landing.ai/settings/organization/general) page (to navigate there manually, click your profile icon at the bottom left corner of the page and click **Organization Settings**).
3. In the **Single Sign-On (SSO)** box, click **Contact Support**. This sends an automated message to the {companyName} team. The team will contact you about next steps for setting up SSO.

### Required Information for SAML 2.0

Share the following information with the {companyName} team. Most of it can be found in your IdP's SAML configuration page.

The examples below are for Microsoft Entra ID. Formats and field names vary by IdP.

| Item                        | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
| --------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| IdP (Identity Provider)     | The service provider your organization uses to manage email and SSO. <br /><br />**Example**: Okta, Microsoft Entra ID, etc.                                                                                                                                                                                                                                                                                                                                                                                   |
| JIT provisioning preference | Whether you want to enable Just-in-Time (JIT) provisioning for your organization. See [User Access and JIT Provisioning](#user-access-and-jit-provisioning).                                                                                                                                                                                                                                                                                                                                                   |
| Metadata URL                | The URL that provides your IdP's SAML metadata, including the Entity ID, SSO login URL, and signing certificate. This URL allows {companyName} to automatically configure the SAML connection without requiring each value separately. <br /><br />In Microsoft Entra ID, this is called **App Federation Metadata URL**. In Okta, this is called **Identity Provider Metadata**. <br /><br />**Example**: `https://login.microsoftonline.com/123/federationmetadata/2007-06/federationmetadata.xml?appid=456` |
| Enterprise email domains    | Each email domain that will need access to {ade}. <br /><br />**Example**: acme.com, acme.ai                                                                                                                                                                                                                                                                                                                                                                                                                   |
| Email claim                 | The Uniform Resource Identifier (URI) for the email claim type. This communicates the email address of the user. <br /><br />**Example**: `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress`                                                                                                                                                                                                                                                                                                 |
| Name claim                  | Optional. The Uniform Resource Identifier (URI) for the name claim type. This communicates the name of the user. <br /><br />**Example**: `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name`                                                                                                                                                                                                                                                                                                         |

### Required Information for OIDC

Share the following information with the {companyName} team. Most of it can be found in your IdP's OIDC configuration page.

The examples below are for Microsoft Entra ID. Formats and field names vary by IdP.

| Item                        | Description                                                                                                                                                             |
| --------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| IdP (Identity Provider)     | The service provider your organization uses to manage email and SSO. <br /><br />**Example**: Okta, Microsoft Entra ID, etc.                                            |
| JIT provisioning preference | Whether you want to enable Just-in-Time (JIT) provisioning for your organization. See [User Access and JIT Provisioning](#user-access-and-jit-provisioning).            |
| Client ID                   | A unique identifier for the {ade} application registered in your IdP. Your IdP generates this when you create the application.                                          |
| Client Secret               | A secret key used to authenticate the {ade} application with your IdP. Share this with the {companyName} team through a secure channel.                                 |
| Issuer URL                  | The base URL of your IdP's OIDC configuration, used to locate the OIDC metadata endpoint. <br /><br />**Example**: `https://login.microsoftonline.com/{tenant-id}/v2.0` |
| Scope                       | The permissions requested from your IdP. At minimum: `openid`, `profile`, `email`.                                                                                      |
| Enterprise email domains    | Each email domain that will need access to {ade}. <br /><br />**Example**: acme.com, acme.ai                                                                            |
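The Issuer URL and Scope rows can be checked against your IdP's discovery document before you share them. The following is an added example, not {companyName} code: it derives the metadata endpoint from the Issuer URL and checks a discovery document for an exact issuer match, HTTPS endpoints, and the minimum scopes. The tenant ID, sample documents, and function names are constructed for illustration.

```python
from urllib.parse import urlsplit

REQUIRED_SCOPES = {"openid", "profile", "email"}  # minimum scopes from the table above


def discovery_url(issuer):
    """OIDC Discovery: metadata lives at <issuer>/.well-known/openid-configuration."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def check_discovery(issuer, doc):
    """Return a list of problems found in a discovery document (empty list = OK)."""
    problems = []
    # The document's issuer must equal the Issuer URL exactly; otherwise tokens
    # would carry an "iss" value the relying party does not expect.
    if doc.get("issuer") != issuer:
        problems.append(f"issuer mismatch: {doc.get('issuer')!r}")
    for field in ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri"):
        value = doc.get(field)
        if not value:
            problems.append(f"missing {field}")
        elif urlsplit(value).scheme != "https":
            problems.append(f"{field} is not HTTPS")
    supported = doc.get("scopes_supported")
    if supported is None:
        problems.append("scopes_supported not advertised; confirm scopes manually")
    else:
        missing = REQUIRED_SCOPES - set(supported)
        if missing:
            problems.append("scopes not supported: " + ", ".join(sorted(missing)))
    return problems


# Constructed sample values; the tenant ID is a placeholder.
ISSUER = "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0"
GOOD_DOC = {
    "issuer": ISSUER,
    "authorization_endpoint": "https://login.microsoftonline.com/example/oauth2/v2.0/authorize",
    "token_endpoint": "https://login.microsoftonline.com/example/oauth2/v2.0/token",
    "jwks_uri": "https://login.microsoftonline.com/example/discovery/v2.0/keys",
    "scopes_supported": ["openid", "profile", "email", "offline_access"],
}
# Trailing slash on the issuer and a reduced scope list: both should be reported.
BAD_DOC = dict(GOOD_DOC, issuer=ISSUER + "/", scopes_supported=["openid"])

if __name__ == "__main__":
    print(discovery_url(ISSUER))
    print(check_discovery(ISSUER, GOOD_DOC))
    print(check_discovery(ISSUER, BAD_DOC))
```

To run it against your own IdP, fetch the JSON at `discovery_url(issuer)` and pass the parsed document to `check_discovery`.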

### Complete Setup in Your IdP

After the {companyName} team enters your information in the {ade} backend, they will continue coordinating with you to complete the setup.

The {companyName} team will give you the following information to enter in your IdP configuration page:

| Protocol | Item                           | Description                                                                                                            |
| -------- | ------------------------------ | ---------------------------------------------------------------------------------------------------------------------- |
| SAML 2.0 | Assertion Consumer Service URL | In Microsoft Entra ID, this is called a "Reply URL". <br /><br />**Example**: `https://login.landing.ai/api/authn/...` |
| SAML 2.0 | Audience URI                   | Also called an "SP Entity ID". <br /><br />**Example**: `https://login.landing.ai/api/enterprise-sso/...`              |
| OIDC     | Redirect URI (Callback URL)    | **Example**: `https://login.landing.ai/callback/1234`                                                                  |

### Test That SSO Is Working Correctly

After adding the information from the {companyName} team, test that SSO is working correctly:

1. Go to [https://login.landing.ai/sign-in](https://login.landing.ai/sign-in).
2. If you are currently logged in, log out.
3. Click **Continue with Enterprise SSO** and follow the on-screen prompts to log in. If you're unable to log in, send an email to [support@landing.ai](mailto:support@landing.ai).

## View Your SSO Settings

After SSO has successfully been configured, you can view your SSO settings in read-only mode in {ade}:

1. Log in to [https://va.landing.ai/](https://va.landing.ai/).
2. Go to the [Organization Settings](https://va.landing.ai/settings/organization/general) page (to navigate there manually, click your profile icon at the bottom left corner of the page and click **Organization Settings**).
3. In the **Single Sign-On (SSO)** box, click **View Details**. The SSO settings are displayed.
