# SSO Support

Use SSO to sign in to SureCloud with your organisation's identity provider.

Use this page to check supported providers and the setup information we need.

### Compatible providers

SureCloud supports SSO with these provider types:

* Microsoft Entra ID (Azure AD)
* ADFS
* SAML 2.0 providers, including Okta, PingFederate, Google Workspace, and Auth0
* OpenID Connect
* Active Directory/LDAP
* Azure Active Directory Native

### Set up SSO

To configure an identity provider connector, contact [SureCloud Support](mailto:success@surecloud.com).

Include:

* your identity provider
* the SSO standard, if known
* the tenant or environment to configure

### Information we need

#### Microsoft Entra ID (Azure AD)

Send us:

* Application secret key
* Application ID
* Microsoft Azure AD domain

We will send you:

* Callback URL: `https://auth.surecloud.io/login/callback`

#### ADFS

Send us:

* Federation metadata XML file, or a URL to download it

We will send you:

* Callback URL: `https://auth.surecloud.io/login/callback`
* Relying party trust identifier: `urn:auth0:prod-aurora-surecloud`
* Claim rule template: `Send LDAP Attributes as Claims`

#### SAML 2.0 providers

This setup usually applies to providers such as Okta, PingFederate, Google Workspace, and Auth0.

Send us:

* X509 signing certificate in `PEM` or `CER` format
* Sign-in URL

We will send you:

* Assertion certificate in `PEM` format
* SP Entity ID (Audience URI): `urn:auth0:prod-aurora-surecloud:<connector>`
* Single Sign-On URL (Assertion Consumer Service URI): `https://auth.surecloud.io/login/callback?connection=<connector>&organization=<organization_id>`
* Single Logout URL: `https://auth.surecloud.io/logout`

{% hint style="info" %}
Replace `<connector>` and `<organization_id>` with the values for your organisation.
{% endhint %}

#### Other supported providers

OpenID Connect, Active Directory/LDAP, and Azure Active Directory Native are also supported.

Requirements vary by setup.

Contact Support with your provider name and tenant details.

We will confirm the exact information needed.

### Required SAML claims

If you are using a SAML 2.0 provider, these claims must be present:

* **Email Address:** `email`
* **First Name:** `given_name`
* **Last Name:** `family_name`
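
A pre-flight check for the SAML values on this page, as an added example (not SureCloud's own code): it reads a decoded SAML response captured from a test sign-in at your IdP and reports a wrong Audience, a wrong Recipient, or a missing required claim. It assumes the claim names listed above are the SAML `Attribute` `Name` values. The connector `acme-saml` and organisation ID `org_EXAMPLE` are constructed placeholders, and the XML signature is not verified.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED_CLAIMS = ("email", "given_name", "family_name")  # names from this page

def check_assertion(xml_text, connector, organization_id):
    """Return a list of problems in a decoded SAML response (empty list = OK).
    Checks content only; it does not verify the XML signature."""
    audience = f"urn:auth0:prod-aurora-surecloud:{connector}"
    acs = ("https://auth.surecloud.io/login/callback"
           f"?connection={connector}&organization={organization_id}")
    root = ET.fromstring(xml_text)
    problems = []
    audiences = [a.text.strip() for a in root.iterfind(".//saml:Audience", NS) if a.text]
    if audience not in audiences:
        problems.append(f"Audience is {audiences}, expected {audience}")
    recipients = [c.get("Recipient")
                  for c in root.iterfind(".//saml:SubjectConfirmationData", NS)]
    if acs not in recipients:
        problems.append(f"Recipient is {recipients}, expected {acs}")
    # Assumption: the page's claim names are the Attribute Name values.
    claims = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        values = [v.text.strip() for v in attr.iterfind("saml:AttributeValue", NS)
                  if v.text and v.text.strip()]
        claims[attr.get("Name")] = values
    for name in REQUIRED_CLAIMS:
        if not claims.get(name):
            problems.append(f"required claim '{name}' is missing or empty")
    return problems

# Constructed sample: last name sent as "FamilyName"; "&" in the URL is "&amp;" in XML.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>
  <saml:Subject><saml:SubjectConfirmation><saml:SubjectConfirmationData
    Recipient="https://auth.surecloud.io/login/callback?connection=acme-saml&amp;organization=org_EXAMPLE"/>
  </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>urn:auth0:prod-aurora-surecloud:acme-saml</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>a.user@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="given_name"><saml:AttributeValue>Alex</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="FamilyName"><saml:AttributeValue>User</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement></saml:Assertion></samlp:Response>"""

if __name__ == "__main__":
    for problem in check_assertion(SAMPLE, "acme-saml", "org_EXAMPLE"):
        print("FAIL:", problem)
```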

### Optional: IdP-initiated SSO

Use IdP-initiated SSO if users will start sign-in from your internal portal or another external page.

Enable **IdP-Initiated SSO** on the tenant's enterprise SAML connection with these settings:

* **Accept Request**
* **Default application:** `prod-uk-auth0-single-page-application`
* **Response Protocol:** `OpenID Connect`
* **Query String:** `scope=openid email&redirect_uri=https://SUBDOMAIN.surecloud.io/idpLogin`

{% hint style="info" %}
Replace `SUBDOMAIN` with your tenant subdomain.
{% endhint %}

### What happens next

SureCloud Support will confirm compatibility and guide you through the remaining setup steps.

