# Setting Up SSO Authentication

## Overview

This guide details the steps required to configure Security Assertion Markup Language (SAML) Single Sign-On (SSO) for accessing the Aisera Admin UI. The process involves setting up a SAML application in your Identity Provider (IdP) and then applying the generated IdP credentials within the Aisera Admin UI.

## Prerequisites

### Aisera URLs

You will need the login vanity URL for your Aisera tenant. This will look like: `https://<your_tenant>.login.aisera.<top_level_domain>/`

You will also need your Aisera tenant's **SSO Callback URL**. This will be used as the **Assertion Consumer Service (ACS)** URL within your IdP. This will look like: `https://<your_tenant>.login.aisera.<top_level_domain>/aisera/ssoLoginCallback`

### IdP Administrative Access

To set up SSO access to the Aisera Admin UI, you will need administrative access to an Identity Provider. This access is required to create SAML applications and to generate the credentials used to configure the Aisera Platform.

## SAML Application Configurations

The Aisera Platform supports any IdP that provides the following:

* Login URL
* Logout URL
* X509 Certificate

For additional help configuring your SAML application, see the common use cases below:

* [Entra ID](https://docs.aisera.com/aisera-platform/tenant-setup/aisera-platform-configuration/setting-up-sso-authentication/setting-up-entra-id-for-sso-with-the-aisera-platform)

## Configuring Your Aisera Tenant

After configuring your IdP and retrieving the required values, you can configure your Aisera tenant to use the SAML application for authentication.

To configure your Aisera tenant:

1. In the Aisera Admin UI navigate to **Settings > Configuration**
2. Click on Authentication
3. Select the SSO Authentication radio button
4. Input the Login URL and Logout URL retrieved from your IdP
5. Input the X509 Certificate

   <div data-gb-custom-block data-tag="hint" data-style="info" class="hint hint-info"><p>This should include the <code>-----BEGIN CERTIFICATE-----</code> and <code>-----END CERTIFICATE-----</code> portions of the certificate.</p></div>
6. Set the remaining configurations

   | Field            | Description                                                                                                                                            |
   | ---------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------ |
   | Issuer           | This field should be set to your tenant's [login vanity URL](#aisera-urls).                                                                            |
   | Separate Window  | Determines if **HTTP Redirects** will be used in the authentication flow. If your IdP only supports HTTP POST, leave this option unchecked. |
   | Skip Compression | Certain IdPs, and even specific versions of IdPs, may not support compressed SAML. Check this option if your IdP is not compatible with compressed SAML. |

   <div data-gb-custom-block data-tag="hint" data-style="success" class="hint hint-success"><p>If you are getting a SAML error, try enabling the Skip Compression configuration.</p></div>
7. Read the warning below and then select **OK** to apply the new login configurations.

   <div data-gb-custom-block data-tag="hint" data-style="danger" class="hint hint-danger"><p>Double check that you have configured these settings correctly and that the correct values have been inserted into the tenant configurations. <em>If they have not been entered correctly you will be unable to log into your Aisera Tenant.</em> If this happens, reach out to your Aisera Team and they will help you recover access.</p></div>
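
A pre-flight check for the values entered in steps 4 to 6, as an added example that is not part of the Aisera documentation or product. It assumes IdP endpoints are served over HTTPS and uses a constructed 5-byte DER placeholder where a real certificate would go; `preflight`, `der_is_complete` and `VANITY_RE` are hypothetical names.

```python
import hashlib
import re
import ssl
from urllib.parse import urlparse

BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"
# Assumed pattern from the guide: https://<your_tenant>.login.aisera.<top_level_domain>/
VANITY_RE = re.compile(r"https://[a-z0-9-]+\.login\.aisera\.[a-z.]+/?", re.I)
# Constructed stand-in for a certificate: a 5-byte DER SEQUENCE, not a real X.509 cert.
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(bytes.fromhex("3003020101"))


def der_is_complete(der: bytes) -> bool:
    """True when the outer DER SEQUENCE length equals the bytes present (catches truncated pastes)."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:  # short-form length
        return len(der) == 2 + der[1]
    n = der[1] & 0x7F  # long form: the next n bytes hold the length
    if n == 0 or len(der) < 2 + n:
        return False
    return len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")


def preflight(login_url, logout_url, issuer, cert_pem):
    """Return (problems, sha256_hex) for the values about to be saved in the Admin UI."""
    problems = []
    for name, url in (("Login URL", login_url), ("Logout URL", logout_url)):
        parts = urlparse(url)
        if parts.scheme != "https" or not parts.hostname:
            problems.append(f"{name} is not an absolute https URL")
    if not VANITY_RE.fullmatch(issuer):
        problems.append("Issuer is not the tenant login vanity URL")
    pem = cert_pem.strip()
    if "PRIVATE KEY" in pem:
        problems.append("certificate field contains private key material")
    if pem.count(BEGIN) != 1 or pem.count(END) != 1:
        problems.append("expected exactly one BEGIN/END CERTIFICATE pair")
        return problems, None
    try:
        der = ssl.PEM_cert_to_DER_cert(pem)
    except ValueError as exc:  # also covers base64 padding errors
        problems.append(f"certificate does not decode: {exc}")
        return problems, None
    if not der_is_complete(der):
        problems.append("certificate body is truncated or not DER")
    return problems, hashlib.sha256(der).hexdigest()
```

Compare the returned SHA-256 fingerprint with the one your IdP shows for its signing certificate, if it shows one, before selecting **OK**.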

## Final Step

Upon completing these steps, you will be required to sign back into the Aisera Admin UI using the new form of authentication. As users access the Aisera Admin Application login URL, they will now be directed to complete the SSO process.
