# Authentication

The **Settings > Configuration > Authentication** window lets you set authentication parameters for your Aisera tenant. These settings apply to every bot you create in the tenant.

## Authentication method

Select the authentication mechanism for users on this Aisera instance.

### Aisera Authentication

| **Type**    | Radio button |
| ----------- | ------------ |
| **Default** | Selected     |

The platform's built-in authentication system. When selected, users log in with a username and password managed within Aisera. User accounts are created and managed through the Aisera Admin UI, where administrators set up users with an email address and initial password.

### SSO Authentication

| **Type**    | Radio button |
| ----------- | ------------ |
| **Default** | Deselected   |

When enabled, users authenticate through an external Single Sign-On (SSO) provider instead of using passwords managed within the Aisera platform. The authentication flow redirects users to the configured SSO provider, which validates their credentials and returns authentication tokens to Aisera.

Users created while SSO Authentication is enabled are not assigned functional passwords. Password validation is skipped during user creation and management, and accounts authenticate exclusively through the external SSO provider.

## SSO configuration

{% hint style="danger" %}
Double-check that you have configured these settings correctly and entered the correct values. If any value is incorrect, you will be unable to log in to your Aisera tenant. If this happens, reach out to your Aisera team for assistance recovering access.
{% endhint %}

### Login URL

| **Type**     | Text field                                                 |
| ------------ | ---------------------------------------------------------- |
| **Default**  | Empty                                                      |
| **Requires** | [SSO Authentication](#sso-authentication) must be selected |

The URL of your SSO provider's login endpoint. Retrieved from your identity provider (IdP) during SSO application setup.

### ACS URL

| **Type**     | Text field                                                 |
| ------------ | ---------------------------------------------------------- |
| **Default**  | Empty                                                      |
| **Requires** | [SSO Authentication](#sso-authentication) must be selected |

The Assertion Consumer Service (ACS) URL for your Aisera tenant. Provide this URL to your IdP when configuring your SSO application. Your ACS URL follows this format:

`https://<your_tenant>.login.aisera.<top_level_domain>/aisera/ssoLoginCallback`

### Logout URL

| **Type**     | Text field                                                 |
| ------------ | ---------------------------------------------------------- |
| **Default**  | Empty                                                      |
| **Requires** | [SSO Authentication](#sso-authentication) must be selected |

The URL of your SSO provider's logout endpoint. Retrieved from your IdP during SSO application setup.

### Issuer

| **Type**     | Text field                                                 |
| ------------ | ---------------------------------------------------------- |
| **Default**  | Empty                                                      |
| **Requires** | [SSO Authentication](#sso-authentication) must be selected |

Your tenant's login vanity URL. Use the following format:

`https://<your_tenant>.login.aisera.<top_level_domain>/`

### Separate Window

| **Type**     | Checkbox                                                   |
| ------------ | ---------------------------------------------------------- |
| **Default**  | Disabled                                                   |
| **Requires** | [SSO Authentication](#sso-authentication) must be selected |

When enabled, the SSO authentication flow opens in a popup window. The user authenticates in the popup and, upon successful authentication, the popup closes and returns control to the main application window.

When disabled, the main browser window redirects to the IdP for authentication and then redirects back to Aisera on completion. Use this option if your IdP supports only HTTP POST rather than HTTP Redirect.

### Skip Compression

| **Type**     | Checkbox                                                   |
| ------------ | ---------------------------------------------------------- |
| **Default**  | Disabled                                                   |
| **Requires** | [SSO Authentication](#sso-authentication) must be selected |

When enabled, sends the X509 certificate to the SSO provider in uncompressed form. Some IdPs require the certificate in uncompressed format and will fail authentication if it has been compressed.

When disabled, the platform compresses the X509 certificate before sending it to the SSO provider. If you are receiving a SAML error, try enabling this setting.

### X509 Certificate

| **Type**     | Text field                                                 |
| ------------ | ---------------------------------------------------------- |
| **Default**  | Empty                                                      |
| **Requires** | [SSO Authentication](#sso-authentication) must be selected |

The X509 certificate provided by your IdP, used to verify the authenticity of SAML responses. Paste the full certificate value including the header and footer lines.

{% hint style="info" %}
Make sure your certificate value includes the `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----` lines when pasting.
{% endhint %}
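
Because a wrong value in the SSO configuration can lock you out of the tenant, it helps to check the values before saving them. The following is an added example, not Aisera code: it checks a set of field values against the ACS URL and Issuer formats and the certificate header and footer requirement described on this page. The dictionary keys, the sample tenant `example`, the IdP URLs, and the requirement that IdP endpoints use HTTPS are assumptions.

```python
import re
import ssl
from urllib.parse import urlsplit

# Host and path shapes taken from the ACS URL and Issuer formats on this page.
TENANT_HOST = re.compile(r"^[a-z0-9-]+\.login\.aisera\.[a-z0-9.-]+$")
ACS_PATH = "/aisera/ssoLoginCallback"

def check_sso_settings(s):
    """Return a list of problems in a dict of SSO field values (empty list = OK).
    The dict keys are hypothetical names for the form fields."""
    problems, urls = [], {}
    for key in ("login_url", "acs_url", "logout_url", "issuer"):
        urls[key] = urlsplit(s.get(key, ""))
        # Assumption: every endpoint, including the IdP's, is served over HTTPS.
        if urls[key].scheme != "https" or not urls[key].hostname:
            problems.append(f"{key}: not an absolute https URL")
    acs, issuer = urls["acs_url"], urls["issuer"]
    for key, u in (("acs_url", acs), ("issuer", issuer)):
        if not TENANT_HOST.match(u.hostname or ""):
            problems.append(f"{key}: host is not <tenant>.login.aisera.<tld>")
    if acs.path != ACS_PATH:
        problems.append(f"acs_url: path must be {ACS_PATH}")
    if issuer.path != "/":
        problems.append("issuer: must end with a single trailing slash and no path")
    if acs.hostname != issuer.hostname:
        problems.append("acs_url and issuer point at different tenant hosts")
    try:
        # Raises ValueError if the BEGIN/END lines are missing or the base64 is bad.
        der = ssl.PEM_cert_to_DER_cert(s.get("x509_certificate", "").strip())
        if der[:1] != b"\x30":  # a DER certificate starts with a SEQUENCE tag
            problems.append("x509_certificate: body is not a DER structure")
    except ValueError as exc:
        problems.append(f"x509_certificate: {exc}")
    return problems

# Constructed sample values; the certificate body is a placeholder, not a real cert.
SAMPLE = {
    "login_url": "https://idp.example.com/sso/login",
    "acs_url": "https://example.login.aisera.com/aisera/ssoLoginCallback",
    "logout_url": "https://idp.example.com/sso/logout",
    "issuer": "https://example.login.aisera.com/",
    "x509_certificate": "-----BEGIN CERTIFICATE-----\nMIIBAAAA\n-----END CERTIFICATE-----\n",
}

if __name__ == "__main__":
    for problem in check_sso_settings(SAMPLE) or ["no problems found"]:
        print(problem)
```

The certificate check covers only the PEM armor and encoding; it does not confirm that the certificate is the one your IdP currently signs with or that it is unexpired.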
