# Single Sign-On (SSO) with SAML {% hint style="info" %} This is an Enterprise plan feature {% endhint %} Arcade supports **SAML 2.0** using **SP-initiated SSO**, and integrates with providers like Auth0, Okta, Entra, and JumpCloud. *** ### What is supported? * **Protocol:** SAML 2.0 * **Initiation:** SP-initiated login * **SSO URL:** Custom Arcade SSO URL (provided after setup) * **Callback (ACS) URL:** `https://app.arcade.software/__/auth/handler` * **Entity ID:** `urn:app.arcade.software` *** ### How do I configure SSO with SAML for my Arcade team? There are two main parts to SAML setup: creating an app in your identity provider (IdP) and registering it with Arcade. #### 1. Create a new SAML application in your identity provider When setting up Arcade in your IdP (e.g. Okta, Auth0), use the following values: * **Entity ID:** `urn:app.arcade.software` * **ACS URL (Callback URL):** `https://app.arcade.software/__/auth/handler` These values are required for successful SAML assertions. #### 2. Share your SAML metadata with Arcade Send one of the following over Intercom (bottom right help icon): * SAML metadata XML file (preferred) * A metadata URL * Or these individual fields: * **Entity ID / Issuer** * **SSO Login URL** * **X.509 Certificate** This is only an Enterprise feature, but please reach out if interested and if you need support from our team! Once we receive this information, we’ll configure your SAML connection and send you back a dedicated Arcade SSO login URL. You can use this directly or select `Continue with SSO` on the Arcade login screen. *** ### What else needs to be configured on our side? Be sure to allow the following callback URL in your IdP settings: ``` https://app.arcade.software/__/auth/handler ``` This is required for authentication to complete successfully. *** ## Provider-Specific Configuration ### How do I configure SAML with Auth0? You can manually configure a new SAML app in Auth0 using the standard method, or with the **SAML 2.0 Add-On**. If using the add-on: {% @arcade/embed flowId="2nGLmvxr2SswGlXgur9I" url="" %} #### ⚠️ Important note for Auth0's SAML 2.0 Add-On Ensure the **NameID** is set to the user’s email address by configuring `nameIdentifierProbes` like so: ```json jsonCopy code{ "nameIdentifierProbes": [ "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" ] } ``` This ensures that Arcade receives the user’s email, which is required for login. > See also: Auth0: Manually configure SSO integrations *** ### How do I configure SAML with Okta? Follow Okta’s guide to create a new SAML app integration and use Arcade’s ACS and Entity ID values as described above. **Note:** Arcade authentication does not support login via the Okta dashboard tile. We recommend hiding the tile and instead configuring a **Bookmark App** in Okta that links directly to your custom Arcade SSO login URL. See also: [Okta: Create SAML app integrations](https://help.okta.com/en-us/Content/Topics/Apps/Apps_App_Integration_Wizard_SAML.htm). {% @arcade/embed flowId="akQ3vgJIKJnzNB2WZnsO" url="" %} *** --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.arcade.software/kb/admin/general-security/single-sign-on-sso-with-saml.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.