> ## Documentation Index
> Fetch the complete documentation index at: https://docs.prisme.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Single Sign-On (SSO)

> Implementing and managing Single Sign-On authentication with Prisme.ai

Single Sign-On (SSO) allows your organization to integrate Prisme.ai with your existing identity provider, enabling secure, streamlined authentication while maintaining central control over user access and permissions. This page provides comprehensive information about SSO implementation, configuration, and management in Prisme.ai.

## Benefits of SSO Integration

<CardGroup cols="2">
  <Card title="Enhanced Security" icon="shield-check">
    Enforce your organization's security policies including password requirements, MFA, and conditional access
  </Card>

  <Card title="Simplified Access" icon="door-open">
    Users can access Prisme.ai without maintaining separate credentials
  </Card>

  <Card title="Centralized Control" icon="users-cog">
    Manage user access from your existing identity management system
  </Card>

  <Card title="Improved Compliance" icon="clipboard-check">
    Meet regulatory requirements for authentication and access control
  </Card>
</CardGroup>

## Supported Identity Providers

Prisme.ai supports SSO integration with all major identity providers that implement standard protocols:

<Tabs>
  <Tab title="Azure AD">
    Microsoft's cloud-based identity and access management service:

    * Azure AD Free
    * Azure AD Premium P1/P2
    * Microsoft Entra ID

    Supports both SAML 2.0 and OpenID Connect protocols.
  </Tab>

  <Tab title="Okta">
    Cloud-based identity management service:

    * Okta Workforce Identity
    * Okta Customer Identity

    Supports both SAML 2.0 and OpenID Connect protocols.
  </Tab>

  <Tab title="Google Workspace">
    Google's suite of cloud computing, productivity and collaboration tools:

    * Google Workspace Business
    * Google Workspace Enterprise

    Supports SAML 2.0 protocol.
  </Tab>

  <Tab title="Other Providers">
    Any identity provider that supports standard protocols:

    * Auth0
    * OneLogin
    * Ping Identity
    * KeyCloak
    * Custom SAML/OIDC providers

    Prisme.ai is compatible with any IdP that implements SAML 2.0 or OpenID Connect.
  </Tab>
</Tabs>

## Authentication Protocols

Prisme.ai supports the following authentication protocols for SSO:

### SAML 2.0

Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between an identity provider and a service provider.

<AccordionGroup>
  <Accordion title="SAML 2.0 Flow in Prisme.ai">
    1. User attempts to access Prisme.ai
    2. Prisme.ai redirects to the identity provider
    3. User authenticates with the identity provider
    4. Identity provider issues a SAML assertion
    5. User is redirected back to Prisme.ai with the SAML assertion
    6. Prisme.ai validates the assertion and grants access
  </Accordion>

  <Accordion title="Required SAML Configuration">
    To configure SAML SSO, you'll need to provide:

    * Entity ID
    * ACS (Assertion Consumer Service) URL
    * Login URL
    * Logout URL
    * Certificate for signing SAML requests
    * Attribute mappings for user information
  </Accordion>
</AccordionGroup>

### OpenID Connect (OIDC)

OpenID Connect is an authentication layer built on top of OAuth 2.0, providing a standardized way to verify user identity.

<AccordionGroup>
  <Accordion title="OIDC Flow in Prisme.ai">
    1. User attempts to access Prisme.ai
    2. Prisme.ai redirects to the identity provider with an authorization request
    3. User authenticates with the identity provider
    4. Identity provider issues an authorization code
    5. Prisme.ai exchanges the code for ID and access tokens
    6. Prisme.ai validates the tokens and grants access
  </Accordion>

  <Accordion title="Required OIDC Configuration">
    To configure OIDC SSO, you'll need to provide:

    * Client ID
    * Client Secret
    * Authorization endpoint
    * Token endpoint
    * Userinfo endpoint
    * JWKS endpoint (for token validation)
    * Scope requirements
    * Claims mapping for user information
  </Accordion>
</AccordionGroup>

## Setting Up SSO for Your Organization

Follow these steps to configure SSO for your Prisme.ai instance:

<Steps>
  <Step title="Contact Support">
    Reach out to your Prisme.ai account representative or support team to initiate the SSO setup process
  </Step>

  <Step title="Choose Protocol">
    Select either SAML 2.0 or OpenID Connect based on your identity provider's capabilities and your organization's requirements
  </Step>

  <Step title="Configure Your Identity Provider">
    Add Prisme.ai as a service provider or application in your identity provider's dashboard
  </Step>

  <Step title="Exchange Configuration Information">
    Provide Prisme.ai with the necessary configuration details from your identity provider, and configure your IdP with information provided by Prisme.ai
  </Step>

  <Step title="Map User Attributes">
    Configure how user attributes (name, email, groups, etc.) from your identity provider map to Prisme.ai attributes
  </Step>

  <Step title="Test the Integration">
    Verify the SSO setup works correctly with test accounts before rolling out to all users
  </Step>

  <Step title="Deploy to Users">
    Once testing is successful, enable SSO for your organization's users
  </Step>
</Steps>

## User Provisioning and Deprovisioning

In addition to authentication, Prisme.ai supports automated user lifecycle management:

### SCIM Provisioning

System for Cross-domain Identity Management (SCIM) allows for automated user provisioning and deprovisioning:

<AccordionGroup>
  <Accordion title="SCIM Features">
    * Automatic user creation when provisioned in your IdP
    * Real-time updates to user attributes and group memberships
    * Immediate deactivation when users are removed from your IdP
    * Role and permission mapping based on group membership
  </Accordion>

  <Accordion title="Supported Identity Providers for SCIM">
    SCIM integration is available for:

    * Azure AD
    * Okta
    * OneLogin
    * Other SCIM 2.0 compatible providers
  </Accordion>
</AccordionGroup>

### Just-in-Time Provisioning

For organizations not using SCIM, Prisme.ai also supports just-in-time (JIT) provisioning:

* Users are automatically created on their first login
* User attributes are populated from the SSO identity assertion
* Permissions can be assigned based on group attributes in the assertion

## Role-Based Access Control with SSO

Integrate your organization's group structure with Prisme.ai's permission system:

<Steps>
  <Step title="Define Group Attribute">
    Configure which attribute in your identity provider contains group or role information
  </Step>

  <Step title="Create Role Mappings">
    Define how identity provider groups map to Prisme.ai roles
  </Step>

  <Step title="Apply Granular Permissions">
    Configure workspace and resource-level permissions based on roles
  </Step>

  <Step title="Test Access Controls">
    Verify that users receive appropriate permissions based on their group memberships
  </Step>
</Steps>

## Multi-Factor Authentication

Enhance security with multi-factor authentication (MFA):

<CardGroup cols="2">
  <Card title="Identity Provider MFA" icon="shield-alt">
    Use your identity provider's MFA capabilities with SSO
  </Card>

  <Card title="FIDO2/WebAuthn" icon="key">
    Support for hardware security keys and biometric authentication
  </Card>

  <Card title="Time-based OTP" icon="clock">
    Compatibility with authenticator apps like Google Authenticator
  </Card>

  <Card title="Conditional Access" icon="filter">
    Apply MFA based on risk factors like location or device
  </Card>
</CardGroup>

## SSO for Self-Hosted Deployments

For customers using Prisme.ai in their own infrastructure:

<AccordionGroup>
  <Accordion title="On-Premises IdP Integration">
    Self-hosted Prisme.ai can integrate with on-premises identity providers such as:

    * Active Directory Federation Services (ADFS)
    * Keycloak
    * OpenLDAP
    * Shibboleth

    This allows organizations to maintain a completely on-premises authentication infrastructure.
  </Accordion>

  <Accordion title="Configuration Requirements">
    Self-hosted deployments require:

    * Network connectivity between Prisme.ai and your identity provider
    * Proper certificate configuration for secure communication
    * Additional configuration in your infrastructure's reverse proxy or load balancer

    Detailed configuration guides are available for each supported on-premises identity provider.
  </Accordion>
</AccordionGroup>

## Monitoring and Troubleshooting

Maintain visibility into your SSO implementation:

<Steps>
  <Step title="Access Audit Logs">
    Review authentication events in the Prisme.ai audit logs
  </Step>

  <Step title="Monitor IdP Logs">
    Check your identity provider's logs for authentication issues
  </Step>

  <Step title="Verify Configuration">
    Ensure metadata and certificates are current and correctly configured
  </Step>

  <Step title="Test with Diagnostic Tools">
    Use browser debugging tools to inspect authentication flows and identify issues
  </Step>
</Steps>

## Best Practices

Follow these recommendations for a secure and effective SSO implementation:

* **Implement MFA**: Always use multi-factor authentication with SSO
* **Regularly Rotate Certificates**: Update SAML certificates before they expire
* **Use Groups for Authorization**: Manage permissions via group membership rather than individual assignments
* **Test Before Deployment**: Thoroughly test SSO configuration with pilot users
* **Monitor Session Duration**: Configure appropriate session timeouts
* **Plan for Fallback**: Maintain emergency access procedures in case of IdP outages

## Additional Resources

<CardGroup cols="2">
  <Card title="Security Compliance" icon="check-double" href="/resources/security/compliance">
    Learn about Prisme.ai's security certifications and standards
  </Card>

  <Card title="Data Privacy" icon="user-shield" href="/resources/security/data-privacy">
    Understand how Prisme.ai protects your data
  </Card>

  <Card title="Azure AD Integration Guide" icon="file-alt" href="https://docs.prisme.ai/self-hosting/entreprise/authentication">
    Detailed guide for setting up Azure AD SSO
  </Card>

  <Card title="Okta Integration Guide" icon="file-alt" href="https://docs.prisme.ai/self-hosting/entreprise/authentication">
    Step-by-step instructions for Okta SSO configuration
  </Card>
</CardGroup>

## Getting Help

If you encounter issues with your SSO implementation:

* **Enterprise Support**: Contact your dedicated support representative
* **Technical Support**: Submit a ticket through the support portal
* **Documentation**: Refer to our detailed SSO implementation guides for specific identity providers
