# Single Sign-On

With single sign-on (SSO), members of your organization can sign in to Autify Genesis through your company identity provider. Configure an OIDC or SAML 2.0 provider once, and Genesis directs users with a matching email domain to it on sign-in.

## Prerequisites

* To manage SSO providers, you need the organization **Admin** or **Owner** role.
* Prepare the email domain to configure and an identity provider that supports OIDC or SAML 2.0.

## Adding an SSO provider

1. Open **Settings** from the account menu in the lower-left corner, and click **Organization** > **Single Sign-On** in the left sidebar.
2. Click **Set up SSO**.

   <figure><img src="/files/FucGH3qVlO4LoPlSgKBP" alt="Screenshot of the Set up SSO dialog"><figcaption><p>Set up SSO dialog</p></figcaption></figure>
3. In **Provider type**, select **OIDC** or **SAML**.
4. In **Email domain**, enter the email domain of the users who will sign in through SSO (for example: `sso.example.com`).
5. In **Issuer URL**, enter the issuer URL of the identity provider (for example: `https://acme.okta.com`). OIDC endpoints are auto-discovered.
6. Enter the following fields depending on the provider type.

   | Provider type | Fields                                                                                                                       |
   | ------------- | ---------------------------------------------------------------------------------------------------------------------------- |
   | OIDC          | **Client ID**, **Client secret**                                                                                             |
   | SAML          | **Entry point URL** (the IdP's SAML SSO endpoint), **X.509 certificate** (public certificate used to verify SAML assertions) |
7. Click **Set up SSO**.
8. On the registered provider, click **Get verification record**.
9. Add the displayed DNS TXT record name and value to your domain's DNS settings.
10. After the DNS change propagates, click **Verify domain**. SSO sign-in stays unavailable until verification finishes.

{% hint style="info" %}
After registration, copy the **Redirect URI (add this to your IdP)** shown on the screen and add it to the allowed redirect URLs on the identity provider side. Click the copy icon to copy it to the clipboard.
{% endhint %}
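
The issuer URL from step 5 can be checked before it is entered. The following Python script is an added example, not part of Genesis or its documentation: it applies the OpenID Connect Discovery 1.0 rules (well-known path, exact issuer match, HTTPS endpoints) to an IdP's discovery document. The sample document and its endpoint paths are constructed, and how Genesis itself performs discovery is an assumption not covered on this page.

```python
import json
import urllib.request
from urllib.parse import urlsplit

# Metadata an OIDC client needs from discovery (OpenID Connect Discovery 1.0).
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")

def discovery_url(issuer: str) -> str:
    # The spec strips a trailing "/" before appending the well-known path.
    return issuer.rstrip("/") + "/.well-known/openid-configuration"

def fetch_discovery(issuer: str, timeout: float = 10.0) -> dict:
    # Network call; used only when checking a live IdP.
    with urllib.request.urlopen(discovery_url(issuer), timeout=timeout) as resp:
        return json.load(resp)

def check_discovery(issuer: str, doc: dict) -> list[str]:
    """Return the problems found; an empty list means the document is consistent."""
    problems = []
    parts = urlsplit(issuer)
    if parts.scheme != "https" or parts.query or parts.fragment:
        problems.append("issuer must be an https URL without query or fragment")
    for key in REQUIRED:
        value = doc.get(key)
        if not isinstance(value, str) or not value:
            problems.append(f"{key}: missing from discovery document")
        elif urlsplit(value).scheme != "https":
            problems.append(f"{key}: not an https URL ({value})")
    # The issuer the IdP reports must equal the entered one character for
    # character; a stray trailing slash is enough to make ID tokens fail.
    reported = doc.get("issuer")
    if isinstance(reported, str) and reported != issuer:
        problems.append(f"issuer mismatch: entered {issuer!r}, IdP reports {reported!r}")
    return problems

# Constructed sample document (hypothetical endpoint paths, not a real IdP's).
SAMPLE = {
    "issuer": "https://acme.okta.com",
    "authorization_endpoint": "https://acme.okta.com/authorize",
    "token_endpoint": "https://acme.okta.com/token",
    "jwks_uri": "https://acme.okta.com/keys",
}

if __name__ == "__main__":
    # Entering the issuer with a trailing slash is reported as a mismatch.
    for line in check_discovery("https://acme.okta.com/", SAMPLE) or ["ok"]:
        print(line)
```

Against a live IdP, pass `fetch_discovery(issuer)` as the second argument to `check_discovery`.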

## Reviewing registered SSO providers

The **Single Sign-On** page shows the type of each registered provider (OIDC / SAML), the email domain, the issuer URL, the redirect URI that must be registered with the IdP, and whether domain ownership has been verified. Until verification finishes, SSO sign-in remains unavailable for that provider.

## Removing an SSO provider

1. Open the **Single Sign-On** page.
2. Click **Remove SSO** on the registered provider.
3. Click **Delete** in the confirmation dialog.

{% hint style="warning" %}
After an SSO provider is removed, users who signed in through that provider need to sign in with email and password.
{% endhint %}

## Troubleshooting

| Situation                                           | Cause                                                                               | Resolution                                                                                                                   |
| --------------------------------------------------- | ----------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------- |
| "Client ID is required for OIDC providers."         | **Client ID** is missing for an OIDC provider.                                      | Enter the client ID.                                                                                                         |
| "Client secret is required for OIDC providers."     | **Client secret** is missing for an OIDC provider.                                  | Enter the client secret.                                                                                                     |
| "Entry point URL is required for SAML providers."   | **Entry point URL** is missing for a SAML provider.                                 | Enter the SAML SSO endpoint URL of the IdP.                                                                                  |
| "X.509 certificate is required for SAML providers." | **X.509 certificate** is missing for a SAML provider.                               | Paste the public certificate of the IdP.                                                                                     |
| "Failed to register SSO provider."                  | The credentials entered were not accepted by the IdP.                               | Verify the issuer URL, client credentials, certificate, and other inputs.                                                    |
| "Domain ownership not verified" is shown.           | The DNS TXT record has not been added yet, or DNS propagation is still in progress. | Click **Get verification record**, add the displayed TXT record to your domain, then wait and click **Verify domain** again. |
| "Could not verify domain ownership."                | Genesis could not find the expected DNS TXT record yet.                             | Confirm the TXT record name and value, wait for DNS propagation, and retry **Verify domain**.                                |

## Further reading

* [Security](/settings/organization-settings/security.md)

