# Single-Sign On (SAML)
source: https://docs.chalk.ai/docs/sso-saml

## Setting up Single-Sign On with SAML

Chalk supports Single Sign-On (SSO) and is compatible with
any Identity Provider that supports SAML 2.0, including but not limited to:

- Okta
- Azure Entra ID
- Google
- JumpCloud

### Supported Features

Chalk supports both Identity Provider (IdP)-initiated SSO Login, as well as
Service Provider (SP)-initiated login, using well-known email domains submitted
by your team.

Chalk also supports just-in-time provisioning, allowing users to access the
dashboard even if they have not been explicitly invited by an owner.
Users who log in via SSO with this provisioning will have the Viewer role.

### Customers with Self-Hosted Web Dashboards

For customers whose self-hosted deployments include a full API server and frontend deployment via helm,
this page is only part of the setup needed to configure SAML. After completing this guide, please refer to
the Cloud Auth documentation to complete setup.

For the rest of the setup, screenshots will refer to example environments on the https://chalk.ai
site. Note that the values will differ from those found on your deployment's Single Sign-On page,
and the latter should be used when setting up SAML applications.

### Setup Steps

For team owners, all configuration can be found in the settings section of your environments,
under "Single Sign-On". This page includes both the details needed to set up a SAML application
in your identity provider, as well as the form to submit SAML certificates and well-known email
domains that can access your SAML application.

### Identity Provider Setup

The details necessary to set up a SAML application within your Identity Provider can be found at
the bottom of the page:

[Screenshot: SAML IdP Setup Details]

In addition, it is important that the following is configured in your SAML application:

- The main assertion subject should be the email.
- Chalk requires that assertions be signed, but not necessarily encrypted with our
certificate.

For detailed steps on how to set up a SAML application with a certain identity provider, follow these guides:

- Okta
- Azure Entra ID

### Chalk Setup

After creating a SAML application within your identity provider, the Single-Sign On page
is where you can submit details to Chalk to add a new application. At the top of the page,
there is a button to add additional configurations. To integrate your SAML application with Chalk,
the following details are needed:

- Name: This is not a field provided by your identity provider, but rather a Chalk-internal name used
to reference this application. If your team uses multiple SSO applications, this will be shown
to users when using "Sign In via SSO" from our login page.
- Issuer
- Login URL
- Logout URL (this might be the same as the Login URL)
- Signing Certificate

If your Identity Provider provides a metadata XML file, this will contain all the necessary fields and
can be submitted in lieu of inputting the above fields.
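
As an added example (not Chalk's code), the following Python sketch reads an IdP metadata XML file and pulls out the four values listed above, so you can confirm they are present and compare the certificate fingerprint with the one shown in your IdP console before submitting. The function name, the `idp.example.com` host and the certificate bytes are constructed placeholders, and the mapping of Chalk's form fields to standard SAML 2.0 metadata elements is an assumption.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample metadata: placeholder host and certificate bytes, not a real IdP.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>Y29uc3RydWN0ZWQ=</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Location="https://idp.example.com/saml/slo"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
    <md:SingleSignOnService Location="https://idp.example.com/saml/sso"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def extract_idp_fields(metadata_xml):
    """Hypothetical helper: return Issuer, Login URL, Logout URL and signing cert."""
    # Refuse DTDs so entity-expansion input never reaches the parser.
    if "<!DOCTYPE" in metadata_xml or "<!ENTITY" in metadata_xml:
        raise ValueError("metadata must not contain a DTD")
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if root.tag != "{%s}EntityDescriptor" % NS["md"] or idp is None:
        raise ValueError("not a SAML 2.0 IdP EntityDescriptor")
    def location(tag):  # first endpoint of this type, if any
        el = idp.find("md:" + tag, NS)
        return el.get("Location") if el is not None else None
    # A KeyDescriptor with no "use" attribute applies to signing and encryption.
    certs = [c.text for kd in idp.findall("md:KeyDescriptor", NS)
             if kd.get("use") in (None, "signing")
             for c in kd.iterfind(".//ds:X509Certificate", NS) if c.text]
    fields = {"issuer": root.get("entityID"),
              "login_url": location("SingleSignOnService"),
              "logout_url": location("SingleLogoutService"),
              "signing_certificate": "".join(certs[0].split()) if certs else None}
    missing = [name for name, value in fields.items() if not value]
    if missing:
        raise ValueError("metadata is missing: " + ", ".join(missing))
    der = base64.b64decode(fields["signing_certificate"])
    fields["certificate_sha256"] = hashlib.sha256(der).hexdigest()
    return fields

if __name__ == "__main__":
    for name, value in extract_idp_fields(SAMPLE_METADATA).items():
        print(f"{name}: {value}")
```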

Once the configuration is submitted, the SAML application will be ready to use and can be tested
from your identity provider.

[Screenshot: SAML Chalk Setup Details]

### Sign in Via SSO

Chalk supports sign in via SSO from our dashboard's login page, if your
email domain is registered with Chalk. Email domains are available to set up once a SAML application
is configured for your team.

To register your domain with Chalk:

- Navigate to your team's Single-Sign On page.
- In the section "Email Domains", add any domains used by your team, and which
SAML applications they should be redirected to. If multiple configurations are selected, users will choose which one to redirect to from our login page.
- Your email domain will be submitted for review with the Chalk Support team. Once approved, emails matching your team's domains
will redirect to your team's configured SAML applications.

[Screenshot: Chalk Sign in With SSO]





