> ## Documentation Index
> Fetch the complete documentation index at: https://docs.promptguard.co/llms.txt
> Use this file to discover all available pages before exploring further.

# Single Sign-On (SSO)

> Let your team sign in to PromptGuard with your identity provider via SAML or OIDC

# Single Sign-On (SSO)

Connect your identity provider (Okta, Microsoft Entra ID, Google Workspace, OneLogin, and more) so your team signs in to PromptGuard with your existing credentials. PromptGuard supports both **SAML 2.0** and **OIDC**.

You configure the connection yourself through a secure, hosted setup portal — **PromptGuard never sees your IdP credentials**.

<Note>
  SSO and [Directory Sync (SCIM)](/platform/scim) are **Enterprise** features. [Talk to us](mailto:sales@promptguard.co) to enable them for your organization.
</Note>

## How it works

1. An organization **admin** opens the hosted setup portal from PromptGuard.
2. In the portal, you connect your IdP (upload metadata / enter the SAML or OIDC details your IdP gives you).
3. Your users sign in at PromptGuard and are redirected to your IdP to authenticate.
4. On success, PromptGuard signs them in and (optionally) provisions their account.

## Prerequisites

* An **Enterprise** PromptGuard organization.
* The **Owner** or **Admin** role in that organization.
* Admin access to your IdP (to create the SAML/OIDC application).

## Set up SSO

<Steps>
  <Step title="Open the SSO settings">
    In the dashboard, go to **Settings → SSO** and click **Configure SSO**. PromptGuard opens a secure, hosted setup portal for your organization.
  </Step>

  <Step title="Connect your identity provider">
    In the portal, choose your IdP and follow its guided steps — create the SAML/OIDC application in your IdP, then paste the values back (or upload your IdP metadata). The portal validates the connection for you.
  </Step>

  <Step title="Set the allowed email domain(s)">
    Add the email domain(s) your employees use (e.g. `acme.com`). This lets PromptGuard route those users to your IdP automatically at sign-in.
  </Step>

  <Step title="Test the connection">
    Sign in with a test account from your IdP. On success you'll land in the PromptGuard dashboard.
  </Step>
</Steps>

## How your users sign in

Once SSO is configured, members sign in one of two ways:

* **Automatic routing** — they enter their work email on the PromptGuard login page; if the domain matches your configured domain, they're sent to your IdP.
* **Direct SSO link** — `https://app.promptguard.co/auth/sso/<your-org-slug>/authorize`. Share this with your team or wire it into your IdP's app launcher.

## Provisioning behavior

| Situation                                   | What happens                                                                            |
| ------------------------------------------- | --------------------------------------------------------------------------------------- |
| New user, **auto-provision on**             | An account is created and added to your organization as a **Member** on first SSO login |
| New user, **auto-provision off**            | Login is refused until the user is invited to the organization                          |
| Existing PromptGuard user, already a member | Signed in via SSO                                                                       |
| Existing user, **not** yet a member         | Login is refused — they must be invited (or sign in with their existing method) first   |

For fully automated user lifecycle (create **and** deactivate), add [Directory Sync (SCIM)](/platform/scim).

## Security

<Warning>
  PromptGuard only accepts an SSO assertion when your IdP confirms the user's email is **verified**, and it will **never** silently bind an SSO login to a pre-existing PromptGuard account that isn't already a member of your organization. This prevents account-takeover via a misconfigured or malicious IdP.
</Warning>

* IdP credentials are entered only in the hosted setup portal — never stored in or visible to PromptGuard.
* Sessions use short-lived, revocable tokens (1-hour access, 7-day refresh).
* Pair SSO with [Directory Sync](/platform/scim) so deprovisioning in your IdP immediately revokes PromptGuard access.

## Troubleshooting

<AccordionGroup>
  <Accordion title="Login fails with “domain not allowed”">
    The user's email domain isn't in your SSO configuration. Add it in **Settings → SSO**.
  </Accordion>

  <Accordion title="Login fails with “link required”">
    The user already has a PromptGuard account that isn't a member of your org. Invite them to the organization (Settings → Team), or have them sign in with their existing method and then connect SSO.
  </Accordion>

  <Accordion title="Users aren't created automatically">
    Auto-provisioning is off, or your domain isn't configured. Enable auto-provision and confirm the domain, or use Directory Sync to provision from your IdP.
  </Accordion>
</AccordionGroup>

## Next steps

<CardGroup cols={2}>
  <Card title="Directory Sync (SCIM)" icon="users-gear" href="/platform/scim">
    Auto-provision and deprovision members from your directory.
  </Card>

  <Card title="Organizations & Teams" icon="people-group" href="/platform/organizations">
    Roles, members, and project-level access.
  </Card>
</CardGroup>
