---
title: Single Sign-On
subtitle: Centralize authentication with your identity provider
slug: sso
description: Connect your identity provider to centralize authentication, and enforce access policies
---

<Info>
  Single Sign-On (SSO) is available on Enterprise plans only.
</Info>

## Overview

Single Sign-On (SSO) lets your team sign in to Synthflow through your existing identity provider instead of managing separate workspace credentials.

For enterprise organizations, SSO provides centralized authentication control, consistent access and security policies across teams, and faster onboarding/offboarding through identity provider lifecycle management.

SSO configuration is available only to **Super Admins** and **Admins**. For role details, see [Role Management](/role-management).

Synthflow uses **WorkOS** as the SSO infrastructure provider.

## How to enable SSO

Navigate to **Settings** → **Security**. To enable SSO, you must provide:

* **Organization name** (defaults to your workspace name)
* At least one domain from your [whitelist domains](/allowed-email-domains) policy

![Enable SSO with organization name and allowed domain](https://files.buildwithfern.com/synthflow.docs.buildwithfern.com/6303f9dcccc1345acdba8de4ea6d6bedd4cc8726f1e3e835a0bf05f0ddf68158/docs/assets/screenshots/sso_3.png)

After submitting this form, Synthflow creates an organization in WorkOS and redirects you to the identity provider connection list. You can also continue this setup later if you do not want to complete the provider connection immediately. Until the provider setup is successfully completed, the connection remains pending and inactive.

Available providers:

* Okta SAML
* Entra ID (Azure AD) SAML
* Google SAML
* ADP OpenID Connect
* Auth0 SAML
* CAS SAML
* ClassLink SAML
* Cloudflare SAML

Each provider has slightly different setup requirements. Read the provider instructions carefully to ensure a successful connection.

![SSO enabled and active connection status](https://files.buildwithfern.com/synthflow.docs.buildwithfern.com/7f6438f3b4c84399b0a407df58b2e0334b612f6f29dd4fecf2e42223eaab508e/docs/assets/screenshots/sso_1.png)

## Disable SSO

Workspace admins can disable SSO when needed.

* Disabling SSO does **not** remove your WorkOS organization or the external identity provider connection (Okta, OIDC, and others).
* Existing and new users who normally authenticate through SSO will not be able to access the workspace via SSO until SSO is enabled again.

## FAQ

<AccordionGroup>
  <Accordion title="Can the same domain policy exist in two different workspaces?">
    Yes. You can configure the same domain policy in multiple workspaces.
  </Accordion>

  <Accordion title="Can I start SSO setup now and finish it later?">
    Yes. After creating the WorkOS organization, you can return later to complete the identity provider connection. Until setup is completed successfully, the connection remains pending and inactive.
  </Accordion>

  <Accordion title="Who can enable, disable, or manage SSO settings?">
    Only **Super Admins** and **Admins** can configure and manage SSO settings.
  </Accordion>

  <Accordion title="What happens if SSO is disabled after it was active?">
    Users who authenticate through SSO will not be able to access the workspace via SSO until it is enabled again. Disabling SSO does not delete the WorkOS organization or external identity provider connection.
  </Accordion>

  <Accordion title="Can I change identity providers later?">
    Yes. You can update or reconfigure your SSO connection later by managing your identity provider setup from the SSO settings flow.
  </Accordion>

  <Accordion title="Does SSO replace allowed email domains?">
    No. Allowed email domains and SSO complement each other. Allowed domains control invitation policy, while SSO centralizes authentication through your identity provider.
  </Accordion>
</AccordionGroup>