# Single sign-on (SSO)

Felt provides Single Sign-On (SSO) functionality for Enterprise workspaces. This enables IT to easily manage access through a single authentication source. Felt’s SSO is built upon the SAML 2.0 standard.

{% hint style="success" %}
This feature is only available on the Enterprise plan. [Contact sales](https://felt.com/sales) to upgrade.
{% endhint %}

## Requirements

* Your workspace is on the Enterprise Plan
* You are an admin in your Felt workspace
* You have an Identity Provider (IdP) that supports SAML 2.0
* You are an admin in your Identity Provider

## Supported Identity Providers

* Okta
* Google
* Entra
* OneLogin
* JumpCloud
* Duo
* Rippling
* Generic SAML 2.0 capable provider

## Quick Overview

1. Enable SSO for your Enterprise workspace
2. Configure the SAML connection between Felt and your IdP
   * You’ll share 3 fields from your IdP with Felt
   * You’ll share 3 fields from Felt with your IdP
   * You’ll configure 3 SAML attributes to be shared with Felt
3. Configure your Felt Enterprise SSO settings

## Detailed Steps

* Navigate to your Felt workspace, click “Settings”, then “Workspace”
* Click “Enable SSO for yourdomain.com” under “Enterprise SSO”
* You’ll be asked to confirm that you have admin access inside your IdP. Click “Configure SAML”
* In the new tab that has been opened, select your Identity Provider
* You will now be guided through a series of steps to configure the SAML connection between Felt and your IdP. These steps may vary between Identity Providers, so follow the details provided in the guide.
  1. Create a SAML app inside your IdP
  2. Provide the 3 requested fields from your IdP
     1. `SAML 2.0 Endpoint`
     2. `Issuer URL / Entity ID`
     3. `Certificate`
  3. Enter the 3 provided fields into your IdP
     1. `ACS URL`
     2. `ACS URL Validator`
     3. `Audience (EntityID)`
  4. Configure the 3 required SAML attributes
     1. `email`
     2. `first_name`
     3. `last_name`
  5. You can skip Step 5; user role configuration is not used
* Click “Finish”
* Click “Test Connection” to confirm that the connection was successful
  * You may need to add your own user to the new SAML application inside your Identity Provider for this test to succeed.
* Click “Finish & go live”
* Close the configuration tab and go back to your Felt workspace settings
* You may now configure your Felt Enterprise SSO settings
  * “Require SSO login”
    * This setting requires that all users on your email domain log in using SSO
    * Users will no longer be able to log in using a password if they already had one
    * Admin users are always exempt from this restriction
  * “Automatically invite new users”
    * When this setting is on, new users that log in to your email domain using SSO will be automatically invited to your Workspace.
      * If you reach your member/editor limit, additional logins will create Felt user accounts, but they won’t be added to your Workspace.
    * They will be invited at the “Default permission level” you have set in the “Joining the workspace” section
* Inside your IdP, assign users you wish to have Felt access to the new SAML application that was created. Only users you assign will be able to log in to Felt.
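
If "Test Connection" fails, the following added example (not Felt's code) checks the base64 `SAMLResponse` form field your IdP posts to the ACS URL for the `Audience (EntityID)` value and the three attributes from step 4. It assumes attribute names must match exactly as listed above; `check_saml_response`, the sample response, and the `example.test` values are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED = ("email", "first_name", "last_name")  # the 3 attributes from step 4

# Constructed sample response: one misnamed attribute, one empty attribute.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>https://sp.example.test/entity</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="email">
      <saml:AttributeValue>ana@example.test</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="firstName">
      <saml:AttributeValue>Ana</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="last_name"><saml:AttributeValue/></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion></samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()


def check_saml_response(b64_response, expected_audience):
    """List configuration problems in a base64 SAMLResponse.

    Inspects content only; it does not verify the XML signature.
    """
    root = ET.fromstring(base64.b64decode(b64_response))
    assertion = root.find(".//saml:Assertion", NS)
    if assertion is None:
        return ["no plaintext Assertion (encrypted or malformed response)"]
    problems = []
    audiences = [a.text.strip() for a in assertion.iterfind(".//saml:Audience", NS) if a.text]
    if expected_audience not in audiences:
        problems.append(f"Audience {audiences} lacks {expected_audience!r}")
    sent = {}  # attribute name -> non-empty values
    for attr in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.iterfind("saml:AttributeValue", NS)
                  if v.text and v.text.strip()]
        sent[attr.get("Name", "")] = values
    for name in REQUIRED:
        if name not in sent:
            problems.append(f"attribute {name!r} missing; IdP sent {sorted(sent)}")
        elif not sent[name]:
            problems.append(f"attribute {name!r} is present but empty")
    return problems


if __name__ == "__main__":
    for p in check_saml_response(SAMPLE_B64, "https://sp.example.test/entity"):
        print("FAIL:", p)
```

Pass the `Audience (EntityID)` value shown in the Felt configuration guide as `expected_audience`; an empty list means the response carries the expected audience and all three attributes.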

## Frequently Asked Questions

<details>

<summary>Can users on other email domains still access my Workspace?</summary>

Yes. You can still invite users from different email domains to your Workspace. This is true even if you enable “Require SSO login”. That setting only applies to users on your configured SSO email domain.

</details>

<details>

<summary>If I de-provision a user in my Identity Provider, will they automatically be removed from Felt?</summary>

No. Felt’s Enterprise SSO implementation supports SAML, which handles access, but not SCIM, which handles automatic provisioning. If you want to remove a user from Felt, you can manually remove them from your Workspace, and their maps will be transferred to an Admin user.

</details>


