# Single Sign-On (SSO) Setup

## SSO Overview <a href="#h_b94fb6bffe" id="h_b94fb6bffe"></a>

Single Sign-On (SSO) setup simplifies user authentication and access management across multiple applications within an organization. It allows users to securely authenticate once and access various services without having to re-enter credentials. Integrating your SSO providers with Finout enhances security and streamlines administration by reducing the risk of credential-based attacks.

## Connect Your SSO Providers to Finout <a href="#h_54bed064d4" id="h_54bed064d4"></a>

Follow this procedure to integrate your SSO providers with Finout.

**To connect SSO providers to Finout:**

1. In Finout, navigate to the **Admin Portal**.

   <figure><img src="https://3858159242-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FWqjB2puKXPDR7L86FX2e%2Fuploads%2FNt83xVaBL4E4hpjgqri0%2Fimage.png?alt=media&#x26;token=6bf2fe2a-5502-4e4e-a380-7b0995f9a328" alt=""><figcaption></figcaption></figure>
2. In the Admin Portal navigation bar, click **SSO**.

   <figure><img src="https://3858159242-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FWqjB2puKXPDR7L86FX2e%2Fuploads%2F0wrXCxmpjSyEvI1XC6pZ%2Fimage.png?alt=media&#x26;token=2d84a14e-029d-4bf0-99f8-73c8310e9b07" alt=""><figcaption></figcaption></figure>
3. Click on **Setup SSO** connection.\
   The **Setup SSO** connection appears.

<figure><img src="https://finout.intercom-attachments.eu/i/o/8218171/cf9a408a31463fdb87c3aa23/DuOQgmyH0eX7FZpgGk7G6gWWtDaYzL85dntANchtpqnTVIXvRBtLUIVoz0jar3DbelumNatk1L2SBlAoQZDmjPHpzfiP9QYmlQkJ_ZI6odz6Wk6g6tYnyESxPDFM0DHNblXBOnYdIzQ0fRNRrOyHDX4?expires=1724340600&#x26;signature=a07c311e3af3d36dd5b5e194084ec83c97fbf1f003b95bbc1c45a38d594cf5a6&#x26;req=2NduzVn9rXsp0xr0v9tnpEDicMgFuM14zXpKY44Uf19gbCC6s34SLdqPCqXV%0A" alt=""><figcaption></figcaption></figure>

4. Select the SSO provider that you want to connect to Finout.

   <div data-gb-custom-block data-tag="hint" data-style="info" class="hint hint-info"><p><strong>Note</strong>: It is recommended to choose the SAML integration.</p></div>
5. Follow the onscreen instructions for the chosen SSO provider.\
   You are redirected to the Self-service SAML configuration/SSO configuration.

   <figure><img src="https://3858159242-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FWqjB2puKXPDR7L86FX2e%2Fuploads%2FurmjoFqZUczzrkL616WK%2Fimage.png?alt=media&#x26;token=79918473-a1df-408d-906e-9a0779bfb523" alt=""><figcaption></figcaption></figure>
6. Enter a **Domain Name** and click **Proceed**.

   <div data-gb-custom-block data-tag="hint" data-style="info" class="hint hint-info"><p><strong>Note</strong>: The domain must be claimed by copying the TXT record and applying it to your DNS provider.</p></div>

   The **Record Name** and **Record Value** appear.

   <figure><img src="https://3858159242-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FWqjB2puKXPDR7L86FX2e%2Fuploads%2FX0D9PdPKgJAti5GMYZjc%2Fimage.png?alt=media&#x26;token=fd510f3a-9605-4669-b5d6-2de8b23e7682" alt=""><figcaption></figcaption></figure>
7. Copy this data and add it to a new TXT record in your DNS file, then click **Proceed**.\
   You are brought to the **Manage Authorization** step.

   <figure><img src="https://3858159242-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FWqjB2puKXPDR7L86FX2e%2Fuploads%2FmObTx3a3hTDHuQcSgaiA%2Fimage.png?alt=media&#x26;token=781107b9-b897-41b5-ad1d-e161c7d45c73" alt=""><figcaption></figcaption></figure>
8. Assign default roles to all SSO users by adding one or more account roles from your list of predefined roles.
9. You can optionally map your IdP groups to roles available in the application.

   <div data-gb-custom-block data-tag="hint" data-style="info" class="hint hint-info"><p><strong>Note</strong>: Ensure that your IdP sends the <code>groups</code> attribute in the SAML Assertion.</p></div>

   <figure><img src="https://3858159242-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FWqjB2puKXPDR7L86FX2e%2Fuploads%2FlmUmLP9Zpqh5Cgyqv41A%2Fimage.png?alt=media&#x26;token=11ef2467-6eae-4e69-ac4e-5977abe1540a" alt=""><figcaption></figcaption></figure>
10. Click **Done** and save the connection.
11. Log in to Finout using SSO to ensure that it is enabled.

    <div data-gb-custom-block data-tag="hint" data-style="info" class="hint hint-info"><p><strong>Note</strong>: For more information, see <a href="https://developers.frontegg.com/guides/authentication/sso/self-service/saml">Frontegg documentation</a>.</p></div>
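
The note in step 9 requires the IdP to send a `groups` attribute in the SAML Assertion. The following Python check is an added example, not Finout or Frontegg code: it reads a SAML response you captured from your own test login and compares the groups the IdP sent with the IdP group names you entered in the mapping. The sample assertion, group names and function names are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: a decoded assertion fragment from a test login.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="email">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>finops-admins</saml:AttributeValue>
      <saml:AttributeValue>engineering</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

def decode_saml_response(b64_value):
    """Decode the base64 SAMLResponse form field captured from the browser."""
    return base64.b64decode(b64_value).decode("utf-8")

def assertion_attributes(xml_text):
    """Return {attribute name: [values]} for every saml:Attribute element.

    Inspection only: this does not verify the assertion's signature.
    """
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.iter("{%s}Attribute" % SAML_NS["saml"]):
        values = [(v.text or "").strip()
                  for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs

def check_groups(xml_text, mapped_groups, attr_name="groups"):
    """Compare groups sent by the IdP with the groups mapped to roles."""
    attrs = assertion_attributes(xml_text)
    sent = [g for g in attrs.get(attr_name, []) if g]
    return {
        "present": attr_name in attrs,  # False if the IdP uses another name
        "sent": sent,
        "unmapped": sorted(set(sent) - set(mapped_groups)),
        "never_sent": sorted(set(mapped_groups) - set(sent)),
    }

if __name__ == "__main__":
    print(check_groups(SAMPLE_ASSERTION, {"finops-admins", "finance-viewers"}))
```

A result with `present` set to `False` usually means the IdP emits group membership under a different attribute name, so the mapping in step 9 never matches.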

## FAQs <a href="#h_6b212d4255" id="h_6b212d4255"></a>

**If a user has the following groups:**

* Group A in Active Directory: Connected to Group 1 in Finout.
* Group B in Active Directory: Connected to Group 2 in Finout.

**What permissions will the user have if they are moved from Group A to Group B?**

The user will have access to both Group 1 and Group 2 in Finout. To remove access to Group A, you must remove it from Group A in Finout.

**What happens if a user is part of an Active Directory group and belongs to another group in Finout?**

The user will have access to both groups in Finout. This access will be effective immediately upon the next login.

**If a user belongs to multiple SAML groups with corresponding groups in Finout, will Finout assign the user to all these matching groups?**

Yes, if a user belongs to multiple SAML groups with corresponding groups in Finout, Finout will assign the user to all of these matching groups.

**Does Finout support re-evaluating user group memberships upon every SAML login?**

No, group provisioning happens only when the user onboards to Finout. After that, group membership must be managed in the admin portal and in the Finout groups settings.
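
Because the answers above say that access gained through a group mapping stays until it is removed in Finout, a periodic comparison of IdP membership against Finout group membership shows where the two have drifted. The following Python audit is an added example, not Finout code: it assumes you have exported both membership lists yourself, and all user names, the `Cost Center Owners` group and the function name are constructed.

```python
# Mapping configured in step 9 (IdP group -> Finout group), using the FAQ's names.
GROUP_MAPPING = {"Group A": "Group 1", "Group B": "Group 2"}

# Constructed exports: current IdP membership and current Finout membership.
IDP_MEMBERSHIP = {
    "alice@example.com": {"Group B"},            # moved from Group A to Group B
    "bob@example.com": {"Group A"},
    "dana@example.com": {"Group A", "Group B"},  # added to Group B after onboarding
}
FINOUT_MEMBERSHIP = {
    "alice@example.com": {"Group 1", "Group 2"},
    "bob@example.com": {"Group 1", "Cost Center Owners"},  # second group set manually
    "carol@example.com": {"Group 2"},            # no longer present in the IdP
    "dana@example.com": {"Group 1"},
}

def audit_group_drift(idp_membership, finout_membership, mapping):
    """Report, per user, mapped Finout groups that disagree with the IdP.

    stale   - Finout group held although no mapped IdP group backs it any more
    missing - Finout group implied by an IdP group but not assigned in Finout
    Groups that are not the target of any mapping are treated as manual
    assignments and ignored.
    """
    mapped_targets = set(mapping.values())
    report = {}
    for user in sorted(set(idp_membership) | set(finout_membership)):
        idp_groups = idp_membership.get(user, set())
        current = finout_membership.get(user, set())
        expected = {mapping[g] for g in idp_groups if g in mapping}
        stale = (current & mapped_targets) - expected
        missing = expected - current
        if stale or missing:
            report[user] = {"stale": sorted(stale), "missing": sorted(missing)}
    return report

if __name__ == "__main__":
    for user, finding in audit_group_drift(
            IDP_MEMBERSHIP, FINOUT_MEMBERSHIP, GROUP_MAPPING).items():
        print(user, finding)
```

Entries under `stale` are the ones to remove by hand in the admin portal or the Finout groups settings.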
