> ## Documentation Index
> Fetch the complete documentation index at: https://docs.draftt.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Single Sign-On (SSO)

Draftt supports SSO via **SAML 2.0** and **OIDC**, letting your teams authenticate through your existing identity provider. Once configured, users log in through your IdP with no separate Draftt credentials to manage, rotate, or recover.

SSO centralizes authentication enforcement. MFA policies, session timeouts, conditional access rules, and device trust requirements you've configured in your IdP apply to Draftt automatically.

## Supported Identity Providers

Draftt supports any identity provider that implements SAML 2.0 or OIDC. The following providers are tested and documented.

<CardGroup cols={3}>
  <Card title="Okta" />

  <Card title="Microsoft Entra ID" />

  <Card title="Google Workspace" />

  <Card title="Microsoft AD FS" />

  <Card title="PingFederate" />

  <Card title="PingOne" />

  <Card title="OneLogin" />

  <Card title="Keycloak" />

  <Card title="JumpCloud" />

  <Card title="Auth0" />

  <Card title="CyberArk" />

  <Card title="Descope" />

  <Card title="Duo" />

  <Card title="ClassLink" />

  <Card title="LastPass" />

  <Card title="miniOrange" />

  <Card title="Salesforce" />
</CardGroup>

## How It Works

When SSO is enabled for your organization:

1. Users who visit `app.draftt.io` and enter their work email are redirected to your IdP.
2. Your IdP authenticates them and returns a signed assertion (SAML) or ID token (OIDC) to Draftt.
3. Draftt validates the assertion, resolves the user, and creates an authenticated session.
4. If **Just-in-Time (JIT) provisioning** is enabled, first-time users are automatically created in Draftt with a default role.

<Note>
  Once SSO is enforced for your organization, password-based login is disabled. All users must authenticate through your IdP.
</Note>

## Configuration

To enable SSO for your organization, go to **Account Settings > Authentication** in Draftt. Click **Configure SSO** and follow the on-screen instructions. Draftt's setup flow guides you through the IdP-specific metadata exchange and lets you test authentication before enforcing it.

## Just-in-Time (JIT) Provisioning

When JIT provisioning is enabled, users who successfully authenticate via SSO for the first time are automatically created in Draftt. You configure:

* **Default role** - The role assigned to JIT-provisioned users. Typically `Developer` or `Viewer`.
* **Domain allowlist** - Only email addresses matching your configured domains are provisioned. Prevents authentication from external addresses that might exist in your IdP.

JIT provisioning does not handle deprovisioning. For automatic deprovisioning when users leave your organization, use [SCIM Provisioning](/scim).

## Next Steps

* Configure [SCIM Provisioning](/scim) to automate user lifecycle management
* Review [Roles & Permissions](/rbac) to confirm the right default role for JIT-provisioned users
