# Other SAML Providers

> How to set up any SAML 2.0 compliant identity provider with Unblocked

This article covers the general steps for configuring SAML with any SAML 2.0 compliant identity provider.

<Note>
  For detailed instructions specific to popular identity providers, see the articles for
  [Okta](/team-settings/sso/okta),
  [PingOne](/team-settings/sso/ping-one),
  [Microsoft Entra ID](/team-settings/sso/entra-id),
  [Google Workspace](/team-settings/sso/google-workspace),
  and [AWS Identity Center](/team-settings/sso/aws-identity-center) instead.
</Note>

## Configure Single Sign-On

<Steps>
  <Step title="Navigate to SSO Settings">
    To connect Unblocked with your SSO provider:

    1. Navigate to the **Settings** section of the Unblocked web app.
    2. Under Team Settings, select **Security**.
    3. Locate the Single Sign-On section and click **Configure**.

    <img src="https://mintcdn.com/unblocked/6EnUukZ0PqneZZya/img/sso/saml-unconfigured.png?fit=max&auto=format&n=6EnUukZ0PqneZZya&q=85&s=8a085ce78bd64c22e88430e6ded14685" alt="SSO Configuration" width="2880" height="1821" data-path="img/sso/saml-unconfigured.png" />
  </Step>

  <Step title="Create an AWS Identity Center application">
    From IAM Identity Center, navigate to the **Applications** tab, and click **Add application**.

    <img src="https://mintcdn.com/unblocked/huIyMMrsU-cj3883/img/sso/aws/add-app.png?fit=max&auto=format&n=huIyMMrsU-cj3883&q=85&s=1358671e3c4bd5327b6a8776e243c7ac" alt="Add application" width="2782" height="1824" data-path="img/sso/aws/add-app.png" />

    Under **Setup preference**, select **I have an application I want to set up**.

    <img src="https://mintcdn.com/unblocked/huIyMMrsU-cj3883/img/sso/aws/setup-pref.png?fit=max&auto=format&n=huIyMMrsU-cj3883&q=85&s=0b381438e13e5bfe5b10daf498777da4" alt="Setup preference" width="2782" height="1824" data-path="img/sso/aws/setup-pref.png" />

    Under **Application type**, select **SAML 2.0**.

    <img src="https://mintcdn.com/unblocked/huIyMMrsU-cj3883/img/sso/aws/app-type.png?fit=max&auto=format&n=huIyMMrsU-cj3883&q=85&s=1f2bb29be4d4b468ceedd2ec610da9c9" alt="Application type" width="2782" height="1824" data-path="img/sso/aws/app-type.png" />

    Click **Next** and enter **Unblocked** as the application name.

    <img src="https://mintcdn.com/unblocked/huIyMMrsU-cj3883/img/sso/aws/app-name.png?fit=max&auto=format&n=huIyMMrsU-cj3883&q=85&s=86cbb71b0eff40d37178295816a9564a" alt="Application name" width="2782" height="1824" data-path="img/sso/aws/app-name.png" />
  </Step>

  <Step title="Configure IAM Identity Center metadata">
    Copy the following information from the **IAM Identity Center metadata** section
    and paste it into Unblocked.

    * IAM Identity Center sign-in URL
    * IAM Identity Center SAML issuer URL
    * IAM Identity Center Certificate

    <img src="https://mintcdn.com/unblocked/huIyMMrsU-cj3883/img/sso/aws/idp-metadata.png?fit=max&auto=format&n=huIyMMrsU-cj3883&q=85&s=bd4f93f4e51f8d848e1cdbc6cc44fc29" alt="Identity Center metadata" width="2782" height="1824" data-path="img/sso/aws/idp-metadata.png" />
  </Step>

  <Step title="Application properties">
    Leave the **Application properties** section in AWS blank.
  </Step>

  <Step title="Configure Application metadata">
    Copy the following values from Unblocked into the **Application metadata** section in AWS Identity Center:

    * **Application ACS URL**
    * **Application SAML audience**
  </Step>

  <Step title="Configure attribute mappings">
    From the **Actions** menu, select **Edit attribute mappings**.

    <img src="https://mintcdn.com/unblocked/huIyMMrsU-cj3883/img/sso/aws/edit-attr.png?fit=max&auto=format&n=huIyMMrsU-cj3883&q=85&s=4ef035f1ba502ce32b00ca6e120d38c0" alt="Edit attribute mappings" width="2782" height="1824" data-path="img/sso/aws/edit-attr.png" />

    Then enter the following mappings:

    | User attribute in Unblocked | User attribute in Identity Center | Format         |
    | :-------------------------- | :-------------------------------- | :------------- |
    | `Subject`                   | `${user.email}`                   | `emailAddress` |
    | `givenName`                 | `${user.givenName}`               | `basic`        |
    | `familyName`                | `${user.familyName}`              | `basic`        |

    <img src="https://mintcdn.com/unblocked/huIyMMrsU-cj3883/img/sso/aws/mappings.png?fit=max&auto=format&n=huIyMMrsU-cj3883&q=85&s=ed2127c0378fa017a46a65a77b242b14" alt="Enter attribute mappings" width="2782" height="1824" data-path="img/sso/aws/mappings.png" />
  </Step>

  <Step title="Assign Users">
    Assign users and groups to your AWS Identity Center application to grant them access to Unblocked.
  </Step>
</Steps>
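
To confirm the configuration after a test sign-in, you can decode the `SAMLResponse` your IdP posts and compare it with the values entered above. The following Python check is an added example, not Unblocked's code: it assumes the attribute names in the mapping table are emitted as SAML attribute names, uses placeholder URLs in a constructed sample, and does not verify the XML signature.

```python
import xml.etree.ElementTree as ET  # parse only your own capture; use defusedxml for untrusted XML

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample (base64-decoded SAMLResponse); every URL and name is a placeholder.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>
  <saml:Issuer>https://idp.example.test/issuer</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">dev@example.test</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://sp.example.test/acs"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>https://sp.example.test/audience</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="givenName"><saml:AttributeValue>Dev</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="familyName"><saml:AttributeValue>User</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion></samlp:Response>"""

def check_assertion(xml_text, issuer, acs_url, audience):
    """List mismatches between a decoded SAML response and the values configured above."""
    a = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if a is None:
        return ["no plaintext Assertion found (it may be encrypted)"]
    problems = []
    if a.findtext("saml:Issuer", "", NS).strip() != issuer:
        problems.append("Issuer differs from the IdP SAML issuer URL")
    name_id = a.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("Subject NameID is not in emailAddress format")
    elif "@" not in (name_id.text or ""):
        problems.append("Subject NameID value is not an email address")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url:
        problems.append("Recipient differs from the Application ACS URL")
    audiences = {(e.text or "").strip() for e in a.iterfind(".//saml:Audience", NS)}
    if audience not in audiences:
        problems.append("Audience differs from the Application SAML audience")
    names = {e.get("Name") for e in a.iterfind("saml:AttributeStatement/saml:Attribute", NS)}
    for required in ("givenName", "familyName"):
        if required not in names:
            problems.append(f"attribute {required} is missing")
    return problems
```

An empty list means the assertion carries the subject format, audience, recipient and name attributes that were configured; each string in a non-empty list names the setting to recheck.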

## User and Group Provisioning

Once you've configured SSO, you can enable user and group provisioning to automatically manage user access to Unblocked.
This feature allows you to automatically create, update, and deactivate users in Unblocked based on changes in your identity provider.

Unblocked is a fully compliant SCIM 2.0 service provider and supports user and group provisioning from any SCIM-compliant identity provider.

To configure SCIM provisioning from your identity provider to Unblocked, you'll need to generate a SCIM API token in Unblocked, then follow the instructions for your identity provider.

<Steps>
  <Step title="Generate SCIM API Token">
    In the Unblocked web app, navigate to the **Settings** section.
    Under Team Settings, select **Security**.
    Locate the SCIM User and Group Provisioning section and click **Configure**.

    <img src="https://mintcdn.com/unblocked/6EnUukZ0PqneZZya/img/scim/scim-unb-configure.png?fit=max&auto=format&n=6EnUukZ0PqneZZya&q=85&s=2f4c317ea748c63c6b2b9dbcf3806d31" alt="SCIM Configure" width="2880" height="1820" data-path="img/scim/scim-unb-configure.png" />

    Click **Add Token** to generate a new API token for SCIM provisioning.
    Copy both the new API token and the **Base URL**.

    <img src="https://mintcdn.com/unblocked/6EnUukZ0PqneZZya/img/scim/scim-unb-keys.png?fit=max&auto=format&n=6EnUukZ0PqneZZya&q=85&s=41595680248cb3c5444d1a748d4dae93" alt="Generate API Token" width="2880" height="1820" data-path="img/scim/scim-unb-keys.png" />
  </Step>

  <Step title="Setup SCIM Connection">
    Follow the instructions for your identity provider to configure a SCIM connection to Unblocked.
    You will need the **Base URL** and **API Token** that you generated in the previous step.
  </Step>
</Steps>

## Enforce SSO

Once SSO is configured, you can enforce its use for your team.
This means all team members will be required to sign in using your SSO provider.

There are two enforcement options:

* **SSO Only**:
  Users will be required to sign in to Unblocked using SSO.
  You may need to sign in with SSO before enabling this option.

* **SSO, a Source Code System, or Slack**:
  Users can sign in using either SSO, their source code system (e.g., GitHub, Bitbucket, or GitLab), or Slack.

<img src="https://mintcdn.com/unblocked/6EnUukZ0PqneZZya/img/sso/enforce/sso-enforce-off-zoom.png?fit=max&auto=format&n=6EnUukZ0PqneZZya&q=85&s=2027f8e85edbc59c56fdc8a6894397e8" alt="SSO Enforcement Options" width="1748" height="1114" data-path="img/sso/enforce/sso-enforce-off-zoom.png" />

## Allowed Email Domains

Verifying a domain ensures that users who enter an email address from that domain on the Unblocked sign-in page are automatically directed to your SSO login.
This creates a seamless login experience and routes users through the correct authentication flow.

You can add multiple domains to enable SSO login detection for users whose email addresses are on different domains.
To verify a domain:

<Steps>
  <Step title="Add Domain">
    Click **Add Domain** and enter the domain name you want to verify.
  </Step>

  <Step title="Verify Domain">
    Unblocked will prompt you to add a TXT record to your DNS settings to complete the verification.
  </Step>
</Steps>

Once the domain is verified, any user who enters an email address matching that domain on the Unblocked sign-in page will see the SSO login option for your SAML provider.

Verifying a domain only controls the visibility of the SSO login option and does not automatically grant access to
your Unblocked team. Access to Unblocked is still managed through user and group assignments in your identity provider (IdP).

## Download Unblocked Logo

To help your users easily recognize Unblocked in their identity provider dashboard,
download the Unblocked logo for use in your SSO application.

<img src="https://mintcdn.com/unblocked/soZi90zJ9_abJhu-/img/brand/unblocked-512x512.png?fit=max&auto=format&n=soZi90zJ9_abJhu-&q=85&s=1dddee26e2a67f4de23cb62f773c2319" alt="Unblocked Logo" width="50%" data-path="img/brand/unblocked-512x512.png" />
