{"templateId":"markdown","sharedDataIds":{"sidebar":"sidebar-products/wallet/sidebars.yaml"},"props":{"metadata":{"markdoc":{"tagList":["admonition"]},"type":"markdown"},"seo":{"title":"Configure single sign-on (SSO)","description":"User guides, API reference, and support resources.","siteUrl":"https://docs.ripple.com","lang":"en-US","llmstxt":{"hide":false,"sections":[{"title":"Table of contents","includeFiles":["**/*"],"excludeFiles":[]}],"excludeFiles":[]}},"dynamicMarkdocComponents":[],"compilationErrors":[],"ast":{"$$mdtype":"Tag","name":"article","attributes":{},"children":[{"$$mdtype":"Tag","name":"Heading","attributes":{"level":1,"id":"configure-single-sign-on-sso","__idx":0},"children":["Configure single sign-on (SSO)"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Single sign-on (SSO) lets your team authenticate through your organization's existing identity provider instead of managing separate Wallet-as-a-Service (Palisade) passwords. This guide explains how to configure SSO and manage authentication methods."]},{"$$mdtype":"Tag","name":"Admonition","attributes":{"type":"warning","name":"Configure SSO before inviting users"},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["The authentication method is permanently locked to each user at invite time. If your organization uses SSO, you must complete this setup ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["before"]}," sending any invitations. See ",{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/products/wallet/admin-guide/manage-users-and-roles"},"children":["Manage users and roles"]}," for invitation steps."]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"when-to-use-sso","__idx":1},"children":["When to use SSO"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Use SSO when your organization:"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Uses a centralized identity provider (Google Workspace, Okta, PingFederate, or another SAML/OIDC provider)"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Requires consistent authentication policies across all internal tools"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Wants to reduce password fatigue for team members"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Needs centralized access revocation when employees leave"]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"supported-identity-providers","__idx":2},"children":["Supported identity providers"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Palisade provides built-in support for the following identity providers:"]},{"$$mdtype":"Tag","name":"div","attributes":{"className":"md-table-wrapper"},"children":[{"$$mdtype":"Tag","name":"table","attributes":{"className":"md"},"children":[{"$$mdtype":"Tag","name":"thead","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Provider"},"children":["Provider"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Protocol"},"children":["Protocol"]}]}]},{"$$mdtype":"Tag","name":"tbody","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Okta"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["OIDC"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["ADFS"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["SAML"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Entra ID"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["OIDC"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Google Workspace"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["OIDC"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Keycloak"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["SAML"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["PingFederate"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["SAML"]}]}]}]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["If your provider isn't listed, select ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Custom SAML"]}," or ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Custom OIDC"]}," to configure a connection manually."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"configure-an-sso-connection","__idx":3},"children":["Configure an SSO connection"]},{"$$mdtype":"Tag","name":"ol","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Go to ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Settings"]}," > ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Security"]},"."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["In the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Authentication methods"]}," section, select ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Add new method"]},"."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["A dialog appears with the heading ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Create a connection using the link"]},". Palisade generates a one-time setup link."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Select ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Create connection"]},". This opens a new browser window with the Auth0-hosted setup assistant. Palisade uses Auth0 as the identity broker, so Auth0 stores the credentials, certificates, and metadata you configure on Palisade's behalf."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["On the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Select Your Identity Provider"]}," page, choose your provider (or select Custom SAML / Custom OIDC)."]}]},{"$$mdtype":"Tag","name":"Admonition","attributes":{"type":"warning","name":"Setup link expiry"},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["The setup link expires after ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["5 hours"]},", and you can access it a maximum of ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["10 times"]},". If it expires before you complete the setup, you must create a new authentication method and generate a fresh link."]}]},{"$$mdtype":"Tag","name":"Admonition","attributes":{"type":"info","name":"Provider-specific setup"},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Each provider has its own configuration steps in the setup assistant. You typically need values from your identity provider, such as a client ID, client secret, domain, or metadata URL. Refer to your provider's documentation for details on creating an SSO application."]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"manage-authentication-methods","__idx":4},"children":["Manage authentication methods"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["After configuring SSO, your new method appears in the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Authentication methods"]}," table on the Security page. The table shows:"]},{"$$mdtype":"Tag","name":"div","attributes":{"className":"md-table-wrapper"},"children":[{"$$mdtype":"Tag","name":"table","attributes":{"className":"md"},"children":[{"$$mdtype":"Tag","name":"thead","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Column"},"children":["Column"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Description"},"children":["Description"]}]}]},{"$$mdtype":"Tag","name":"tbody","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Method"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["The authentication method name (for example, \"Username / Password\" or your SSO provider name)"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Identifier"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["The connection identifier"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["IDP"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["The identity provider status (Enabled or Disabled)"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Action"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Actions menu for managing the method"]}]}]}]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"set-the-default-authentication-method","__idx":5},"children":["Set the default authentication method"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["The default method determines how new users authenticate when you send them an invitation."]},{"$$mdtype":"Tag","name":"ol","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Go to ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Settings"]}," > ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Security"]},"."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["In the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Authentication methods"]}," table, find the method you want to use as the default."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Open the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Action"]}," menu for that method and select ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Use as default"]},"."]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["New invitations use the default method automatically."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"enable-or-disable-an-identity-provider","__idx":6},"children":["Enable or disable an identity provider"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["You can temporarily disable an SSO identity provider without removing it:"]},{"$$mdtype":"Tag","name":"ol","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Go to ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Settings"]}," > ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Security"]},"."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["In the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Authentication methods"]}," table, find the SSO method."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Open the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Action"]}," menu and select ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Disable IDP"]}," or ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Enable IDP"]},"."]}]},{"$$mdtype":"Tag","name":"Admonition","attributes":{"type":"warning","name":"Impact of disabling"},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Disabling an identity provider prevents users assigned to that method from signing in. Make sure affected users have an alternative authentication method before you disable their provider."]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"remove-an-authentication-method","__idx":7},"children":["Remove an authentication method"]},{"$$mdtype":"Tag","name":"ol","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Go to ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Settings"]}," > ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Security"]},"."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["In the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Authentication methods"]}," table, find the method to remove."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Open the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Action"]}," menu and select ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Remove method"]},"."]}]},{"$$mdtype":"Tag","name":"Admonition","attributes":{"type":"warning","name":"Restrictions"},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["You can't remove the default authentication method or the built-in username/password method. Change the default to a different method first if you need to remove the current default."]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"related-guides","__idx":8},"children":["Related guides"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/products/wallet/user-interface/users-and-roles/single-sign-on"},"children":["Single sign-on"]}," — Reference documentation"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/products/wallet/admin-guide/manage-users-and-roles"},"children":["Manage users and roles"]}," — Invite users after configuring SSO"]}]}]},"headings":[{"value":"Configure single sign-on (SSO)","id":"configure-single-sign-on-sso","depth":1},{"value":"When to use SSO","id":"when-to-use-sso","depth":2},{"value":"Supported identity providers","id":"supported-identity-providers","depth":2},{"value":"Configure an SSO connection","id":"configure-an-sso-connection","depth":2},{"value":"Manage authentication methods","id":"manage-authentication-methods","depth":2},{"value":"Set the default authentication method","id":"set-the-default-authentication-method","depth":3},{"value":"Enable or disable an identity provider","id":"enable-or-disable-an-identity-provider","depth":3},{"value":"Remove an authentication method","id":"remove-an-authentication-method","depth":3},{"value":"Related guides","id":"related-guides","depth":2}],"frontmatter":{"title":"Configure single sign-on (SSO)","seo":{"title":"Configure single sign-on (SSO)"}},"lastModified":"2026-05-26T12:21:11.000Z","pagePropGetterError":{"message":"","name":""}},"slug":"/products/wallet/admin-guide/configure-sso","userData":{"isAuthenticated":false,"teams":["anonymous"]},"isPublic":true}