Single sign-on (SSO) lets your team authenticate through your organization's existing identity provider instead of managing separate Wallet-as-a-Service (Palisade) passwords. This guide explains how to configure SSO and manage authentication methods.
The authentication method is permanently locked to each user at invite time. If your organization uses SSO, you must complete this setup before sending any invitations. See Manage users and roles for invitation steps.
Use SSO when your organization:
- Uses a centralized identity provider (Google Workspace, Okta, PingFederate, or another SAML/OIDC provider)
- Requires consistent authentication policies across all internal tools
- Wants to reduce password fatigue for team members
- Needs centralized access revocation when employees leave
Palisade provides built-in support for the following identity providers:
| Provider | Protocol |
|---|---|
| Okta | OIDC |
| ADFS | SAML |
| Entra ID | OIDC |
| Google Workspace | OIDC |
| Keycloak | SAML |
| PingFederate | SAML |
If your provider isn't listed, select Custom SAML or Custom OIDC to configure a connection manually.
To add an SSO authentication method:
- Go to Settings > Security.
- In the Authentication methods section, select Add new method.
- A dialog appears with the heading Create a connection using the link. Palisade generates a one-time setup link.
- Select Create connection. This opens a new browser window with the Auth0-hosted setup assistant. Palisade uses Auth0 as the identity broker, so Auth0 stores the credentials, certificates, and metadata you configure on Palisade's behalf.
- On the Select Your Identity Provider page, choose your provider (or select Custom SAML / Custom OIDC).
The setup link expires after 5 hours, and you can access it a maximum of 10 times. If it expires before you complete the setup, you must create a new authentication method and generate a fresh link.
Each provider has its own configuration steps in the setup assistant. You typically need values from your identity provider, such as a client ID, client secret, domain, or metadata URL. Refer to your provider's documentation for details on creating an SSO application.
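A pre-flight check for the OIDC values mentioned above, worth running before you open the setup link because its lifetime and access count are limited. This is an added example, not Palisade or Auth0 code; it assumes you have your provider's discovery (metadata) document at hand, and the `idp.example.com` URLs and sample documents are constructed.

```python
from urllib.parse import urlsplit

# Fields that OpenID Connect Discovery 1.0 marks REQUIRED in provider metadata.
REQUIRED = ("issuer", "authorization_endpoint", "jwks_uri",
            "response_types_supported", "subject_types_supported",
            "id_token_signing_alg_values_supported")
WELL_KNOWN = "/.well-known/openid-configuration"

def preflight(metadata_url, doc):
    """Return a list of problems; an empty list means the values are consistent."""
    problems = [f"missing required field: {k}" for k in REQUIRED if k not in doc]
    issuer = doc.get("issuer", "")
    parts = urlsplit(issuer)
    if parts.scheme != "https" or not parts.netloc:
        problems.append("issuer is not an https URL")
    if parts.query or parts.fragment:
        problems.append("issuer contains a query or fragment")
    # The metadata URL must be the issuer plus the well-known suffix. A mismatch
    # usually means the document belongs to another tenant or host.
    if metadata_url != issuer.rstrip("/") + WELL_KNOWN:
        problems.append("issuer does not match the metadata URL")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if key in doc and urlsplit(doc[key]).scheme != "https":
            problems.append(f"{key} is not https")
    if "none" in doc.get("id_token_signing_alg_values_supported", []):
        problems.append("provider advertises unsigned ID tokens (alg none)")
    return problems

# Constructed sample input (not a real provider).
GOOD_URL = "https://idp.example.com/tenant-a" + WELL_KNOWN
GOOD = {
    "issuer": "https://idp.example.com/tenant-a",
    "authorization_endpoint": "https://idp.example.com/tenant-a/authorize",
    "token_endpoint": "https://idp.example.com/tenant-a/token",
    "jwks_uri": "https://idp.example.com/tenant-a/keys",
    "response_types_supported": ["code"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
}
# Same document with a wrong tenant in the issuer and a plaintext token endpoint.
BAD = dict(GOOD, issuer="https://idp.example.com/tenant-b",
           token_endpoint="http://idp.example.com/tenant-a/token")

if __name__ == "__main__":
    for name, doc in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, preflight(GOOD_URL, doc) or "ok")
```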
After configuring SSO, your new method appears in the Authentication methods table on the Security page. The table shows:
| Column | Description |
|---|---|
| Method | The authentication method name (for example, "Username / Password" or your SSO provider name) |
| Identifier | The connection identifier |
| IDP | The identity provider status (Enabled or Disabled) |
| Action | Actions menu for managing the method |
The default method determines how new users authenticate when you send them an invitation.
- Go to Settings > Security.
- In the Authentication methods table, find the method you want to use as the default.
- Open the Action menu for that method and select Use as default.
New invitations use the default method automatically.
You can temporarily disable an SSO identity provider without removing it:
- Go to Settings > Security.
- In the Authentication methods table, find the SSO method.
- Open the Action menu and select Disable IDP or Enable IDP.
Disabling an identity provider prevents users assigned to that method from signing in. Make sure affected users have an alternative authentication method before you disable their provider.
To remove an authentication method:
- Go to Settings > Security.
- In the Authentication methods table, find the method to remove.
- Open the Action menu and select Remove method.
You can't remove the default authentication method or the built-in username/password method. Change the default to a different method first if you need to remove the current default.
- Single sign-on — Reference documentation
- Manage users and roles — Invite users after configuring SSO