# Configure single sign-on (SSO)

Single sign-on (SSO) lets your team authenticate through your organization's existing identity provider instead of managing separate Wallet-as-a-Service (Palisade) passwords. This guide explains how to configure SSO and manage authentication methods.

**Configure SSO before inviting users:** The authentication method is permanently locked to each user at invite time. If your organization uses SSO, you must complete this setup **before** sending any invitations. See [Manage users and roles](/products/wallet/admin-guide/manage-users-and-roles) for invitation steps.

## When to use SSO

Use SSO when your organization:

- Uses a centralized identity provider (Google Workspace, Okta, PingFederate, or another SAML/OIDC provider)
- Requires consistent authentication policies across all internal tools
- Wants to reduce password fatigue for team members
- Needs centralized access revocation when employees leave


## Supported identity providers

Palisade provides built-in support for the following identity providers:

| Provider | Protocol |
|  --- | --- |
| **Okta** | OIDC |
| **ADFS** | SAML |
| **Entra ID** | OIDC |
| **Google Workspace** | OIDC |
| **Keycloak** | SAML |
| **PingFederate** | SAML |


If your provider isn't listed, select **Custom SAML** or **Custom OIDC** to configure a connection manually.

## Configure an SSO connection

1. Go to **Settings** > **Security**.
2. In the **Authentication methods** section, select **Add new method**.
3. A dialog appears with the heading **Create a connection using the link**. Palisade generates a one-time setup link.
4. Select **Create connection**. This opens a new browser window with the Auth0-hosted setup assistant. Palisade uses Auth0 as the identity broker, so Auth0 stores the credentials, certificates, and metadata you configure on Palisade's behalf.
5. On the **Select Your Identity Provider** page, choose your provider (or select Custom SAML / Custom OIDC).


**Setup link expiry:** The setup link expires after **5 hours**, and you can access it a maximum of **10 times**. If it expires before you complete the setup, you must create a new authentication method and generate a fresh link.

**Provider-specific setup:** Each provider has its own configuration steps in the setup assistant. You typically need values from your identity provider, such as a client ID, client secret, domain, or metadata URL. Refer to your provider's documentation for details on creating an SSO application.

## Manage authentication methods

After configuring SSO, your new method appears in the **Authentication methods** table on the Security page. The table shows:

| Column | Description |
|  --- | --- |
| **Method** | The authentication method name (for example, "Username / Password" or your SSO provider name) |
| **Identifier** | The connection identifier |
| **IDP** | The identity provider status (Enabled or Disabled) |
| **Action** | Actions menu for managing the method |


### Set the default authentication method

The default method determines how new users authenticate when you send them an invitation.

1. Go to **Settings** > **Security**.
2. In the **Authentication methods** table, find the method you want to use as the default.
3. Open the **Action** menu for that method and select **Use as default**.


New invitations use the default method automatically.

### Enable or disable an identity provider

You can temporarily disable an SSO identity provider without removing it:

1. Go to **Settings** > **Security**.
2. In the **Authentication methods** table, find the SSO method.
3. Open the **Action** menu and select **Disable IDP** or **Enable IDP**.


**Impact of disabling:** Disabling an identity provider prevents users assigned to that method from signing in. Make sure affected users have an alternative authentication method before you disable their provider.

### Remove an authentication method

1. Go to **Settings** > **Security**.
2. In the **Authentication methods** table, find the method to remove.
3. Open the **Action** menu and select **Remove method**.


**Restrictions:** You can't remove the default authentication method or the built-in username/password method. Change the default to a different method first if you need to remove the current default.

## Related guides

- [Single sign-on](/products/wallet/user-interface/users-and-roles/single-sign-on) — Reference documentation
- [Manage users and roles](/products/wallet/admin-guide/manage-users-and-roles) — Invite users after configuring SSO