# Overview

> Authenticate firmly Connect Dashboard users through your own Identity Provider.

<Info>
  **Centralize dashboard access in your Identity Provider.** Configure firmly Connect to delegate sign-in to any OpenID Connect or SAML 2.0 IdP, scoped per email domain you own.
</Info>

## What you get

<CardGroup cols={3}>
  <Card title="Centralized Identity" icon="users">
    Your team logs in to firmly Connect using the same Identity Provider they already use everywhere else.
  </Card>

  <Card title="Per-Domain Control" icon="globe">
    Each verified email domain has its own IdP configuration. Different domains can use different IdPs.
  </Card>

  <Card title="Strict Enforcement" icon="lock">
    When SSO enforcement is enabled for a domain, OTP and magic-link login are blocked — every user on that domain must authenticate through your IdP.
  </Card>
</CardGroup>

## How SSO works

Setting up SSO is a four-stage flow. You verify ownership of a domain, configure an Identity Provider, bind the IdP to the verified domain, and finally turn on enforcement.

```mermaid theme={null}
graph LR
    A[Register Domain] --> B[Verify Ownership<br/>via DNS TXT]
    B --> C[Configure IdP<br/>OIDC or SAML]
    C --> D[Bind IdP<br/>to Domain]
    D --> E[Enforce SSO<br/>per Domain]
```

You **must** verify the domain *and* bind it to an enabled IdP before the **SSO Enforced** toggle becomes available. This prevents an organization from locking itself out of an unverified domain or a domain with no working IdP.

## Per-domain enforcement

Enforcement is scoped to one verified email domain at a time — it is never global. Turning **SSO Enforced** on for `acme.com` does **not** affect users on any other domain.

When enforcement is on for a domain:

* Every user whose email belongs to that domain must complete an SSO sign-in through the bound IdP.
* One-time-passcode (OTP) and magic-link logins are **blocked** for that domain. There is no bypass.
* Users on other (unenforced) domains are unaffected and can continue to log in via OTP or magic link.

You can step back from enforcement without deleting any configuration:

* **Disable the IdP** — the **Enabled** toggle on the IdP form turns enforcement off everywhere it is bound, while preserving the IdP configuration.
* **Toggle SSO Enforced off** on a specific domain — users on that domain regain OTP / magic-link access.

<Warning>
  Once enforcement is on for a domain, users on that domain who are not provisioned (or not reachable) through the bound IdP will lose dashboard access. Always run a successful **Test Connection** on the IdP, and try a real SSO sign-in, **before** turning the **SSO Enforced** toggle on.
</Warning>
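The per-domain rules above, modelled as an added example in Python (this is not firmly's code; the class and function names, and the sample tenant, are assumptions): the **SSO Enforced** toggle is only available for a verified domain bound to an enabled IdP, enforcement blocks OTP and magic link for that domain only, and disabling the IdP switches enforcement off everywhere it is bound without discarding configuration.

```python
# Added illustration of this page's enforcement rules; names are assumptions, not firmly's API.
from dataclasses import dataclass, field

@dataclass
class IdentityProvider:
    name: str
    enabled: bool                                          # the Enabled toggle on the IdP form
    authorized_domains: set = field(default_factory=set)   # domains the IdP is bound to

@dataclass
class Domain:
    name: str              # email domain, lower-case
    verified: bool         # DNS TXT ownership proof completed
    sso_enforced: bool = False

def bound_idp(domain, idps):
    """Return the IdP whose Authorized Domains include this domain, or None."""
    return next((i for i in idps if domain.name in i.authorized_domains), None)

def can_enforce(domain, idps):
    """SSO Enforced is only available for a verified domain bound to an enabled IdP."""
    idp = bound_idp(domain, idps)
    return domain.verified and idp is not None and idp.enabled

def set_enforced(domain, idps, on):
    """Flip the per-domain toggle; refuse to lock down a domain that cannot enforce."""
    if on and not can_enforce(domain, idps):
        raise ValueError(f"{domain.name}: verify the domain and bind an enabled IdP first")
    domain.sso_enforced = on

def allowed_login_methods(email, domains, idps):
    """Sign-in methods a user may use, decided solely by their email domain."""
    name = email.rsplit("@", 1)[-1].lower()
    domain = next((d for d in domains if d.name == name), None)
    if domain is None:
        return {"otp", "magic_link"}           # unknown domain: never enforced
    idp = bound_idp(domain, idps)
    # Enforcement only bites while the bound IdP is enabled (disabling the IdP lifts it).
    if domain.sso_enforced and can_enforce(domain, idps):
        return {"sso"}                          # OTP and magic link blocked, no bypass
    methods = {"otp", "magic_link"}
    if idp is not None and idp.enabled:
        methods.add("sso")                      # SSO offered but not required
    return methods

# Constructed sample tenant: acme.com locked down, example.org left open.
OKTA = IdentityProvider("okta", enabled=True, authorized_domains={"acme.com"})
DOMAINS = [Domain("acme.com", verified=True, sso_enforced=True),
           Domain("example.org", verified=True)]
```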

## Supported protocols

<CardGroup cols={2}>
  <Card title="Generic OpenID Connect" icon="fingerprint" href="/firmly-connect/sso/generic-oidc">
    Connect any OIDC-compliant Identity Provider — Okta, Microsoft Entra ID, Google, Auth0, Keycloak, and more.
  </Card>

  <Card title="Generic SAML 2.0" icon="shield" href="/firmly-connect/sso/generic-saml">
    Connect any SAML 2.0-compliant Identity Provider, with optional one-click setup via IdP metadata XML.
  </Card>
</CardGroup>

<Note>
  Provider-specific templates (Okta, Microsoft Entra ID, Google Workspace, Auth0, OneLogin) appear in the IdP picker as **Coming Soon** and are not yet selectable. Use the Generic OIDC or Generic SAML guide above — both protocols are fully supported with any compliant provider.
</Note>

## Setup checklist

<Steps>
  <Step title="Verify a domain">
    Add an email domain in **Settings → Domains** and prove ownership by publishing a DNS TXT record. See [Verify a Domain](/firmly-connect/sso/domain-verification).
  </Step>

  <Step title="Add an Identity Provider">
    Open **Settings → Single Sign-On**, click **Add Identity Provider**, and choose [Generic OIDC](/firmly-connect/sso/generic-oidc) or [Generic SAML 2.0](/firmly-connect/sso/generic-saml).
  </Step>

  <Step title="Bind the IdP to your verified domains">
    On the IdP configuration form, select one or more verified domains under **Authorized Domains**. At least one domain must be bound before the IdP can be enabled.
  </Step>

  <Step title="Enable the IdP and test the connection">
    Turn the **Enabled** toggle on, then click **Test Connection** to perform a live round trip through your IdP. Confirm the test succeeds before moving on.
  </Step>

  <Step title="Enforce SSO on the domain">
    Return to **Settings → Domains** and turn the **SSO Enforced** toggle on for each domain you want to lock down. See [enforcement details](/firmly-connect/sso/domain-verification#enforce-sso-for-the-domain).
  </Step>
</Steps>

## Next steps

<CardGroup cols={2}>
  <Card title="Verify a Domain" icon="at" href="/firmly-connect/sso/domain-verification">
    Register and prove ownership of an email domain.
  </Card>

  <Card title="Configure Generic OIDC" icon="fingerprint" href="/firmly-connect/sso/generic-oidc">
    Set up an OpenID Connect Identity Provider.
  </Card>

  <Card title="Configure Generic SAML" icon="shield" href="/firmly-connect/sso/generic-saml">
    Set up a SAML 2.0 Identity Provider.
  </Card>
</CardGroup>
