# SSO & SAML

> Single Sign-On configuration — connect Juno to your identity provider.

export const InternalNote = ({children}) => {
  const [isInternal, setIsInternal] = useState(false);
  useEffect(() => {
    const user = window.__mintlify_user__;
    if (user?.groups?.includes("internal")) setIsInternal(true);
  }, []);
  if (!isInternal) return null;
  return <div className="internal-note">
      <strong className="internal-note-title">🔒 Internal Note</strong>
      <div>{children}</div>
    </div>;
};

## What is SSO?

**Single Sign-On (SSO)** lets your employees log into Juno using their existing company credentials — no separate Juno password needed. Juno supports SAML 2.0 SSO with any compatible identity provider.

***

## Supported providers

Juno works with any SAML 2.0 identity provider, including:

* **Okta**
* **Microsoft Azure AD / Entra ID**
* **Google Workspace**
* **OneLogin**
* **Any SAML 2.0 compliant IdP**

***

## How it works for users

1. Navigate to your organization's Juno URL
2. Click **Sign in with SSO** (or your provider name)
3. You're redirected to your company's identity provider
4. Authenticate with your company credentials
5. You're redirected back to Juno — logged in

No separate password needed. Your Juno account is linked to your company identity.

***

## Setting up SSO (admins)

Configure SSO at **Admin → Security → SSO Settings**:

1. **Get your IdP metadata** — download SAML metadata from your identity provider
2. **Configure in Juno**:
   * **Entry Point** — your IdP's SSO URL
   * **Certificate** — IdP's signing certificate (PEM format, without headers)
   * **Issuer** — Juno's entity ID (provided to your IdP)
   * **Callback URL** — where the IdP sends the SAML assertion back
3. **Set attribute mapping** — map IdP fields to Juno fields (email, first name, last name)
4. **Test** — try logging in with a non-admin account before rolling out

<InternalNote>
  SAML config stored in `TenantAuth.saml`. Key fields: `cert`, `entryPoint`, `issuer`, `callbackUrl`, `attributesMapping`, `logoutUrl`. Enable `logProfile: true` to log full SAML assertions for debugging. The tenant ID in SAML config must exactly match the Firebase tenant ID and MongoDB org slug. Role mapping: if IdP sends `Juno.admin` in attributes, user gets Admin role (5). See [SSO Troubleshooting runbook](/internal/runbooks/sso-troubleshooting) for diagnosis flow.
</InternalNote>
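
Steps 1 and 2 above, as an added example (not Juno's own code): a Python script that reads downloaded IdP SAML metadata, extracts the values for the **Entry Point** and **Certificate** fields, strips PEM headers as the Certificate field requires, and rejects an SSO URL that is not HTTPS. The function names and the sample metadata are constructed for illustration; Issuer and Callback URL are not part of the IdP metadata and are not handled here.

```python
import base64
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
BINDINGS = ("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",  # preferred
            "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST")


def normalize_cert(pem_or_b64):
    """Return the certificate as one base64 line with PEM headers removed."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----|\s", "", pem_or_b64 or "")
    der = base64.b64decode(body, validate=True)  # raises on non-base64 input
    if not der.startswith(b"\x30"):  # DER X.509 begins with a SEQUENCE tag
        raise ValueError("certificate is not DER-encoded X.509")
    return body


def sso_fields_from_metadata(xml_text):
    """Extract the Entry Point and Certificate values from IdP metadata."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("metadata must not contain a DTD")
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor (is this SP metadata?)")
    locations = {s.get("Binding"): s.get("Location")
                 for s in idp.findall("md:SingleSignOnService", NS)}
    entry_point = next((locations[b] for b in BINDINGS if b in locations), None)
    if not entry_point or urlparse(entry_point).scheme != "https":
        raise ValueError("IdP SSO URL missing or not HTTPS")
    certs = [normalize_cert(c.text)
             for kd in idp.findall("md:KeyDescriptor", NS)
             if kd.get("use") in (None, "signing")  # no 'use' covers signing
             for c in kd.findall(".//ds:X509Certificate", NS)]
    if not certs:
        raise ValueError("no signing certificate in metadata")
    return {"entry_point": entry_point, "certificates": certs}


# Constructed sample: placeholder IdP URLs and a dummy blob, not a real cert.
SAMPLE_CERT = base64.b64encode(b"\x30\x82\x00\x10" + bytes(16)).decode()
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{NS['md']}" entityID="urn:example:idp">
<IDPSSODescriptor><KeyDescriptor use="signing"><KeyInfo xmlns="{NS['ds']}"><X509Data>
<X509Certificate>{SAMPLE_CERT}</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
<SingleSignOnService Binding="{BINDINGS[1]}" Location="https://idp.example.com/sso"/>
</IDPSSODescriptor></EntityDescriptor>"""
```

If the metadata lists more than one signing certificate, the IdP is usually mid-rotation; confirm with the IdP admin which one is current before pasting it into Juno.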

***

## Auto-provisioning

When SSO is configured with allowed email domains, new users who authenticate via SSO are automatically provisioned in Juno with the default Learner role. No manual account creation needed.

***

## Troubleshooting

For SSO login failures, see [Login Issues](/troubleshooting/login-issues#sso-login-fails-or-redirects-to-an-error-page).
