# SAML SSO

{% hint style="info" %}
**Prerequisites for SSO with Birdie:**

* Your company’s identity provider (IdP) must support the **SAML 2.0** standard.
* You must have admin permission on the IdP.
* You must be an admin of the Birdie organization you want to set SAML up on.
* Disable [Two-factor authentication](/birdie-docs/security/two-factor-authentication.md) for your Birdie workspace.
{% endhint %}

**SAML-based Single Sign-On** (SSO) gives members access to Birdie through an identity provider (IdP) of your choice.

## Setup on Birdie <a href="#setup-on-gitbook" id="setup-on-gitbook"></a>

Once you have configured SSO on your IdP, enter its metadata in Birdie. If the setup is successful, administrators will see a confirmation dialog and the SSO login URL for end-users will be displayed.

Please note that **Birdie does not send announcement emails when the setup is complete**. It is the responsibility of the administrator to notify company employees and provide them with the login URL so they can access Birdie via SSO.

<figure><img src="/files/GiVAUrKQg1h05EprcI2V" alt=""><figcaption><p>Enable SAML-based SSO</p></figcaption></figure>

You'll need the following from your IdP metadata to register a SAML provider:

* A **label** – this can be anything, it'll be displayed on the login page
* A **domain** name
* An **entity ID**
* A **Single Sign On URL**
* An **X.509 certificate** – make sure you copy and paste the whole certificate!

## Setup on the IdP <a href="#setup-on-the-idp" id="setup-on-the-idp"></a>

To set up Birdie as a service provider, most SAML 2.0 compliant identity providers require specific information. This information is unique to your Birdie account and can be found in [Settings -> Security](https://app.birdie.so/settings/security).

<figure><img src="/files/aklPrPv48nPW6DooYRX6" alt=""><figcaption></figcaption></figure>

Most of these values can be copied directly into your IdP to complete configuration of SAML.

Birdie requires that the **NameID** contain the user’s email address. Technically we are looking for <mark style="color:orange;">`urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress`</mark> as the NameID format – many providers (such as Google) will allow you to set a format such as **EMAIL**.

### Custom Attributes

Birdie will pull the following custom attributes from the SAML assertion and use them when creating the user.

| Field        | Description                                                                                             |
| ------------ | ------------------------------------------------------------------------------------------------------- |
| `first_name` | `first_name` and `last_name` fields will be combined to produce the display name for the user in Birdie |
| `last_name`  | `first_name` and `last_name` fields will be combined to produce the display name for the user in Birdie |
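As an added example (not Birdie's own code), a Python pre-flight check an administrator can run over an assertion captured from an IdP test login to confirm it meets the NameID-format, lowercase-email and `first_name`/`last_name` requirements described above. The sample assertion, issuer and user values are constructed; it inspects content only and does not verify the XML signature.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# The NameID format Birdie expects (from the page).
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample assertion: issuer, ID and user are made up, and it
# carries no Signature element (signature checks are the service provider's job).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="first_name"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="last_name"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_assertion(xml_text):
    """Return (ok, problems, profile) for one SAML 2.0 assertion document."""
    root = ET.fromstring(xml_text)
    problems = []
    name_id = root.find("./saml:Subject/saml:NameID", NS)
    if name_id is None:
        return False, ["missing NameID"], None
    fmt = name_id.get("Format")
    email = (name_id.text or "").strip()
    if fmt != EMAIL_FORMAT:
        problems.append(f"NameID Format is {fmt!r}, expected {EMAIL_FORMAT!r}")
    if email != email.lower():
        problems.append(f"email {email!r} is not lowercase")
    # Collect custom attributes; Birdie combines first_name and last_name.
    attrs = {}
    for attr in root.findall("./saml:AttributeStatement/saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        attrs[attr.get("Name")] = (value.text or "").strip() if value is not None else ""
    for required in ("first_name", "last_name"):
        if not attrs.get(required):
            problems.append(f"missing custom attribute {required!r}")
    display_name = f"{attrs.get('first_name', '')} {attrs.get('last_name', '')}".strip()
    return not problems, problems, {"email": email, "display_name": display_name}


if __name__ == "__main__":
    ok, problems, profile = check_assertion(SAMPLE_ASSERTION)
    print("OK" if ok else "PROBLEMS", problems, profile)
```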

## Creating end-user accounts <a href="#creating-end-user-account" id="creating-end-user-account"></a>

To add members, create accounts for them in your IdP. The first time a new member logs in to Birdie via the IdP, a Birdie account will be automatically created for them through IdP provisioning.

{% hint style="danger" %}
Set-up requires lowercase email addresses. Do not use mixed-case email addresses.
{% endhint %}

By default, members are added with the agent role. If you want a member to be an admin, you need to change their role via the Birdie [team members page](https://app.birdie.so/team).

## Removing accounts <a href="#removing-end-user-accounts" id="removing-end-user-accounts"></a>

When you remove a member from the Identity Provider (IdP), they will no longer be able to sign in to their corresponding Birdie account. However, **this action will not delete the account from Birdie**. To prevent further cookie-based access, we recommend that you manually remove the account from the member list in your [Birdie Team settings page](https://app.birdie.so/team).

## Security notice <a href="#security-notice" id="security-notice"></a>

For security reasons, users who signed up for Birdie before SSO was set up will need to log in using SSO. \
Also note that activating your own SSO will prevent users from signing in with the generic Birdie Google Sign-in button.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.birdie.so/birdie-docs/security/saml-sso.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
