# SAML SSO

{% hint style="info" %}
**Prerequisites for SSO with Birdie:**

* Your company’s identity provider (IdP) must support the **SAML 2.0** standard.
* You must have admin permission on the IdP.
* You must be an admin of the Birdie organization you want to set SAML up on.
* Disable [Two-factor authentication](https://docs.birdie.so/birdie-docs/security/two-factor-authentication) for your Birdie workspace
{% endhint %}

**SAML-based Single Sign-On** (SSO) gives members access to Birdie through an identity provider (IdP) of your choice.

## Setup on Birdie <a href="#setup-on-gitbook" id="setup-on-gitbook"></a>

Once you have configured SSO on your IdP, you can enter the IdP metadata in Birdie. If the setup is successful, administrators will see a confirmation dialog, and the SSO login URL for end-users will be displayed.

Please note that **Birdie does not send announcement emails when the setup is complete**. It is the responsibility of the administrator to notify company employees and provide them with the login URL so they can access Birdie via SSO.

<figure><img src="https://3843507234-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FECPgvsGwy5oMz4WIZw3a%2Fuploads%2FEScryYCR6npUKaztLZgL%2Fsaml%20sso.gif?alt=media&#x26;token=d3a9057b-2018-4dd8-a059-0e8d9cc946ae" alt=""><figcaption><p>Enable SAML-based SSO</p></figcaption></figure>

You'll need the following from your IdP metadata to register a SAML provider:

* A **label** – this can be anything, it'll be displayed on the login page
* A **domain** name
* An **entity ID**
* A **Single Sign On URL**
* An **X.509 certificate** – make sure you copy and paste the whole certificate!

## Setup on the IdP <a href="#setup-on-the-idp" id="setup-on-the-idp"></a>

To set up Birdie as a service provider, most SAML 2.0 compliant identity providers require specific information. This information is unique to your Birdie account and can be found in [Settings -> Security](https://app.birdie.so/settings/security).

<figure><img src="https://3843507234-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FECPgvsGwy5oMz4WIZw3a%2Fuploads%2Ff0frUq2e9M7U8HNWcGuj%2Fsso%20saml.png?alt=media&#x26;token=0b8d6570-4d68-495e-9150-de389fc46559" alt=""><figcaption></figcaption></figure>

Most of these values can be copied directly into your IdP to complete configuration of SAML.

Birdie requires that the **NameID** contain the user’s email address. Technically, we are looking for <mark style="color:orange;">`urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress`</mark> as the NameID format – many providers (such as Google) will allow you to set a format such as **EMAIL**.

### Custom Attributes

Birdie will pull the following custom attributes from the SAML assertion in the IdP response and use them when creating the user.

| Field        | Description                                                                                             |
| ------------ | ------------------------------------------------------------------------------------------------------- |
| `first_name` | `first_name` and `last_name` fields will be combined to produce the display name for the user in Birdie |
| `last_name`  | `first_name` and `last_name` fields will be combined to produce the display name for the user in Birdie |

## Creating end-user accounts <a href="#creating-end-user-account" id="creating-end-user-account"></a>

To add members, create accounts for them in your IdP. The first time a new member logs in to Birdie via the IdP, a Birdie account will be automatically created for them through IdP provisioning.

{% hint style="danger" %}
Set-up requires lowercase email addresses. Do not use mixed-case email addresses.
{% endhint %}
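As an added example (not Birdie's own code), the following Python function checks a SAML assertion against the requirements described above: the `emailAddress` NameID format, the `first_name` and `last_name` attributes combined into the display name, and the lowercase email rule. The sample assertion is constructed and unsigned for illustration; element names follow the SAML 2.0 assertion schema, and signature verification is assumed to have happened before this check.

```python
"""Check a SAML assertion against Birdie's stated requirements.

Added example, not Birdie's code. The assertion below is constructed for
illustration and is not a real IdP response. A real service provider must
verify the assertion signature before trusting any of these values, and
should parse untrusted XML with defusedxml rather than the stdlib parser.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample assertion (unsigned, illustration only).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="first_name"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="last_name"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_assertion(xml_text):
    """Return (ok, problems, profile); profile holds the email and display name."""
    root = ET.fromstring(xml_text)
    problems = []
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        return False, ["no NameID in Subject"], {}
    # NameID must carry the email address in the emailAddress format.
    if name_id.get("Format") != EMAIL_FORMAT:
        problems.append(f"NameID format is {name_id.get('Format')!r}, expected emailAddress")
    email = (name_id.text or "").strip()
    # Mixed-case addresses are rejected, matching the set-up rule above.
    if email != email.lower():
        problems.append(f"email {email!r} is not lowercase")
    # Collect the custom attributes Birdie reads when creating the user.
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        attrs[attr.get("Name")] = (value.text or "").strip() if value is not None else ""
    for required in ("first_name", "last_name"):
        if not attrs.get(required):
            problems.append(f"missing custom attribute {required}")
    display_name = " ".join(v for v in (attrs.get("first_name"), attrs.get("last_name")) if v)
    return not problems, problems, {"email": email, "display_name": display_name}
```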

By default, members are added with the agent role. If you want a member to be an admin, you need to change their role via the Birdie [team members page](https://app.birdie.so/team).

## Removing accounts <a href="#removing-end-user-accounts" id="removing-end-user-accounts"></a>

When you remove a member from the Identity Provider (IdP), they will no longer be able to sign in to their corresponding Birdie account. However, **this action will not delete the account from Birdie**. To prevent further cookie-based access, we recommend that you manually remove the account from the member list in your [Birdie Team settings page](https://app.birdie.so/team).

## Security notice <a href="#security-notice" id="security-notice"></a>

For security reasons, users who signed up for Birdie before SSO was set up will need to log in using SSO. \
Also please note that activating your own SSO will prevent users from signing in with our generic Birdie default Google Sign-in button.
