---
title: Single Sign-On | Keycard
description: Configure SSO for your Keycard organization
---

Keycard supports any OIDC identity provider, including Okta and Azure Entra ID. Users are automatically provisioned Just-in-Time (JIT) on first login.

## Prerequisites

- Admin access to your Keycard organization
- Admin access to your identity provider

## Setup

### Step 1: Configure your identity provider

#### Okta

1. In your Okta Admin Console, go to **Applications** > **Create App Integration**
2. Select **OIDC - OpenID Connect** and **Web Application**
3. Configure the application:
   - **Sign-in redirect URIs**: `https://id.keycard.ai/oauth/2/redirect`
4. Save the **Client ID**, **Client Secret**, and **Issuer** (found in your Okta domain, e.g., `https://your-domain.okta.com`)

#### Azure Entra ID

1. In the Azure Portal, go to **Microsoft Entra ID** > **App registrations** > **New registration**
2. Configure the application:
   - **Name**: Choose a name for your app
   - **Supported account types**: **Accounts in this organizational directory only (Single tenant)**
   - **Redirect URI**: Select **Web** and enter `https://id.keycard.ai/oauth/2/redirect`
3. After creation, go to **Certificates & secrets** and create a new client secret
4. Save the **Application (client) ID**, **Client Secret**, and **Issuer** (`https://login.microsoftonline.com/<tenant-id>/v2.0`)

#### Generic OIDC

Create an OAuth 2.0 / OIDC application in your identity provider with these settings:

- **Application type**: Web application
- **Redirect URI**: `https://id.keycard.ai/oauth/2/redirect`
- **Grant types**: Authorization Code

Save the **Client ID**, **Client Secret**, and **Issuer** URL.

### Step 2: Link identity provider to Keycard

Configure an SSO connection from your organization’s settings page in the Keycard Console, accessible via the organization switcher at the top of the sidebar, or via the [Keycard Terraform provider](https://registry.terraform.io/providers/keycardai/keycard/latest/docs) with your identity provider’s Issuer URL, Client ID, and Client Secret.

### Step 3: Test authentication

1. Test login through your identity provider dashboard (see [Login from Your Identity Provider](#login-from-your-identity-provider) for setup)
2. Confirm successful login and user creation

Your SSO is now configured. Users can log in from your identity provider dashboard.

## User Roles and Access

When users log in via SSO for the first time, they are automatically provisioned with the **Organization Member** role. This role provides no organization-level access by default. Users must be explicitly granted access to specific zones.

To grant SSO users administrator access or assign them to zones, an Organization Administrator using a non-SSO account must update their roles after their first login. See [Roles & Permissions](/admin/roles-and-permissions/index.md) for details on role management.

**Tip:** As noted in [Emergency Access](#emergency-access), maintain at least one email/password administrator account (not managed by SSO) for managing SSO user roles and emergency access scenarios.

## Domain Verification (Optional)

Domain verification enables a seamless login experience at [console.keycard.ai](https://console.keycard.ai).

**Without verification**: Users access Keycard through your identity provider dashboard (Okta tiles, Azure My Apps)

**With verification**: Users enter their email at console.keycard.ai and are automatically redirected to your identity provider

To request verification, email <help@keycard.ai> with your organization name and the domain to verify. Keycard will verify you control the domain before enabling this feature.

**After verification**:

- Users with your verified email address domain must authenticate through your identity provider
- Entering an email with a verified domain automatically redirects to your identity provider

*Note: The same domain cannot be reused across multiple organizations.*

### Emergency Access

For emergency access when your identity provider is unavailable, administrators can use this URL:

```
https://id.keycard.ai/openid/connect/login?tenant=personal&iss=https://id.keycard.ai&target_link_uri=https://console.keycard.ai
```

This enables non-SSO email/password accounts to authenticate.

**Note:** Maintain at least one email/password account (not managed by SSO) in your Keycard organization for emergency access if your identity provider becomes unavailable.

## Login from Your Identity Provider

To enable users to log in from your identity provider dashboard (Okta tiles, Azure My Apps), configure your identity provider with a login initiation URL.

**URL format**:

```
https://id.keycard.ai/openid/connect/login?iss=<issuer>&target_link_uri=https://console.keycard.ai&tenant=<org-id>
```

**Parameters**:

- `iss`: Your identity provider’s issuer URL
- `target_link_uri`: Where to redirect after login (e.g., `https://console.keycard.ai` or a specific page)
- `tenant`: Your Keycard organization ID (found in the Console under your organization settings page)

#### Okta

In your Okta application settings, set the **Initiate login URI** to:

```
https://id.keycard.ai/openid/connect/login?target_link_uri=https://console.keycard.ai&tenant=<org-id>
```

Okta automatically includes the `iss` parameter, so you only need to specify `target_link_uri` and `tenant`. Replace `<org-id>` with your Keycard organization ID.

#### Azure Entra ID

In your Azure application settings, set the **Home page URL** to:

```
https://id.keycard.ai/openid/connect/login?iss=https://login.microsoftonline.com/<tenant-id>/v2.0&target_link_uri=https://console.keycard.ai&tenant=<org-id>
```

Replace `<tenant-id>` with your Azure tenant ID and `<org-id>` with your Keycard organization ID.

#### Generic OIDC

Configure your identity provider's application launch URL or home page URL to:

```
https://id.keycard.ai/openid/connect/login?iss=<your-issuer-url>&target_link_uri=https://console.keycard.ai&tenant=<org-id>
```

Replace `<your-issuer-url>` with your identity provider's issuer URL and `<org-id>` with your Keycard organization ID.
