# SSO

## Configure SSO

SSO allows you to easily authenticate content authors. You configure SSO using the Web UI.

{% hint style="info" %}
SSO is currently limited to organizations that create and manage Instruqt content. End-user authentication (for learners) is on the product roadmap.
{% endhint %}

{% hint style="info" %}
Callback URL that should be configured on the identity provider: <https://sso.play.instruqt.com/login/callback>
{% endhint %}

{% tabs %}
{% tab title="🌐 Web UI" %}

1. Navigate to **Team Settings** → **SSO**.
2. Select the applicable SSO provider for your team. Please contact the support team if the provider used by your team is not available.
3. Upon selecting a provider a drawer will appear for you to fill in the data related to your connection. In this example we are using **Google Workspace**. The values for **Domain**, **Client ID** and **Client Secret** must be obtained from your provider.<br>

   <figure><img src="https://2094212015-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MGJDYBXyftBAZb1Wq0e%2Fuploads%2FpS1U14EcFVn1kW4I3nEY%2FScreenshot%202023-07-10%20at%2011.51.20.png?alt=media&#x26;token=6196a997-4011-4d96-974e-4fa5b61215e6" alt=""><figcaption></figcaption></figure>
4. After setting up the provider the URL provided in the management page will work for all team members. Clicking the link will copy it to your clipboard.\
   example login URL: `https://play.instruqt.com/{team-name}/login`
5. Upon navigating to the login URL users will get prompted to authenticate through the configured provider of your team.

{% hint style="info" %}
Users are automatically assigned to the team the they authenticate with. A user that wasn't part of the team yet will be assigned the **Member** role within that team.
{% endhint %}
{% endtab %}
{% endtabs %}

***

## FAQ

<details>

<summary>Can I swap my SSO Providers?</summary>

Yes. We use the returned email address from the SSO provider as the identity of the user. If the new SSO provider returns the same email for the same user, then the accounts to stay the same inside of Instruqt.

Please contact our support if you need further guidance and/or would like to test this.

</details>

<details>

<summary>Are users provisioned on demand?</summary>

Yes. At present all users are created with the role "Member" when logging in with SSO and when a matching email cannot be found.

</details>

<details>

<summary>Is de-provisioning supported?</summary>

Not at this time. If your use case requires de-provisioning, we encourage you to contact our support team and share your request with us.

</details>