# SAML {% hint style="danger" %} Please note: if OIDC mode has ben configured before, you must **reset the Client ID field to**** ****`0`**** ****in the OIDC tab and save** before proceeding.

Failure to do so will prevent proper SAML configuration. This behavior is known and will be addressed in future releases. {% endhint %} {% tabs %} {% tab title="General configuration" %} ### Configure CISO Assistant with SAML Once you've retrieved the **IdP Entity ID,** the **Metadata URL** and the **Entity ID** from your provider (see the list of providers for specific details), the configuration on CISO Assistant is pretty simple. 1. Log in into CISO Assistant as an **administrator > Extra > Settings**

2. **Enable SSO**

3. Enter the **Idp Entity ID**

4. Choose the option 1 or 2 depending of your provider and fill **Metadata URL** or **SSO URL**, **SLO URL**, **x509 certificate** retrieved from your provider

5. Check that the **SP Entity ID** is similar to the **Entity/Client ID** specified on your provider

6. And that's it! Don't forget to save changes 7. You should now be able to see the **Login with SSO** button

{% endtab %} {% tab title="Advanced settings" %} * **Allow single label domains**: This allows you to authenticate through SAML on a single-label domain (e.g. `https://ciso-assistant:8443`). If this is left unchecked, the only host forms allowed are: * IPv4 * IPv6 * FQDN (e.g. ) * `localhost` * **Authn request signed**: allows the Service Provider (SP) to digitally sign the SAML authentication request sent to the Identity Provider (IdP). This option should be enabled if your IdP requires signed authentication requests or if you are looking to enforce additional security on SAML authentication flows:

{% endtab %} {% endtabs %} {% hint style="warning" %} Be aware that the user needs to be created on CISO Assistant to be authenticated with SSO. {% endhint %}