> ## Documentation Index
> Fetch the complete documentation index at: https://docs.gavai.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Single Sign-On (SSO)

> Set up SAML SSO for your gavAI workspace

gavAI supports SAML 2.0 SSO on Scale and Enterprise plans. Configure your identity provider once, then your members sign in with their existing corporate credentials.

## Pick your IdP

* [Okta](/integrations/sso/okta)
* [Microsoft Entra ID (Azure AD)](/integrations/sso/entra)
* [Google Workspace](/integrations/sso/google)
* [Generic SAML 2.0](/integrations/sso/generic)

## What gavAI needs from you

After provisioning the IdP-side application, you'll submit three values in `/console/settings/sso/new`:

* **Metadata URL** — the IdP's SAML metadata XML endpoint.
* **Entity ID** — gavAI's SP entity ID (shown in the wizard).
* **Domain(s)** — the email domain(s) your members sign in with (e.g. `acme.com`). gavAI routes those email addresses to your IdP at sign-in.

After you submit, gavAI verifies each domain via a DNS TXT record, then activates SSO.

## What gavAI sends back

Your IdP receives a SAML AuthnRequest with:

* Audience: gavAI's SP entity ID (workspace-scoped).
* NameID format: emailAddress.
* AssertionConsumerService URL: shown in the wizard.

## Just-in-time provisioning

The first time a user signs in via SSO, gavAI creates their account and joins them to the workspace with the default role (`member`). Admins can promote them in `/console/members`.

For automated lifecycle (deprovisioning when an employee leaves), use [SCIM](/integrations/scim) alongside SSO.
