# SAML 2.0 Configuration

> You need to [**activate**](/enterprise-platform/access-management/manage-organizations.md#activating-an-organization) your organization before you proceed with custom IDP SSO setup.

## SAML identity provider

On the **Organization Settings** page of the [Dashboard](https://docs.verygoodsecurity.com/card-management) you will find the main VGS service provider details needed to configure SAML identity providers such as *Okta*, Google, etc.

* **ACS URL** - VGS service provider endpoint (URL) that is responsible for receiving and parsing a SAML assertion. Keep in mind that some identity providers use a different term for the ACS.
* **ENTITY ID** - a globally unique name for VGS Service Provider (SP).
* **LOGIN URL** - the URL you will use to log in to the Dashboard with your identity provider.
* **METADATA URL** - a set of information supplied by the IdP to our SP, and/or vice versa, in XML format. This needs to be provided to VGS.

<figure><img src="/files/ODGZYD9KpbuV1ZwActJo" alt=""><figcaption></figcaption></figure>

> If your identity provider does not provide a **METADATA URL**, contact our support at [support@vgs.io](mailto:support@verygoodsecurity.com) and provide your IDP configuration details.

## Integration

You can configure any identity provider that supports SAML 2.0. You can also use one of the manuals listed below:

* [Okta](/enterprise-platform/access-management/enterprise-identity-providers/okta.md)
* [Google Workspace](/enterprise-platform/access-management/enterprise-identity-providers/google-workspace.md)
* [Azure Active Directory](/enterprise-platform/access-management/enterprise-identity-providers/azure-active-directory.md)

Once you have configured your IDP, copy and paste its **METADATA URL** and press `Save`. After that, enable **SAML SSO** login with the toggle to start using it.

<figure><img src="/files/looHoaQDqdwS1yijfDE7" alt=""><figcaption></figcaption></figure>

> After you've enabled **SAML SSO Login** you will be able to log in to the Dashboard via the **LOGIN URL**.

## Verify SSO

1. Open the **LOGIN URL** that you copied from **Organization Settings**. It should automatically redirect you to the IDP sign-in page.
2. Enter your username and password. After a successful authentication, you will be redirected back to VGS Dashboard.

## Restricting access to SSO-only logins

Only users logging in with your configured IDP will be able to access your organization. Users logging in with username/password, or with a different IDP, will be denied access to your organization.

To enable **SSO-only** login you need to follow these simple steps:

* Log in with your IDP via the **LOGIN URL**.
* Enable the `Require organization members to sign in using SAML SSO` toggle on the **Organization Settings** page.

  <figure><img src="/files/stSrdgu4mJJh84YLSSpS" alt=""><figcaption></figcaption></figure>
* Now access to your organization is restricted to only those users that have logged in using your IDP via **LOGIN URL**.

> You may want to use this feature to be sure that users removed from your IDP can no longer see Organization details.


