---
title: "How to Setup SSO"
description: "Configure Single Sign-On (SSO) to enable secure, centralized authentication for your Activepieces platform"
icon: 'key'
---
## Overview
Single Sign-On (SSO) allows your team to authenticate using your organization's existing identity provider, eliminating the need for separate Activepieces credentials. This improves security, simplifies user management, and provides a seamless login experience.
## Prerequisites
Before configuring SSO, ensure you have:
- **Admin access** to your Activepieces platform
- **Admin access** to your identity provider (Google, GitHub, Okta, or JumpCloud)
- The **redirect URL** from your Activepieces SSO configuration screen
## Accessing SSO Configuration
Navigate to **Platform Settings** → **SSO** in your Activepieces admin dashboard to access the SSO configuration screen.
## Enforcing SSO
You can enforce SSO by specifying your organization's email domain. When SSO enforcement is enabled:
- Users with matching email domains must authenticate through the SSO provider
- Email/password login can be disabled for enhanced security
- All authentication is routed through your designated identity provider
We recommend testing SSO with a small group of users before enforcing it organization-wide.
## Supported SSO Providers
Activepieces supports multiple SSO providers to integrate with your existing identity management system.
### Google
Go to the [Google Cloud Console](https://console.cloud.google.com/) and select your project (or create a new one).
Navigate to **APIs & Services** → **Credentials** → **Create Credentials** → **OAuth client ID**.
Select **Web application** as the application type.
Copy the **Redirect URL** from the Activepieces SSO configuration screen and add it to the **Authorized redirect URIs** in Google Cloud Console.
Copy the **Client ID** and **Client Secret** from Google and paste them into the corresponding fields in Activepieces.
Click **Finish** to complete the setup.
### GitHub
Go to [GitHub Developer Settings](https://github.com/settings/developers) → **OAuth Apps** → **New OAuth App**.
Fill in the application details:
- **Application name**: Choose a recognizable name (e.g., "Activepieces SSO")
- **Homepage URL**: Enter your Activepieces instance URL
Copy the **Redirect URL** from the Activepieces SSO configuration screen and paste it into the **Authorization callback URL** field.
Click **Register application** to create the OAuth App.
After registration, click **Generate a new client secret** and copy it immediately (it won't be shown again).
Copy the **Client ID** and **Client Secret** and paste them into the corresponding fields in Activepieces.
Click **Finish** to complete the setup.
### SAML with Okta
Go to the [Okta Admin Portal](https://login.okta.com/) → **Applications** → **Create App Integration**.
Choose **SAML 2.0** as the sign-on method and click **Next**.
Enter an **App name** (e.g., "Activepieces") and optionally upload a logo. Click **Next**.
- **Single sign-on URL**: Copy the SSO URL from the Activepieces configuration screen
- **Audience URI (SP Entity ID)**: Enter `Activepieces`
- **Name ID format**: Select `EmailAddress`
Add the following attribute mappings:
| Name | Value |
|------|-------|
| `firstName` | `user.firstName` |
| `lastName` | `user.lastName` |
| `email` | `user.email` |
Click **Next**, select the appropriate feedback option, and click **Finish**.
Go to the **Sign On** tab → **View SAML setup instructions** or **View IdP metadata**. Copy the Identity Provider metadata XML.
- Paste the **IdP Metadata** XML into the corresponding field
- Copy the **X.509 Certificate** from Okta and paste it into the **Signing Key** field
Click **Save** to complete the setup.
### SAML with JumpCloud
Go to the [JumpCloud Admin Portal](https://console.jumpcloud.com/) → **SSO Applications** → **Add New Application** → **Custom SAML App**.
Copy the **ACS URL** from the Activepieces configuration screen and paste it into the **ACS URLs** field in JumpCloud.
Set the **SP Entity ID** (Audience URI) to `Activepieces`.
Configure the following attribute mappings:
| Service Provider Attribute | JumpCloud Attribute |
|---------------------------|---------------------|
| `firstName` | `firstname` |
| `lastName` | `lastname` |
| `email` | `email` |
JumpCloud does not include the `HTTP-Redirect` binding by default. You **must** enable this option.
Without HTTP-Redirect binding, the SSO integration will not work correctly.
Click **Save**, then refresh the page and click **Export Metadata**.
Verify that the exported XML contains `Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"` to ensure the binding was properly enabled.
Paste the exported metadata XML into the **IdP Metadata** field in Activepieces.
Locate the `` element in the IdP metadata and extract its value. Format it as a PEM certificate:
```
-----BEGIN CERTIFICATE-----
[PASTE THE CERTIFICATE VALUE HERE]
-----END CERTIFICATE-----
```
Paste this into the **Signing Key** field.
In JumpCloud, assign the application to the appropriate users or user groups.
Click **Finish** to complete the setup.
## Troubleshooting
- Verify the redirect URL is correctly configured in your identity provider
- Ensure users are assigned to the application in your identity provider
- Check that email domains match the SSO enforcement settings
- Confirm the IdP metadata is complete and correctly formatted
- Verify the signing certificate is properly formatted with BEGIN/END markers
- Ensure all required attributes (firstName, lastName, email) are mapped
- Enable the HTTP-Redirect binding option in JumpCloud
- Re-export the metadata after enabling the binding
- Verify the binding appears in the exported XML
## Need Help?
If you encounter issues during SSO setup, please contact our enterprise support or [sales team](https://www.activepieces.com/sales).