# Generic SAML 2.0 SSO

> Configure SSO with any SAML 2.0-compatible Identity Provider

Forest supports any Identity Provider that implements the SAML 2.0 specification.

<Info>
  You must be an Organization Owner.
</Info>

## Step 1: Configure your Identity Provider

Declare Forest as a Service Provider in your IdP using these values:

| Setting                | Value                                           |
| ---------------------- | ----------------------------------------------- |
| Callback URL / ACS URL | `https://api.forestadmin.com/api/saml/callback` |
| Sign on URL            | `https://api.forestadmin.com/api/saml/callback` |
| Logout URL             | `https://app.forestadmin.com/login`             |
| Audience (EntityID)    | Displayed in your Forest Organization settings  |

## Step 2: Configure Forest

In your Organization settings → **Security** tab, configure Forest with your IdP's information.

**Option 1: XML metadata endpoint (recommended)**

Provide the URL to your IdP's metadata XML endpoint. This supports automatic certificate rotation without service interruption.

**Option 2: XML file upload**

Upload the metadata XML file generated by your IdP.

**Option 3: Manual input**

Enter the following values manually:

* Login endpoint
* Logout endpoint
* Valid certificate
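
The three values for Option 3 can be read from the metadata XML your IdP publishes. The sketch below is an added example, not Forest's own code: it assumes standard SAML 2.0 metadata and runs on a constructed sample (`idp.example.com` and the certificate value are placeholders). The function name `manual_input_values`, the HTTPS check and the DTD refusal are this example's own choices.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample: placeholder host, and the base64 is not a real certificate.
SAMPLE_METADATA = """<md:EntityDescriptor entityID="https://idp.example.com/saml"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>UExBQ0VIT0xERVItTk9ULUEtUkVBTC1DRVJU</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.com/saml/slo"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.com/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def manual_input_values(metadata_xml):
    """Return login endpoint, logout endpoint, signing certificates and problems."""
    if "<!DOCTYPE" in metadata_xml:
        raise ValueError("metadata with a DTD is refused")
    idp = ET.fromstring(metadata_xml).find(".//md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    problems = []

    def endpoint(tag):
        node = idp.find(f"md:{tag}", NS)  # first listed binding wins
        url = node.get("Location") if node is not None else None
        if url is None:
            problems.append(f"{tag} missing")
        elif not url.startswith("https://"):
            problems.append(f"{tag} is not HTTPS: {url}")
        return url

    certs = []
    for key in idp.findall("md:KeyDescriptor", NS):
        if key.get("use", "signing") != "signing":
            continue  # encryption-only keys do not verify assertions
        for node in key.findall(".//ds:X509Certificate", NS):
            b64 = "".join((node.text or "").split())
            base64.b64decode(b64, validate=True)  # raises on corrupted base64
            certs.append(b64)
    if not certs:
        problems.append("no signing certificate")
    return {"login": endpoint("SingleSignOnService"),
            "logout": endpoint("SingleLogoutService"),
            "certificates": certs, "problems": problems}
```

The function does not read certificate validity dates; check expiry separately, for example with `openssl x509 -noout -enddate`.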

## Step 3: Test and enable

Click **"Test configuration"** to verify authentication works. Once confirmed, enable SSO for all users.

<Danger>
  After enabling SSO, all users will be required to log in again.
</Danger>

## IdP-initiated login (optional)

Enable **IdP-initiated login** to allow users to be redirected to Forest directly from your IdP dashboard. Set this Relay State on your IdP:

```json
{
  "organizationName": "YourOrganizationName",
  "destinationUrl": "organization.projects"
}
```

## Troubleshooting

* Double-check all endpoints and certificate expiration dates
* Ensure the `NameID` in your IdP is set to the **email address used on Forest accounts**
* Ensure your IdP is configured for **SAML 2.0**

If you can't resolve the issue, ask for help on the [Forest Community Forum](https://community.forestadmin.com).
