# SSO Provider Guides

> Configure Single Sign-On with your Identity Provider

Forest supports SAML 2.0 SSO. The configuration is done in two steps:

1. **Declare Forest in your Identity Provider** using the values below
2. **Configure Forest** with your IdP metadata

<Info>
  You must be an Organization Owner to configure SSO.
</Info>

## Forest SAML settings

Use these values when configuring Forest as a Service Provider in your IdP:

| Setting                | Value                                           |
| ---------------------- | ----------------------------------------------- |
| Callback URL (ACS URL) | `https://api.forestadmin.com/api/saml/callback` |
| Sign on URL            | `https://api.forestadmin.com/api/saml/callback` |
| Logout URL             | `https://app.forestadmin.com/login`             |
| Audience (EntityID)    | Displayed in your Forest Organization settings  |

## Configuration methods

### Option 1: XML metadata (recommended)

Provide either a URL to your IdP's metadata XML endpoint, or upload the metadata XML file. This method supports automatic certificate rotation without service interruption.

### Option 2: Manual input

Enter the following fields manually:

* Login endpoint
* Logout endpoint
* Valid certificate

## Enabling SSO

After configuring and testing your SSO setup, enable it for all users in your Organization settings.

<Danger>
  After enabling SSO, all users will be required to log in again.
</Danger>

## IdP-initiated login (optional)

To allow users to be automatically redirected to Forest from your IdP dashboard, enable **IdP-initiated login** and set a default Relay State on your IdP:

```json
{
  "organizationName": "YourOrganizationName",
  "destinationUrl": "organization.projects"
}
```

## Troubleshooting

* Double-check all endpoints and certificate expiration dates
* Ensure the `NameID` configured on your IdP matches the **email address used on Forest accounts**
* Ensure you selected **SAML 2.0** on your IdP
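
The checks above can be run against your IdP's metadata XML before you enter anything in Forest. The following is an added example, not Forest's own tooling: it extracts the three manual-input fields and flags non-HTTPS endpoints, a missing signing certificate, and an IdP that does not advertise the `emailAddress` NameID format. The function name, the sample metadata and the `idp.example.com` URLs are assumptions; certificate expiry is not checked because that requires an X.509 library.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample: hypothetical IdP, placeholder bytes instead of a real certificate.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/saml">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
   cGxhY2Vob2xkZXItY2VydA==</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleLogoutService Location="https://idp.example.com/slo" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
  <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
  <md:SingleSignOnService Location="http://idp.example.com/sso" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def check_idp_metadata(xml_text):
    """Return (manual-input fields, list of problems) for SAML 2.0 IdP metadata."""
    if "<!DOCTYPE" in xml_text:
        raise ValueError("refusing metadata that carries a DTD")
    idp = ET.fromstring(xml_text).find(".//md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: not SAML 2.0 IdP metadata")
    problems, found = [], {}
    for field, tag in (("login", "SingleSignOnService"), ("logout", "SingleLogoutService")):
        node = idp.find(f"md:{tag}", NS)
        found[field] = node.get("Location") if node is not None else None
        if not found[field]:
            problems.append(f"{field} endpoint missing")
        elif not found[field].startswith("https://"):
            problems.append(f"{field} endpoint is not HTTPS")
    # Signing certificates: KeyDescriptor with use="signing" or no use attribute.
    found["cert_sha256"] = [
        hashlib.sha256(base64.b64decode("".join(cert.text.split()))).hexdigest()
        for kd in idp.findall("md:KeyDescriptor", NS) if kd.get("use") in (None, "signing")
        for cert in kd.findall(".//ds:X509Certificate", NS) if cert.text]
    if not found["cert_sha256"]:
        problems.append("no signing certificate")
    # Heuristic: the page requires NameID to match the Forest account email address.
    formats = [f.text.strip() for f in idp.findall("md:NameIDFormat", NS) if f.text]
    if formats and EMAIL_FORMAT not in formats:
        problems.append("emailAddress NameID format not advertised")
    return found, problems
```

Call `check_idp_metadata()` with the text of the metadata file downloaded from your IdP, and compare the returned SHA-256 fingerprints with the certificate shown in the IdP console.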

## Provider guides

<CardGroup cols={2}>
  <Card title="Google Workspace" href="/get-started/control/authentication/sso-providers/google" />

  <Card title="Okta" href="/get-started/control/authentication/sso-providers/okta" />

  <Card title="Azure AD" href="/get-started/control/authentication/sso-providers/azure" />

  <Card title="Generic SAML" href="/get-started/control/authentication/sso-providers/generic-saml" />
</CardGroup>
