# SSO Setup

BalkanID makes it easy to integrate Single Sign-On (SSO) with your existing Identity Provider (IdP), helping you streamline authentication and improve security across your organization. By connecting your Identity Provider, you can centralize authentication, reduce password-related risks, and provide a seamless login experience for your users.

We support a wide range of industry-standard IdPs **out of the box**. Whether you're using a popular cloud IdP like Okta or Azure Entra ID, or a custom in-house solution that supports SAML or OIDC, BalkanID offers flexible support to meet your needs.

<figure><img src="/files/tyAe5csG4GsJLn5ev7e0" alt=""><figcaption></figcaption></figure>

### Supported Identity Providers

BalkanID currently supports the following IdPs:

* Auth0
* Azure Entra ID
* ClassLink
* CyberArk
* Descope
* Duo
* Google Workspace
* JumpCloud
* Keycloak
* LastPass
* Microsoft AD FS
* miniOrange
* Okta
* OneLogin
* PingOne
* PingFederate
* Salesforce

Each of these providers can be configured to enable secure, seamless SSO login for your users within BalkanID.

#### Don’t See Your IdP?

If your Identity Provider isn’t listed above, no problem! BalkanID also supports any **custom SAML 2.0** or **OIDC (OpenID Connect)**-compliant provider. This flexibility ensures you can still set up SSO, regardless of which IdP you use.

### What You'll Need to Get Started

Before setting up your SSO integration, make sure you have the following:

* Admin access to your Identity Provider
* Your SAML metadata or OIDC configuration details
* Admin access to your BalkanID Tenant

{% hint style="info" %}
If required for SSO setup, the redirect URI for our application is: <https://app.balkan.id/auth/login>
{% endhint %}

<details>

<summary><strong>Important Notice for Okta OIDC Configuration</strong></summary>

Please be aware of a known issue with the current Okta OIDC setup suite that may cause configuration errors. Our team is working on a fix.

In the meantime, please follow this temporary workaround to ensure your Okta OIDC integration is set up correctly.

When configuring your Okta OIDC application, you **must manually adjust** the following three settings:

1. **Scopes:** Make sure that `openid` is added within the desired scopes option, as shown in the image below.

   <figure><img src="/files/J3Y4xWnO4XAB7KUTLHed" alt=""><figcaption></figcaption></figure>
2. **Grant Type**: Set the grant type to **`implicit`**.

   <figure><img src="/files/Y48vwIYzPIXJ5yFmXa2e" alt=""><figcaption></figcaption></figure>
3. **Allow ID Token**: Ensure the **`ID Token`** option is checked and allowed.

   <figure><img src="/files/mkuhZrv5klUqcDBtZ3i0" alt="" width="375"><figcaption></figcaption></figure>

4. **User Attribute Mapping**: In the user attribute mapping section, change the default value from **`sub`** to `email` for the `Login ID` user attribute.

   <figure><img src="/files/IKlirolodfDH0NIrata9" alt=""><figcaption></figcaption></figure>

Following these specific steps will allow for a successful connection. We apologize for any inconvenience and will remove this notice once the issue is resolved in a future update.

</details>
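
To confirm the Okta workaround above took effect, you can inspect a login request and the ID token it returns, both captured from your browser's developer tools. The following is an added example, not BalkanID or Okta code; it assumes a standard OIDC authorization request, and the Okta domain, client ID, user and token values are constructed placeholders.

```python
import base64
import json
from urllib.parse import parse_qs, urlsplit

REDIRECT_URI = "https://app.balkan.id/auth/login"  # redirect URI given on this page

def check_authorize_request(url):
    """List problems in a captured OIDC authorization request URL."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    problems = []
    if "openid" not in q.get("scope", "").split():
        problems.append("scope lacks openid")
    if "id_token" not in q.get("response_type", "").split():
        problems.append("response_type does not request id_token")
    if not q.get("nonce"):  # OIDC Core requires a nonce in implicit-flow requests
        problems.append("nonce missing")
    if q.get("redirect_uri") != REDIRECT_URI:
        problems.append("unexpected redirect_uri")
    return problems

def decode_claims(id_token):
    """Decode the JWT payload for inspection only; the signature is NOT verified."""
    payload = id_token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def check_id_token(id_token, sent_nonce):
    """List problems that would break a Login ID mapped to the email claim."""
    claims = decode_claims(id_token)
    problems = []
    if not claims.get("email"):
        problems.append("no email claim for Login ID")
    if claims.get("nonce") != sent_nonce:
        problems.append("nonce mismatch")
    return problems

def _seg(obj):  # builds one base64url JWT segment for the constructed samples
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed samples (assumptions): placeholder domain, client ID, user, signature.
GOOD_REQUEST = (
    "https://example.okta.com/oauth2/v1/authorize?client_id=CLIENT_ID_PLACEHOLDER"
    "&response_type=id_token&scope=openid%20email&nonce=n-0S6&state=af0"
    "&redirect_uri=https%3A%2F%2Fapp.balkan.id%2Fauth%2Flogin")
_HDR = _seg({"alg": "RS256"})
GOOD_TOKEN = f'{_HDR}.{_seg({"sub": "00u-constructed", "email": "user@example.com", "nonce": "n-0S6"})}.sig'
SUB_ONLY_TOKEN = f'{_HDR}.{_seg({"sub": "00u-constructed", "nonce": "n-0S6"})}.sig'

if __name__ == "__main__":
    print(check_authorize_request(GOOD_REQUEST))
    print(check_id_token(SUB_ONLY_TOKEN, "n-0S6"))
```

An empty list means the check passed. `decode_claims` is for troubleshooting only and does not replace signature validation by the relying party.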

### How to Set Up SSO

1. Log in to BalkanID.
2. Under the configure section, click Global Settings > SSO Configuration.
3. Click on the `Generate SSO link` button.

   <figure><img src="/files/4JBi0XNZbhZcjJhuUTWD" alt=""><figcaption></figcaption></figure>
4. After clicking "Generate SSO Link," a pop-up or notification will provide you with a unique URL. You'll also see an option to **email this link to yourself** for convenience.

   <figure><img src="/files/Oj1JG0IG3VWsX2xWB5gL" alt=""><figcaption></figcaption></figure>
5. Clicking on the provided URL will open the SSO Suite, a step-by-step guided experience. This suite will walk you through the configuration process tailored to your chosen SSO provider, ensuring a smooth and accurate setup.

   <figure><img src="/files/27o4UUCjJPXuzfC6LsPX" alt=""><figcaption></figcaption></figure>

{% hint style="info" %}
If you need any help or assistance, don't hesitate to reach out to the **BalkanID team** at **<support@balkan.id>**.
{% endhint %}

