> ## Documentation Index > Fetch the complete documentation index at: https://docs.tracecat.com/llms.txt > Use this file to discover all available pages before exploring further. # SAML SSO > Authenticate into Tracecat with SAML SSO: configure your identity provider, map attributes, and enable single sign-on for organization-wide access. ## Supported identity providers * [Okta](#okta) * [Microsoft Entra ID](#microsoft-entra-id) * [Authentik](#authentik) * [Keycloak](#keycloak) ## Configuration In your `.env` file, make sure you have the following values set. ```bash theme={null} TRACECAT__AUTH_TYPES=saml SAML_IDP_METADATA_URL=https:// ``` ## Access policy After SAML authentication succeeds, Tracecat allows organization access when at least one of the following is true: * The user already has membership in the organization. * The user has a pending invitation for the organization. * The user is the first-user superadmin bootstrap account in the default organization. * The user is a platform superadmin (owner). Tracecat only auto-provisions SAML user accounts for: * Pending organization invitations. * First-user superadmin bootstrap (default organization only). If this is a new deployment, make sure `TRACECAT__AUTH_SUPERADMIN_EMAIL` exactly matches the email claim sent by your IdP for the owner account. ## Instructions Tracecat always requires signed assertions and signed responses. If you are using a self-signed certificate for your metadata URL, configure a base64-encoded CA certificates `.pem` bundle with `SAML_CA_CERTS` in your deployment environment. ### Okta Go to **Applications** and select **Add Application**. Select **SAML 2.0** and click on **Create**. * Set the **Single sign-on URL**, **Recipient URL**, and **Destination URL** to `https:///auth/saml/acs`. * Set the **Audience Restriction** to `https://`. Okta SAML Map `email` to `user.email` Okta attribute statements Set the following environment variables in your `.env` file: * `SAML_IDP_METADATA_URL`: Okta metadata URL Restart Tracecat to apply the changes. Navigate to your Tracecat instance and click on the **Login** button. You should be redirected to Okta for authentication. ### Microsoft Entra ID You must enable **Sign SAML response and assertion** in your Microsoft SAML app settings. Microsoft SAML apps only sign assertions by default. Go to **Enterprise applications** and select the **New application** button. Find and select the **Microsoft Entra SAML toolkit** app. * Set the **Reply URL** and **Sign on URL** to `https:///auth/saml/acs`. * Set **Identifier** to `https:///api`. * Set **Relay State** to `https://`. * Make sure that **Sign SAML response and assertion** is enabled. Microsoft Entra SAML Map `email` to `user.mail` ### Authentik Go to **Providers** and select the **Create** button. Choose **SAML Provider** and select the **Next** button. * Enter a name and choose an authorization flow * Set the **ACS URL** to `https:///auth/saml/acs`. * Set the **Audience** to `https:///api`. Authentik Provider * Expand the **Advanced protocol settings** section. * Select a **Signing Certificate** and ensure **Sign assertions** is enabled. Authentik Provider * Select **authentik default SAML Mapping: Name** in **Selected User Property Mappings**. * Click the **\<** button to deselect it. * Select the **Finish** button. Authentik Provider Go to **Applications** and select the **Create** button. Fill in the details as desired. * Select the provider you created previously. * Select the **Metadata** tab. * Select the **Copy download URL** button. Set the following environment variables in your `.env` file: * `SAML_IDP_METADATA_URL`: Metadata download URL Restart Tracecat to apply the changes. Navigate to your Tracecat instance and click on the **Login** button. You should be redirected to Authentik for authentication. ### Keycloak * Go to **Clients** and select the **Create client** button. * Set the **Client type** to **SAML**. * Set the **Client ID** to `https:///api` and select the **Next** button. Keycloak Client General Settings * Set the **Valid redirect URIs** to `https:///auth/saml/acs`. * Set the **Master SAML Processing URL** to `https:///auth/saml/acs` and select the **Save** button. Keycloak Client Login Settings * In **Settings** tab scroll down to **Signature and Encryption** section. * Ensure **Sign documents** is enabled. Keycloak Document Signing * Open **Keys** tab and look into **Signing keys config** section. * Ensure **Client signature required** is disabled. Keycloak Client Signing * Open **Client scopes** tab and click on client scope `https:///api-dedicated`. * Create new **User Property** mapper for **email** attribute and click **Save**. Keycloak Property Mapping * Go to **Realm Settings** ➤ **General** ➤ **Endpoints**. * Copy the **SAML 2.0 Identity Provider Metadata** link. Keycloak Property Mapping Set the following environment variables in your `.env` file: * `SAML_IDP_METADATA_URL`: Metadata download URL Restart Tracecat to apply the changes. Navigate to your Tracecat instance and click on the **Login** button. You should be redirected to Keycloak for authentication. ## Environment variables For standard self-hosted SAML setup, provide your IdP metadata URL in the deployment environment. ### Protocol configuration * `SAML_ALLOW_UNSOLICITED`: Whether to allow unsolicited SAML responses (default: `false`) * `SAML_ACCEPTED_TIME_DIFF`: Time difference in seconds for SAML authentication (default: `3`) Tracecat always requires signed assertions and signed responses. These checks are not configurable. ### SSL transport configuration * `SAML_VERIFY_SSL_ENTITY`: Whether to verify SSL certificates for general SAML entity operations (default: `true`) * `SAML_VERIFY_SSL_METADATA`: Whether to verify SSL certificates when fetching metadata (default: `true`) * `SAML_CA_CERTS`: Base64 encoded CA certificates for SSL/TLS transport layer validation