.. _sso-overview:

Single Sign On (SSO) Overview
------------------------------

VOSS Automate supports Single Sign-on (SSO) through the SAML v2 standard for SSO.
The system acts as a service provider in the SAML authentication architecture
and supports service provider initiated (SP-initiated) authentication of users
against a SAMLv2 Identity Provider (IdP).

Authentication settings on an IdP server include **Authentication Scope** and
**User sync Type** - see: :ref:`configure_single_sign-on_for_voss-4-uc`.

Users accessing VOSS Automate using SSO authentication are required to access
the system using a URL which is specific to the IdP setup in the VOSS Automate
system. This ensures the SAML interaction is with the correct IdP, since
multiple IdPs can be set up in VOSS Automate.

When accessing the URL, the user is presented with the login challenge via the
Identity Provider (outside of VOSS) if they do not already have an active
session on the IdP. Once the user is authenticated with the IdP, the IdP sends
its assertion to VOSS Automate, and the user is given access and presented with
the appropriate interface in VOSS Automate (admin or self-service).

If users already have an authentication session with the IdP, they do not see
the IdP login page and are directed straight to VOSS Automate.

.. note::

   * Credential policy features such as password rules, session length, etc.
     are all managed by the IdP outside of VOSS Automate.
   * Single Sign-on support is for authentication only and does not apply the
     user's permissions within VOSS Automate.
   * No logout is supported when using SSO (single sign-out). VOSS Automate will not initiate the termination of