# Configuring SSO: SAML 2.0

Orchestrator can handle single sign-on (SSO) authentication based on SAML 2.0. To enable it, both Orchestrator/Identity Server, acting as the Service Provider, and an Identity Provider must be properly configured so that they can communicate with each other. If SAML is enabled and correctly configured, a button is displayed at the bottom of the **Login** page. If the external identity provider uses a multi-factor authentication protocol, the user must also comply with the corresponding rules to log in successfully.

Figure 1. Orchestrator SSO sign in with SAML 2.0

!['Orchestrator SSO sign in with SAML 2.0' image](https://dev-assets.cms.uipath.com/assets/images/orchestrator/orchestrator-orchestrator-sso-sign-in-with-saml-2-0-image-233191-eeb70980.webp)

:::important
Orchestrator/Identity Server supports multiple identity providers. This guide covers the following as examples:
* [ADFS](https://docs.uipath.com/orchestrator/standalone/2024.10/user-guide/adfs-authentication#adfs-authentication)
* [Google](https://docs.uipath.com/orchestrator/standalone/2024.10/user-guide/google-authentication#google-authentication)
* [Okta](https://docs.uipath.com/orchestrator/standalone/2024.10/user-guide/okta-authentication#okta-authentication)
* [PingOne](https://docs.uipath.com/orchestrator/standalone/2024.10/user-guide/pingone-authentication#pingone-authentication)
:::

## Overview

To enable SAML authentication, the high-level process is as follows:

1. Define a user in Orchestrator with a valid email address set on the **Users** page. This applies if the email address is set as a SAML attribute. You can also configure a [custom mapping](https://docs.uipath.com/orchestrator/standalone/2024.10/user-guide/custom-mapping#custom-mapping) strategy.
2. [Import the signing certificate](https://docs.uipath.com/orchestrator/standalone/2024.10/user-guide/setting-orchestrator-to-use-a-private-key-certificate#private-key-certificates) provided by the Identity Provider to the Windows certificate store using Microsoft Management Console, and set Orchestrator/Identity Server to use it accordingly.
3. Add the configuration specific to the identity provider you want to use in the **Saml2** settings (**Users > Authentication Settings > External Providers**), making sure the **Enabled** checkbox is selected. Follow the instructions for the identity provider you use:
   * [ADFS](https://docs.uipath.com/orchestrator/standalone/2024.10/user-guide/adfs-authentication#adfs-authentication)
   * [Google](https://docs.uipath.com/orchestrator/standalone/2024.10/user-guide/google-authentication#google-authentication)
   * [Okta](https://docs.uipath.com/orchestrator/standalone/2024.10/user-guide/okta-authentication#okta-authentication)
   * [PingOne](https://docs.uipath.com/orchestrator/standalone/2024.10/user-guide/pingone-authentication#pingone-authentication)
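
A check you can run on the Orchestrator/Identity Server machine around step 2, as an added example that is not part of the UiPath documentation: it inspects the certificate file received from the Identity Provider (validity window, signature hash, RSA key size) and reports which `LocalMachine` stores already contain it. The parameter names, the 30-day warning window and the 2048-bit threshold are assumptions of this example.

```powershell
# Added example, not UiPath code. $CertPath is a hypothetical path to the
# certificate file received from the Identity Provider.
param(
    [Parameter(Mandatory)] [string] $CertPath,
    [int] $WarnDays = 30,      # assumption: warn this many days before expiry
    [int] $MinRsaBits = 2048   # assumption: minimum acceptable RSA key size
)

function Test-IdpSigningCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert,
        [int] $WarnDays,
        [int] $MinRsaBits
    )
    $findings = @()
    $now = Get-Date
    if ($now -lt $Cert.NotBefore) {
        $findings += "Not valid until $($Cert.NotBefore)"
    } elseif ($now -gt $Cert.NotAfter) {
        $findings += "Expired on $($Cert.NotAfter)"
    } elseif ($Cert.NotAfter -lt $now.AddDays($WarnDays)) {
        $findings += "Expires within $WarnDays days ($($Cert.NotAfter))"
    }
    # Certificates signed with MD5 or SHA-1 use a deprecated hash.
    if ($Cert.SignatureAlgorithm.FriendlyName -match 'md5|sha1') {
        $findings += "Weak signature algorithm: $($Cert.SignatureAlgorithm.FriendlyName)"
    }
    # GetRSAPublicKey returns $null for non-RSA keys (for example ECDSA).
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Cert)
    if ($rsa -and $rsa.KeySize -lt $MinRsaBits) {
        $findings += "RSA key is $($rsa.KeySize) bits, below $MinRsaBits"
    }
    return ,$findings
}

$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new((Resolve-Path $CertPath).Path)
$findings = Test-IdpSigningCertificate -Cert $cert -WarnDays $WarnDays -MinRsaBits $MinRsaBits

# Look for the same thumbprint in every LocalMachine store to confirm the MMC import.
$stores = Get-ChildItem Cert:\LocalMachine -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint } |
    ForEach-Object { ($_.PSParentPath -split '\\')[-1] }

[pscustomobject]@{
    Subject    = $cert.Subject
    Thumbprint = $cert.Thumbprint
    NotAfter   = $cert.NotAfter
    FoundIn    = if ($stores) { $stores -join ', ' } else { 'not found in LocalMachine stores' }
    Findings   = if ($findings) { $findings -join '; ' } else { 'none' }
}
```

Compare the reported thumbprint with the one published by the Identity Provider before selecting the certificate in the **Saml2** settings.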
