
# SAML/Enterprise SSO

> Guide to setting up SAML/Enterprise SSO.

SAML SSO lets your organization connect to Metriport through your own identity provider (e.g. Okta, Azure AD, JumpCloud).

## Setup

First, ask the Metriport team for a link to set up SAML/SSO for your account.

<Warning>
  This will be a sensitive, unauthenticated link, so please
  only share it with the person who manages your
  organization's users, if needed.
</Warning>

We support the following Identity Providers with a step-by-step guide:

* Google
* Okta
* Azure
* OneLogin
* JumpCloud
* Duo
* Rippling
* For Identity Providers not on this list you can choose "other" - we'll walk you through a generic SAML setup.

Some tips for setting it up:

* Mapping user attributes from your Identity Provider to Metriport:
  * Use these fields for the Metriport side of the user attribute mapping:
    * `email`
    * `first_name`
    * `last_name`
  * For details about the user groups/roles available at Metriport, see our documentation: [User Roles](/medical-api/more-info/user-roles)
* At the end, you'll see a "You're almost done" page. Please be sure to test the setup before completing the process:
  * Click on "Test connection" - if it's successful, you should see a page with the user attributes mapping for the account you chose on your Identity Provider.
  * It might take a few minutes for the new setup to be available on your Identity Provider.
* When done ("SAML setup complete"), we'll show you a URL that you can use to point your users directly to the account selection when signing into Metriport. This URL is only displayed once, so make sure to copy it before closing the page.

When you open the link, you'll see this page, where you should choose the SAML provider:

<Frame>
  <img className="h-100" src="https://mintcdn.com/metriport/01VxYc4hqAqnMppL/images/sso/sso.png?fit=max&auto=format&n=01VxYc4hqAqnMppL&q=85&s=6ee70e7267bd7ee0cfa6924371d74c4b" alt="SAML Provider Selection" width="2310" height="1330" data-path="images/sso/sso.png" />
</Frame>

## Google Example

<Info>
  Other Identity Providers (IDP) might have different steps,
  so use the numbered steps pertaining to Google as a
  reference.
</Info>

These steps will guide you through the process of setting up SAML/SSO for Google, and will be similar for other providers.

### Step 1

The first step is just an introduction to how to create a SAML app on Google:

<Frame>
  <img className="h-100" src="https://mintcdn.com/metriport/01VxYc4hqAqnMppL/images/sso/sso1.png?fit=max&auto=format&n=01VxYc4hqAqnMppL&q=85&s=9bdb27a03b2636e99f2e5135917ae713" alt="Google SAML App Creation" width="2284" height="2180" data-path="images/sso/sso1.png" />
</Frame>

### Step 2

Here you should copy info from Google into Metriport. These values are easily accessible in Google's SAML setup.

<Frame>
  <img className="h-100" src="https://mintcdn.com/metriport/01VxYc4hqAqnMppL/images/sso/sso2.png?fit=max&auto=format&n=01VxYc4hqAqnMppL&q=85&s=62b139604372c3506deecda72e62d9a5" alt="Copy Info from Google" width="2538" height="1980" data-path="images/sso/sso2.png" />
</Frame>

### Step 3

Now it's time to copy some info from Metriport into your SAML server. There should be a fairly equivalent field/property on your SAML server matching the fields `ACS URL` and `SP Entity ID`.

<Frame>
  <img className="h-100" src="https://mintcdn.com/metriport/01VxYc4hqAqnMppL/images/sso/sso3.png?fit=max&auto=format&n=01VxYc4hqAqnMppL&q=85&s=287493e571a5073a03d1cc50773ef7dc" alt="Copy Info to SAML Server" width="2534" height="1600" data-path="images/sso/sso3.png" />
</Frame>

### Step 4

Now, Metriport will display a recommendation for mapping user attributes.

It only includes `email` on the list of fields to copy, but you can safely use the `first_name` and `last_name` to map the respective fields to Metriport.

There are no other fields to be mapped beyond those (groups will be done on the next step).

<Frame>
  <img className="h-100" src="https://mintcdn.com/metriport/01VxYc4hqAqnMppL/images/sso/sso4.png?fit=max&auto=format&n=01VxYc4hqAqnMppL&q=85&s=8cdf0e599fd2273571ea0f1f7991f735" alt="User Attribute Mapping" width="2544" height="1422" data-path="images/sso/sso4.png" />
</Frame>
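
If "Test connection" fails or shows an incomplete attribute mapping, the values from Steps 3 and 4 can be checked against a SAML response captured from your browser. The script below is an added example, not part of Metriport's documentation or code; it assumes the Metriport-side field names (`email`, `first_name`, `last_name`) appear as attribute names in the assertion, and the ACS URL, SP Entity ID and sample response are constructed placeholders.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED_ATTRS = {"email", "first_name", "last_name"}  # field names from this page

def check_saml_response(b64_response, acs_url, sp_entity_id):
    """List setup problems in a base64 SAMLResponse (HTTP-POST binding).

    Structural check only: it does not verify the XML signature, so it is a
    debugging aid for the IdP configuration, not a validation of the login.
    """
    root = ET.fromstring(base64.b64decode(b64_response))
    problems = []
    if root.get("Destination") != acs_url:
        problems.append("Destination does not match ACS URL")
    audiences = {a.text.strip() for a in root.iterfind(".//saml:Audience", NS) if a.text}
    if sp_entity_id not in audiences:
        problems.append("Audience does not match SP Entity ID")
    present = set()
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text for v in attr.iterfind("saml:AttributeValue", NS)
                  if v.text and v.text.strip()]
        if values:  # an attribute sent with no value counts as missing
            present.add(attr.get("Name"))
    for name in sorted(REQUIRED_ATTRS - present):
        problems.append(f"missing or empty attribute: {name}")
    return problems

# Constructed placeholders; the real values are the ones shown in Step 3.
ACS_URL = "https://sp.example.invalid/saml/acs"
SP_ENTITY_ID = "https://sp.example.invalid/saml/metadata"

def build_sample(attrs):
    """Build a constructed, unsigned SAMLResponse carrying the given attributes."""
    attr_xml = "".join(
        f'<saml:Attribute Name="{k}"><saml:AttributeValue>{v}</saml:AttributeValue></saml:Attribute>'
        for k, v in attrs.items())
    xml = (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
           f'Destination="{ACS_URL}"><saml:Assertion><saml:Conditions>'
           f'<saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience>'
           '</saml:AudienceRestriction></saml:Conditions>'
           f'<saml:AttributeStatement>{attr_xml}</saml:AttributeStatement>'
           '</saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()

if __name__ == "__main__":
    # IdP mapped "firstName" instead of "first_name" and sent no last name.
    bad = build_sample({"email": "jane@example.com", "firstName": "Jane"})
    print(check_saml_response(bad, ACS_URL, SP_ENTITY_ID))
```

Run it only on a response you captured yourself from a test login, and treat that captured response as sensitive, since it carries user identity data.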

### Step 5

Here you can map your groups to Metriport groups - for more info about our groups, see [Groups](/medical-api/more-info/user-roles).

<Frame>
  <img className="h-100" src="https://mintcdn.com/metriport/01VxYc4hqAqnMppL/images/sso/sso5.png?fit=max&auto=format&n=01VxYc4hqAqnMppL&q=85&s=ac085a93d9db0f481dc5888345d9cdbd" alt="Group Mapping" width="2524" height="2006" data-path="images/sso/sso5.png" />
</Frame>

### Last Steps

Once the setup is done, Metriport will display a window asking you to validate the SSO setup.

It might take a few minutes after your SAML provider is set up for it to be fully available.

You should `Test connection` before "Finish and go live".

<Frame>
  <img className="h-100" src="https://mintcdn.com/metriport/01VxYc4hqAqnMppL/images/sso/sso6.png?fit=max&auto=format&n=01VxYc4hqAqnMppL&q=85&s=53e08916449a0268454a8a09adb54fc0" alt="Validate SSO Setup" width="2604" height="832" data-path="images/sso/sso6.png" />
</Frame>

When you click `Test connection` (and your SAML provider is set and enabled), you should see a page like this:

<Frame>
  <img className="h-100" src="https://mintcdn.com/metriport/01VxYc4hqAqnMppL/images/sso/sso7.png?fit=max&auto=format&n=01VxYc4hqAqnMppL&q=85&s=061f1c2d5a45a7cec329cb51d8018c29" alt="Test Connection" width="2542" height="1030" data-path="images/sso/sso7.png" />
</Frame>

Then, after you click on `Test connection` you should get a page with a link to the SAML/SSO login.

Your users can use this URL to create an internal link that logs them in to Metriport, bypassing the login page.

<Frame>
  <img className="h-100" src="https://mintcdn.com/metriport/01VxYc4hqAqnMppL/images/sso/sso8.png?fit=max&auto=format&n=01VxYc4hqAqnMppL&q=85&s=4137b40b97ab9e0b40556ccdb97b62b8" alt="SAML/SSO Login URL" width="2196" height="1184" data-path="images/sso/sso8.png" />
</Frame>

Opening the URL above with Google set as the SAML provider returns the Google account selector:

<Frame>
  <img className="h-100" src="https://mintcdn.com/metriport/01VxYc4hqAqnMppL/images/sso/sso9.png?fit=max&auto=format&n=01VxYc4hqAqnMppL&q=85&s=71f02c3038ca6ee1065018640e34f16e" alt="Google Account Selector" width="2424" height="1096" data-path="images/sso/sso9.png" />
</Frame>

Upon first login, your users will be asked to confirm their email:

<Frame>
  <img className="h-100" src="https://mintcdn.com/metriport/01VxYc4hqAqnMppL/images/sso/sso10.png?fit=max&auto=format&n=01VxYc4hqAqnMppL&q=85&s=ed310502b348c1e552c460a0884363e6" alt="Confirm Email" width="1712" height="1114" data-path="images/sso/sso10.png" />
</Frame>

From then on, once your users choose their account on the SAML provider they get directed to the Metriport dashboard.

If your users go straight to the [Metriport Dashboard](https://dash.metriport.com/), they'll get the regular login page:

<Frame>
  <img className="h-100" src="https://mintcdn.com/metriport/01VxYc4hqAqnMppL/images/sso/sso11.png?fit=max&auto=format&n=01VxYc4hqAqnMppL&q=85&s=d68361b0c52c545c1cbbe910d2076f68" alt="Regular Login Page" width="1626" height="1384" data-path="images/sso/sso11.png" />
</Frame>

If your users enter an email associated with an Org that has SAML/SSO enabled, then that SAML provider's login/account page will be displayed (Google's in this case).

Otherwise, the `password` field will be displayed:

<Frame>
  <img className="h-100" src="https://mintcdn.com/metriport/01VxYc4hqAqnMppL/images/sso/sso12.png?fit=max&auto=format&n=01VxYc4hqAqnMppL&q=85&s=33f099dbd84b097b65b6e0646acf9a08" alt="Password Field" width="1618" height="1520" data-path="images/sso/sso12.png" />
</Frame>
