# SSO Login

The **SSO Login** section in **Settings** allows you to enable a single sign-on (SSO) provider for one or more domains within your organisation. This centralises authentication, enhances security, and streamlines access for all team members.

{% hint style="info" %}
**Authentication Errors Due to Blocked Third-Party Cookies**

If your organisation uses a **Mobile Device Management (MDM)** or **endpoint security** solution that blocks third-party cookies as part of its security policy, certain Sprinto integrations — including **Microsoft Entra ID (Azure AD)** — may fail during authentication.

In such cases, you might encounter a **“CSRF verification failed”** or a similar **authorisation error** when attempting to connect the integration.

**Resolution**

To ensure successful authentication and a smooth integration flow, update your security or MDM policy to **allow cookies and requests** from the following domains:

* \*.[merge.dev](http://merge.dev/)
* \*.[sprinto.com](http://sprinto.com/)
  {% endhint %}

### Accessing the SSO Login Page

1. Navigate to **Settings** from the left navigation menu.
2. Select **SSO Login** from the list of settings options.

<figure><img src="/files/pkBH8DJXRLWjYygQEBca" alt="" width="563"><figcaption></figcaption></figure>

### Setting Up SSO Login

1. On the SSO Login page, click **Setup SSO Login**.
2. Under **Add domains that require custom SSO login**, enter the active staff email domains for which SSO setup is required.
   * Click **Add Email Domain** to add multiple domains if needed.
3. Click **Continue**.
4. A prompt will appear informing you that the integration is powered by a third-party application (WorkOS). Click **Continue** to proceed.

<figure><img src="/files/X8y6Hj5qnsJzZRUUicAI" alt=""><figcaption></figcaption></figure>

5. You will be redirected to the WorkOS configuration page.
6. On the WorkOS page, select your **Identity Provider** from the available list (e.g., Okta, Entra ID (Azure AD), Google, ADP, Auth0, CAS, etc.).
   * You can also configure **Custom SAML** or **Custom OIDC** if your provider is not listed.
7. Complete the integration setup as per your identity provider’s instructions.

<figure><img src="/files/bzGitHOyRb6dhNulE7NG" alt="" width="563"><figcaption></figcaption></figure>

Once configured, SSO will be enabled for the specified domains, and all login attempts for users with matching email domains will be routed through the configured SSO provider.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.sprinto.com/settings/sso-login.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.