# Single Sign-On (SSO)

### Overview

ComplyCube allows you to add team members and govern access to our **ComplyCube Web Portal** by easily integrating with your chosen **Identity Provider (IdP)** via **SAML**.

This integration ensures your team members benefit from a single sign-on (SSO) experience. It allows them to access ComplyCube using the same credentials and sign-in interface as your other service providers, enabling a **secure and cohesive user experience**.

Using SSO, your team members will be redirected to your IdP for authentication and authorization. Upon successful access verification, they will be seamlessly redirected back to ComplyCube.

{% hint style="warning" %}
When SSO is enabled, the standard ComplyCube sign-in flow will be disabled for all team members except the **Account Owner**. This safeguard ensures that, if the identity provider (IdP) becomes unavailable, the Account Owner can still access the Portal and deactivate SSO, restoring direct sign-in access for the rest of the team.
{% endhint %}

{% hint style="info" %}
This service is available through our **Enterprise Plan**. Get in touch with your Account Manager or [contact us](https://www.complycube.com/sales) to enable it.
{% endhint %}

### Just-in-Time (JIT) provisioning

ComplyCube supports JIT provisioning, allowing accounts for new team members to be created automatically at first sign-in. By default, all new members are assigned the '[Analyst](https://docs.complycube.com/documentation/guides/roles-and-permissions#user-roles)' role. The **ComplyCube Account Owner** or **Administrators** can later adjust this role through the [team members settings page](https://portal.complycube.com/settings/team).

{% hint style="info" %}
Should the number of **allocated seats** for an account be fully utilized, ComplyCube will stop provisioning new accounts. In such instances, your team member will get a message prompting them to contact their Account Owner.
{% endhint %}

### User roles with SSO

[User roles and permissions](/documentation/access-management/teams-and-user-roles.md) can be set via the [team members settings page](https://portal.complycube.com/settings/team) through the Portal.

### Removing accounts <a href="#removing-end-user-accounts" id="removing-end-user-accounts"></a>

Removing a team member from the IdP will prevent them from being able to sign in to ComplyCube. However, it will not remove their account from ComplyCube. **Accounts must be removed** from the ComplyCube [team members settings page](https://portal.complycube.com/settings/team).

### Requirements for SSO

* Your IdP must support the **SAML 2.0** standard.
* Your IdP must support **SHA256** for signatures.
* You must have **administrative permission** on the IdP.
* You must be an **Account Owner** or **Administrator** on ComplyCube.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.complycube.com/documentation/access-management/single-sign-on-sso.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.