# Single Sign On (SSO)

### Overview

ComplyCube allows you to add team members and govern access to our **Web Portal** by easily integrating with your chosen **Identity Provider (IdP)** via **SAML**.

This integration ensures your team members benefit from a Single Sign-On (SSO) experience. It allows them to access ComplyCube using the same credentials and login interface as your other service providers, enabling a **secure and cohesive user experience**.

Using SSO, your team members will be redirected to your IdP for authentication and authorization. Upon successful access verification, they will be seamlessly redirected back to ComplyCube.

{% hint style="warning" %}
When SSO is enabled, the standard ComplyCube login will be disabled for all team members except the **Account Owner**. This safeguard ensures that, if the identity provider (IdP) becomes unavailable, the Account Owner can still access the ComplyCube Portal and deactivate SSO, restoring direct login access for the rest of the team.
{% endhint %}

{% hint style="info" %}
This service is available through our **Enterprise Plan**. Get in touch with your Account Manager or [contact us](https://www.complycube.com/sales) to enable it.
{% endhint %}

### Just-in-Time (JIT) provisioning

ComplyCube supports JIT provisioning, allowing accounts for new team members to be created automatically at first login. By default, all new members are assigned the '[Analyst](https://docs.complycube.com/documentation/guides/roles-and-permissions#user-roles)' role. The **ComplyCube Account Owner** or **Administrators** can later adjust this role through the [team members settings page](https://portal.complycube.com/settings/team).

{% hint style="info" %}
Should the number of **allocated seats** for an account be fully utilized, ComplyCube will cease to provision new accounts. In such instances, your team member will get a message prompting them to contact their Account Owner.
{% endhint %}

### User roles with SSO

[User permission and roles](https://docs.complycube.com/documentation/access-management/teams-and-user-roles) can be set via the [team members settings page](https://portal.complycube.com/settings/team) through the Web Portal.&#x20;

### ​Removing accounts <a href="#removing-end-user-accounts" id="removing-end-user-accounts"></a>

Removing a team member from the IdP will prevent them from being able to sign in to ComplyCube. However, it will not remove their account from ComplyCube. **Accounts must be removed** from the ComplyCube [team members settings page](https://portal.complycube.com/settings/team).

### Requirements for SSO

* Your IdP must support the **SAML 2.0** standard.
* Your IdP must support **SHA256** for signatures.
* You must have **administrative permission** on the IdP.
* You must be an **Account Owner** or **Administrator** on ComplyCube.