
{% callout type="info" %}
SSO is an Enterprise feature. Reach out to the support team, your sales contact, or through the [Slack community](https://statsig.com/slack) if you need to enable Enterprise features as you try out Statsig.
{% /callout %}

*This documentation assumes that you already have an OIDC Provider up and running.*

You can configure Single Sign-On (SSO) with OIDC for your Statsig Organization to continue using your company's identity store with Statsig and reduce the steps for inviting your team to your Projects. Statsig automatically provisions new users after they authenticate with your Identity Provider. Organizations are an Enterprise Tier feature. If your SSO requires multi-factor authentication (MFA), Statsig automatically requires MFA when your users sign into Statsig with SSO enabled.

## Supported Providers

Statsig supports any Identity Provider (IdP) that implements the OIDC protocol for SSO.
Custom documentation is available for the following OIDC providers:

* [Okta](/access-management/sso/okta_sso)
* [Microsoft Entra ID (AzureAD)](/access-management/sso/azuread)
* [Google](/access-management/sso/google)
* Ping Identity
  * Be sure to include `openid` and `email` in the scopes
* OneLogin

## Configure SSO with OIDC

### In your Identity Provider

Specify the following for your Statsig App:

* Sign-in redirect URI: https://console.statsig.com/sso/oidc (and https://latest.console.statsig.com/sso/oidc if possible)
* Sign-out redirect URI: https://console.statsig.com
* Sign-in URI: https://console.statsig.com/sso

To enable SSO in Statsig, collect the following from your OIDC Provider:

* OIDC Domain
* Client ID
* Client Secret

### In Statsig Console

After you have obtained all of the information from your OIDC Provider:

1. Navigate to your Organization's [`Info Settings` page](https://console.statsig.com/settings?tab=organization) and click the `Enable` button for Single Sign-on.

{% callout type="note" %}
An `Owner`/`Admin` role in your Statsig organization is required to configure SSO on Statsig
{% /callout %}

{% figure %}
![SSO enable button in organization settings](/images/access-management/sso/overview/a31ba14d-9476-4897-afc6-5c39c2f932c9.png)
{% /figure %}

2. Provide the information acquired from your OIDC Provider into the fields in the dialog and click `Enable`.

{% figure %}
![SSO configuration dialog with OIDC provider fields](/images/access-management/sso/overview/d2143c48-f144-4544-a77b-af2e2d486cc8.png)
{% /figure %}

3. After clicking **Enable**, Statsig displays an SSO link that you can send to your team to allow them to log in to Statsig through your OIDC Provider.

{% figure %}
![SSO link generated for team login](/images/access-management/sso/overview/e3743107-2e26-4944-b2fb-f90536163b6f.png)
{% /figure %}

By default, Statsig assigns users provisioned through SSO the "Member" role in the organization.
If the organization has only one open project, users who sign in through an SSO link automatically join any Projects that have SSO enabled with the same OIDC Provider.
If there are multiple projects, Statsig adds users to the organization, but they need to request to join open projects or be invited to closed projects.

Enabling `Strict SSO` requires that all members of a Project besides the `Owner` log in to the Statsig Console through SSO with the configured provider to access the Project.

## Break Glass Scenarios

If you have configured SSO as required and your SSO configuration becomes corrupted, users are blocked from logging in. In that case, the user with the Owner role can use the break glass URL to sign in with a password, bypassing SSO. The break glass URL is [https://console.statsig.com/login?method=password-only](https://console.statsig.com/login?method=password-only)
