# SSO

<div align="left"><figure><img src="/files/XRJHQnAMs93C1umrdpNh" alt=""><figcaption></figcaption></figure></div>

> ### An *<mark style="color:purple;">SSO</mark>*, aka *<mark style="color:purple;">Single Sign-On</mark>*, is an authentication method that allows a user to *<mark style="color:purple;">log in once with a single set of credentials</mark>* and access multiple applications or services.

> ### This *<mark style="color:purple;">eliminates the need to remember multiple usernames and passwords for different accounts</mark>*, increasing convenience and security by reducing the risk of password fatigue and weak or reused credentials.

### *<mark style="color:purple;">How</mark>* It Works

* **User login**: A user logs into the first application (the identity provider) with their single set of credentials.
* **Authentication**: The identity provider authenticates the user and generates a secure digital "token" that proves their identity.
* **Access**: When the user tries to access another connected application (a service provider such as our AI Voice+ app), the browser sends the token to that service.
* **Verification**: The service provider (that's us, in our case) verifies the token with the identity provider and grants the user access without requiring them to log in again.

### Key *<mark style="color:purple;">Benefits</mark>*

* **For users**: Simplifies access to multiple applications, saving time and frustration from remembering numerous passwords.
* **For organizations**: Reduces the risk of security breaches from weak or forgotten passwords, improves productivity, and allows for centralized management of user access.

### Common *<mark style="color:purple;">Examples</mark>*

* **Enterprise use**: Employees logging into a single portal to access various corporate applications such as email, CRM, and HR systems; for example, AI Voice+ is the entry point into our app for you as the end user.
* **Consumer use**: Using a Google or Apple account to sign into multiple third-party apps and websites, if your IdP (aka your organization/company) has set up OAuth2 for Google, Apple, Microsoft, etc.

### *<mark style="color:purple;">Easy</mark>*. In-App. *<mark style="color:purple;">Setup</mark>*.

<div align="left"><figure><img src="/files/bOn0PFgd4uNIeKgabEzK" alt=""><figcaption></figcaption></figure></div>

<div align="left"><figure><img src="/files/v1DYQSDysDnSjn2HzuyZ" alt=""><figcaption></figcaption></figure></div>

<div align="left"><figure><img src="/files/hvoHg3Qp4bY0XdArhpLA" alt=""><figcaption></figcaption></figure></div>

### ...*<mark style="color:purple;">more</mark>* info

* **Hybrid SSO (SAML/OIDC)** — Organizations can connect their own Identity Providers (Okta, Authentik, Azure AD, etc.) via OIDC. SSO is triggered automatically by domain detection on the login page.
* **SSO Domain Detection** — As users type their email, the login form checks the domain against `Organization SSO Providers`; a branded "Sign in with \[Provider]" banner appears on match.
* **SSO Edge Functions** — `SSO Authorize` generates the OIDC authorization URL with HMAC-SHA256 signed state (CSRF protection, 10-minute TTL); `SSO Callback` verifies the signed state, handles code exchange, auto-provisions new users, links them to organizations, and signs them in via magic links.
* **SSO Security Hardening** — Redirect URI validation against allowed origins whitelist; domain format regex validation; scalable user lookup via profiles (not `listUsers()`); defense-in-depth org re-derivation from email domain; existing user org linkage on SSO login; `UNIQUE` partial index on `SSO Domain` prevents domain collisions.
* **SSO Admin Settings** — Organization admins configure OIDC settings (Issuer URL, Client ID, Client Secret, scopes, SSO domain) from Settings → SSO with a dedicated management UI.
* **Gamified SSO Setup Guide** — Interactive 5-step "How to Use" roadmap with XP tracking, progress bar, completion badges, confetti celebration, and localStorage persistence to guide admins through IdP configuration.

{% content-ref url="/pages/w99AxzQGORHUqf2wuBgG" %}
[325+ Features Shipped](/lisaiceland/platform+/active-development/325+-features-shipped.md)
{% endcontent-ref %}

{% content-ref url="/pages/mV3Y4OZ1l7FRL3MeHGRn" %}
[50+ Competitive Advantages](/lisaiceland/platform+/active-development/50+-competitive-advantages.md)
{% endcontent-ref %}

