
# Set up workspace single sign-on (SSO)

> Connect Okta, Auth0, Microsoft Entra ID, or any OIDC/SAML 2.0 provider to enable secure, centralized authentication for your workspace.


<Note>
  This page documents **workspace-level SSO for your team's access to Lovable itself**. It is configured at the workspace level under **Settings → Identity**.

  Looking for SAML SSO for the **end users of your Lovable Cloud app**? See [Add SAML single sign-on to Lovable Cloud apps](/features/cloud-saml-sso). That is configured per project under **Cloud → Users → Auth settings** and is a different feature.
</Note>

Single sign-on (SSO) is available on **Business** and **Enterprise** plans and enables secure, centralized authentication across your organization. With SSO, users can access Lovable with one set of credentials, simplifying access management and improving security.

<Note>
  **Service provider (SP)-initiated sign-in only:** users must start sign-in from Lovable (SP).

  **Identity provider (IdP)-initiated SSO** (starting from an IdP dashboard tile) is **not supported**.
</Note>

## Supported SSO protocols

Lovable supports both **OIDC** and **SAML 2.0** protocols, enabling integration with all major **identity providers (IdPs)**, including Okta, Auth0, Microsoft Entra ID (Azure AD), and more.

* **OpenID Connect (OIDC)**: recommended; a modern identity layer built on top of OAuth 2.0 that provides identity verification.
* **SAML (Security Assertion Markup Language) 2.0**: XML-based protocol for exchanging authentication and authorization data, widely used in enterprise environments.

## Prerequisites

To connect your identity provider to Lovable using OIDC or SAML, you need:

* **IdP admin access** (Okta, Auth0, Microsoft Entra ID, or any other provider you're using)
* **Lovable workspace owner or admin role**
* A **verified domain** in Lovable, to prove domain ownership
  <Info>
    To verify your domain, add the `TXT` record displayed in the UI to your DNS provider. See [Custom domains](/features/custom-domain) for more information.
  </Info>

## Start SSO setup in Lovable

SSO configuration is a **two-way setup** between Lovable and your identity provider:

* **Lovable → IdP:** copy Lovable URLs and settings into your IdP app.
* **IdP → Lovable:** copy your IdP’s issuer, metadata, and certificates back into Lovable.

The workspace **owner** or **admin** can set up SSO. To start, go to **Settings → Workspace → Identity → Add SSO provider**, then choose **OIDC** or **SAML**.

### IdP configuration reference

When you start the SSO provider setup in Lovable, you see:

* **What to configure in your IdP** (for example, app type, scopes, and attribute mappings).
* **Lovable URLs and identifiers** you may need to enter in the IdP.

Use the reference below while configuring OIDC or SAML in your IdP.

<Tabs>
  <Tab title="OIDC">
    * Application type: `Web Application`
    * Grant type: `Authorization Code`
    * Token method: `POST` (if configurable)
    * Redirect URI to copy and add to your IdP: `https://auth.lovable.dev/__/auth/handler`
    * OAuth scopes:
      * Required: `openid`, `email`
      * Recommended: `profile`
  </Tab>

  <Tab title="SAML">
    * ACS URL (Assertion Consumer Service): `https://auth.lovable.dev/__/auth/handler`
    * SP Entity ID / Audience URI: `https://auth.lovable.dev/__/auth/handler`
    * Attribute mappings:
      * `email` (required): ensure the format is set to `EmailAddress`
      * `displayName` (recommended): map to user's full name
      * `photoURL` (recommended): map to user's profile picture URL
  </Tab>
</Tabs>

## Provider-specific setup guides

If you use Okta, Auth0, or Microsoft Entra, you can find provider-specific documentation for setting up SSO. If you use another provider, see [Configure other providers](#configure-other-providers).

Before you begin, complete [Start SSO setup in Lovable](#start-sso-setup-in-lovable) to get the settings and values you need to use in your IdP.

For more information, refer to your IdP's official documentation.

### Configure Okta as your SSO provider

<Tabs>
  <Tab title="OIDC">
    <Steps>
      <Step title="Create an application in Okta">
        * Go to **Okta Admin Console → Applications**.
        * Click **Create App Integration** and select **OIDC**. Then select the **Web Application** application type.
        * Give the app a name, for example `Lovable OIDC SSO`.
      </Step>

      <Step title="Configure OIDC integration in Okta">
        * Set **Grant type** to `Authorization Code`.
        * Remove the default redirect URIs.
        * Add the Lovable redirect URL to Okta **Sign-in redirect URIs**: `https://auth.lovable.dev/__/auth/handler`
        * Select **Assignments**: assign the application to the users and groups who should access Lovable.
      </Step>

      <Step title="Save application">
        Click **Save**. Your application is now created in Okta.
      </Step>

      <Step title="Configure Okta Issuer URL">
        In Okta, go to **Sign On → OpenID Connect ID Token**, select **Okta URL** from the Issuer dropdown, and **Save**.
      </Step>

      <Step title="Provide Lovable with your IdP information">
        In Okta, copy the following value from the **Sign On** tab and enter it in Lovable.

        * Okta `Issuer URL` → Lovable `OIDC Issuer URL/Discovery Endpoint`

        In Okta, copy the following values from the **General** tab and enter them in Lovable.

        * Okta `Client ID` → Lovable `OAuth Client ID/Application ID`
        * Okta `Client Secret` → Lovable `OAuth Client Secret`
      </Step>

      <Step title="Configure display name and SSO login identifier (tenant ID)">
        In Lovable, update these values as desired. The values are prepopulated based on your verified domain.

        * **Display name**: The name shown to users during authentication.
        * **SSO login identifier (tenant ID)**: The `{tenantId}` segment of the URL users use to sign in directly with SSO (`https://lovable.dev/sso-login/{tenantId}`).
      </Step>

      <Step title="(Optional) Test the configuration in Lovable">
        In Lovable, click **Test configuration**. If everything is configured correctly, the validation should be successful.
      </Step>

      <Step title="Finish OIDC provider configuration in Lovable">
        In Lovable, click **Configure provider** to finish the configuration of Okta as your OIDC SSO provider.
      </Step>
    </Steps>
  </Tab>

  <Tab title="SAML">
    <Steps>
      <Step title="Create an application in Okta">
        * Go to **Okta Admin Console → Applications**.
        * Click **Create App Integration** and select **SAML 2.0**.
        * Give the app a name, for example `Lovable SAML SSO`.
      </Step>

      <Step title="Configure SAML settings in Okta">
        * Single sign-on URL: `https://auth.lovable.dev/__/auth/handler`
        * Audience URI (SP Entity ID): `https://auth.lovable.dev/__/auth/handler`
        * Name ID format: `EmailAddress`
      </Step>

      <Step title="Save application">
        Click **Finish**. Your application is now created in Okta.
      </Step>

      <Step title="Provide Lovable with your IdP information">
        In Okta, go to **Sign On → SAML 2.0 → Metadata details**, and copy the **Metadata URL**.

        In Lovable, choose between quick SAML provider setup or manual configuration:

        **Option 1: Quick setup - import from metadata URL**

        In Lovable, paste the metadata URL in the **Quick setup: Import from Metadata URL** field. Click **Test & Import** to automatically populate the required fields below.

        **Option 2: Manual configuration**

        Open the metadata URL in a new tab. Copy the following values from the metadata document and enter them in Lovable:

        * Okta `SingleSignOnService Location` → Lovable `SAML SSO Sign-on URL from your IdP`
        * Okta `EntityID` → Lovable `Identity Provider Entity ID / Issuer`
        * Okta `X509Certificate` → Lovable `X.509 Signing Certificate (public key)`
          <Note>
            Paste the certificate value between the `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----` lines.
          </Note>
      </Step>

      <Step title="Configure display name and SSO login identifier (tenant ID)">
        In Lovable, update these values as desired. The values are prepopulated based on your verified domain.

        * **Display name**: The name shown to users during authentication.
        * **SSO login identifier (tenant ID)**: The `{tenantId}` segment of the URL users use to sign in directly with SSO (`https://lovable.dev/sso-login/{tenantId}`).
      </Step>

      <Step title="Finish SAML provider configuration in Lovable">
        In Lovable, click **Configure SAML Provider → Confirm & Enable SSO** to finish the configuration of Okta as your SAML SSO provider.
      </Step>
    </Steps>
  </Tab>
</Tabs>

### Configure Auth0 as your SSO provider

<Tabs>
  <Tab title="OIDC">
    <Steps>
      <Step title="Create an application in Auth0">
        * Go to **Auth0 Admin Dashboard → Applications**.
        * Click **Create application**. Select the **Regular Web Applications** application type.
        * Give the app a name, for example `Lovable OIDC SSO`.
        * Click **Create**.
      </Step>

      <Step title="Configure Allowed Callback URLs">
        * In Auth0, go to your application settings.
        * Add the **Allowed Callback URLs**: `https://auth.lovable.dev/__/auth/handler`
        * Click **Save**.
      </Step>

      <Step title="Provide Lovable with your IdP information">
        In Auth0, copy the following values from the **Settings** tab and enter them in Lovable.

        * Auth0 `Domain` → Lovable `OIDC Issuer URL/Discovery Endpoint` (include `https://`)
        * Auth0 `Client ID` → Lovable `OAuth Client ID/Application ID`
        * Auth0 `Client Secret` → Lovable `OAuth Client Secret`
      </Step>

      <Step title="Configure display name and SSO login identifier (tenant ID)">
        In Lovable, update these values as desired. The values are prepopulated based on your verified domain.

        * **Display name**: The name shown to users during authentication.
        * **SSO login identifier (tenant ID)**: The `{tenantId}` segment of the URL users use to sign in directly with SSO (`https://lovable.dev/sso-login/{tenantId}`).
      </Step>

      <Step title="(Optional) Test configuration in Lovable">
        In Lovable, click **Test configuration**. If you configured everything accurately, the validation should be successful.
      </Step>

      <Step title="Finish OIDC provider configuration in Lovable">
        In Lovable, click **Configure provider** to finish the configuration of Auth0 as your OIDC SSO provider.
      </Step>
    </Steps>
  </Tab>

  <Tab title="SAML">
    <Steps>
      <Step title="Create an application in Auth0">
        * Go to **Auth0 Admin Dashboard → Applications**.
        * Click **Create application**. Select the **Regular Web Applications** application type.
        * Give the app a name, for example `Lovable SAML SSO`.
        * Click **Create**.
      </Step>

      <Step title="Configure Allowed Callback URLs">
        * In Auth0, go to your application settings.
        * Add the **Allowed Callback URLs**: `https://auth.lovable.dev/__/auth/handler`
        * Click **Save**.
      </Step>

      <Step title="Configure SAML2 Web App Add-on">
        * In Auth0, navigate to **Addons**, and enable **SAML2 Web app**.
        * In **Addon: SAML2 Web app → Settings**, set:
          * Application Callback URL: `https://auth.lovable.dev/__/auth/handler`
          * Settings: paste the following `mappings` JSON

        ```json theme={null}
        {
          "mappings": {
            "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
          },
          "nameIdentifierFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
        }
        ```

        * Click **Enable.**
      </Step>

      <Step title="Provide Lovable with your IdP information">
        In Lovable, choose between quick SAML provider setup or manual configuration:

        **Option 1: Quick setup - import from metadata URL**

        * In **Auth0 → Addon: SAML2 Web app → Usage**, locate the **Identity Provider Metadata**, and click the arrow icon to get the URL.
        * In Lovable, paste the metadata URL in **Quick setup: Import from Metadata URL** field.
        * Click **Test & Import** to automatically populate the required fields below.

        **Option 2: Manual configuration**

        In **Auth0 → Addon: SAML2 Web app → Usage**, copy the following **SAML Protocol Configuration Parameter** values and enter them in Lovable.

        * Auth0 `Identity Provider Login URL` → Lovable `SAML SSO Sign-on URL from your IdP`
        * Auth0 `Issuer` → Lovable `Identity Provider Entity ID / Issuer`
        * Auth0 `Identity Provider Certificate` (`X509Certificate`) → Lovable `X.509 Signing Certificate (public key)`
          <Note>
            Download the Auth0 certificate and copy the `X509Certificate` value. Paste the certificate value between the `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----` lines.
          </Note>
      </Step>

      <Step title="Configure display name and SSO login identifier (tenant ID)">
        In Lovable, update these values as desired. The values are prepopulated based on your verified domain.

        * **Display name**: The name shown to users during authentication.
        * **SSO login identifier (tenant ID)**: The `{tenantId}` segment of the URL users use to sign in directly with SSO (`https://lovable.dev/sso-login/{tenantId}`).
      </Step>

      <Step title="Finish SAML provider configuration in Lovable">
        In Lovable, click **Configure SAML Provider → Confirm & Enable SSO** to finish the configuration of Auth0 as your SAML SSO provider.
      </Step>
    </Steps>
  </Tab>
</Tabs>

### Configure Microsoft Entra ID as your SSO provider

<Tabs>
  <Tab title="OIDC">
    <Steps>
      <Step title="Create an app registration in Microsoft Entra ID">
        * Go to **Microsoft Entra admin center → App registrations → New registration**.
        * Give the app a name, for example `Lovable OIDC SSO`.
        * Configure **Redirect URI**:
          * Select **Platform** as `Web`.
          * Paste the redirect URL `https://auth.lovable.dev/__/auth/handler` and click **Save**.
        * Click **Register**.
      </Step>

      <Step title="Configure the optional claims">
        * In Microsoft Entra, go to **Token configuration → Add optional claim**.
        * Select **ID token** and add the `email` claim.
        * Click **Add**.
      </Step>

      <Step title="Configure the API permissions">
        * In Microsoft Entra, go to **API permissions → Add a permission → Microsoft Graph**.
        * Select **Delegated permissions** and add:
          * `email`
          * `openid`
          * `profile`
        * Click **Add permissions**.
      </Step>

      <Step title="Provide Lovable with your IdP information">
        In Lovable, enter the following:

        * `OIDC Issuer URL/Discovery Endpoint`: format the URL as `https://login.microsoftonline.com/{TENANT_ID}/v2.0`
          <Info>
            Replace `{TENANT_ID}` with the **Directory (tenant) ID** from the **Overview** page in Microsoft Entra.
          </Info>

        In Microsoft Entra, copy the **client ID** value from the **Overview** page and enter it in Lovable.

        * Microsoft Entra `Application (Client) ID` → Lovable `OAuth Client ID/Application ID`

        In Microsoft Entra, configure the **client secret** and enter it in Lovable.

        * Go to **Certificates & secrets → New client secret**.
        * Create a secret, and copy the secret value immediately (it won't be shown again).
        * Paste the Microsoft Entra `Client secret` → Lovable `OAuth Client Secret`
      </Step>

      <Step title="Configure display name and SSO login identifier (tenant ID)">
        In Lovable, update these values as desired. The values are prepopulated based on your verified domain.

        * **Display name**: The name shown to users during authentication.
        * **SSO login identifier (tenant ID)**: The `{tenantId}` segment of the URL users use to sign in directly with SSO (`https://lovable.dev/sso-login/{tenantId}`).
      </Step>

      <Step title="(Optional) Test configuration in Lovable">
        In Lovable, click **Test configuration**. If you configured everything accurately, the validation should be successful.
      </Step>

      <Step title="Finish OIDC provider configuration in Lovable">
        In Lovable, click **Configure provider** to finish the configuration of Microsoft Entra ID as your OIDC SSO provider.
      </Step>
    </Steps>
  </Tab>

  <Tab title="SAML">
    <Steps>
      <Step title="Create an enterprise app in Microsoft Entra ID">
        * Go to **Microsoft Entra ID admin center → Enterprise applications**, and select **New application**.
        * Select **Create your own application** and choose **Integrate any other application you don’t find in the gallery (Non-gallery)**.
        * Give the app a name, for example `Lovable SAML SSO`.
        * Click **Create**. Your application is now created.
      </Step>

      <Step title="Configure SAML SSO">
        In Microsoft Entra, navigate to the **Single sign-on** setup page and select **SAML**. Under **Basic SAML Configuration**, enter the following:

        * Identifier (Entity ID): `https://auth.lovable.dev/__/auth/handler`
        * Reply URL (Assertion Consumer Service URL): `https://auth.lovable.dev/__/auth/handler`

        Leave the other values blank and select **Save**.
      </Step>

      <Step title="Provide Lovable with your IdP information">
        When the application is set up in Microsoft Entra, you can choose between quick SAML provider setup or manual configuration in Lovable.

        **Option 1: Quick setup - import from metadata URL**

        * In Microsoft Entra, go to **SAML Certificates** and copy the **App Federation Metadata URL**.
        * In Lovable, paste the **App Federation Metadata URL** in the **Quick setup: Import from Metadata URL** field.
        * Click **Test & Import** to automatically populate the required fields below.

        **Option 2: Manual configuration**

        Copy the following values in Microsoft Entra and enter them in Lovable.

        * Microsoft Entra `Login URL` → Lovable `SAML SSO Sign-on URL from your IdP`
        * Microsoft Entra `Microsoft Entra Identifier` → Lovable `Identity Provider Entity ID / Issuer`
        * Microsoft Entra `X509Certificate` → Lovable `X.509 Signing Certificate (public key)`
          <Note>
            You can download the certificate (Base64) or open the `App Federation Metadata URL` in a new tab and copy the `X509Certificate` value. Paste the certificate value between the `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----` lines.
          </Note>
      </Step>

      <Step title="Configure display name and SSO login identifier (tenant ID)">
        In Lovable, update these values as desired. The values are prepopulated based on your verified domain.

        * **Display name**: The name shown to users during authentication.
        * **SSO login identifier (tenant ID)**: The `{tenantId}` segment of the URL users use to sign in directly with SSO (`https://lovable.dev/sso-login/{tenantId}`).
      </Step>

      <Step title="Finish SAML provider configuration in Lovable">
        In Lovable, click **Configure SAML Provider → Confirm & Enable SSO** to finish the configuration of Microsoft Entra ID as your SAML SSO provider.
      </Step>
    </Steps>
  </Tab>
</Tabs>

## Configure other providers

You can configure any provider that supports OIDC or SAML 2.0 with Lovable SSO.

Before you begin, complete [Start SSO setup in Lovable](#start-sso-setup-in-lovable) to get the settings and values you need to use in your IdP.

<Tabs>
  <Tab title="OIDC">
    **Provider mapping**

    Common field names across providers:

    * Redirect URI: `Callback URL`, `Sign-in redirect URI`
    * Issuer/Domain: `Issuer URL`, `Authority`, `Okta domain`, `Auth0 domain`, `Tenant domain`
    * Client credentials: `Client ID` and `Client Secret`

    **Steps**

    <Steps>
      <Step title="Create an OIDC confidential app">
        Create a new OIDC Web application in your identity provider.
      </Step>

      <Step title="Configure redirect URI">
        In Redirect/Callback URLs, add `https://auth.lovable.dev/__/auth/handler`.
      </Step>

      <Step title="Enable required scopes">
        Ensure the `openid` and `email` scopes are enabled and, if your IdP requires admin consent, consented.
      </Step>

      <Step title="Provide Lovable with your IdP information">
        In your IdP, locate the corresponding values and enter them in Lovable:

        * `Domain` or `Issuer URL` → Lovable `OIDC Issuer URL/Discovery Endpoint`
        * `Client ID` → Lovable `OAuth Client ID/Application ID`
        * `Client Secret` → Lovable `OAuth Client Secret`
      </Step>

      <Step title="Configure display name and SSO login identifier (tenant ID)">
        In Lovable, update these values as desired. The values are prepopulated based on your verified domain.

        * **Display name**: The name shown to users during authentication.
        * **SSO login identifier (tenant ID)**: The `{tenantId}` segment of the URL users use to sign in directly with SSO (`https://lovable.dev/sso-login/{tenantId}`).
      </Step>
    </Steps>
  </Tab>

  <Tab title="SAML">
    **Provider mapping**

    Common field names across providers:

    * ACS URL: `Single Sign-On URL`, `SSO URL`, `Reply URL`, `Assertion Consumer Service URL`
    * Audience: `SP Entity ID`, `Audience URI`, `Identifier`
    * Attribute mapping: `Attribute Statements`, `User Attributes & Claims`

    **Steps**

    <Steps>
      <Step title="Create a SAML 2.0 application">
        Create a new SAML 2.0 application in your provider.
      </Step>

      <Step title="Configure endpoints">
        * ACS URL: `https://auth.lovable.dev/__/auth/handler`
        * Audience / Entity ID: `https://auth.lovable.dev/__/auth/handler`
      </Step>

      <Step title="Map attributes">
        Ensure `email` is included in the SAML assertion. `displayName` is optional.
      </Step>

      <Step title="Assign users">
        Assign the application to users/groups who should access Lovable.
      </Step>

      <Step title="Provide Lovable with your IdP information">
        In Lovable, choose between quick SAML provider setup or manual configuration:

        **Option 1: Quick setup - import from metadata URL**

        * In your IdP, locate your SAML metadata URL (typically found in the SAML application settings or metadata details).
        * In Lovable, paste the metadata URL in the **Quick setup: Import from Metadata URL** field.
        * Click **Test & Import** to automatically populate the required fields below.

        **Option 2: Manual configuration**

        In your IdP, locate the corresponding values and enter them in Lovable:

        * `Login URL` → Lovable `SAML SSO Sign-on URL from your IdP`
        * `Identifier/Issuer/Entity ID` → Lovable `Identity Provider Entity ID / Issuer`
        * `X509Certificate` → Lovable `X.509 Signing Certificate (public key)`
      </Step>

      <Step title="Configure display name and SSO login identifier (tenant ID)">
        In Lovable, update these values as desired. The values are prepopulated based on your verified domain.

        * **Display name**: The name shown to users during authentication.
        * **SSO login identifier (tenant ID)**: The `{tenantId}` segment of the URL users use to sign in directly with SSO (`https://lovable.dev/sso-login/{tenantId}`).
      </Step>
    </Steps>
  </Tab>
</Tabs>
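As an added example (not Lovable's own code), the script below does by hand what **Test & Import** does for the manual-configuration step above: it reads IdP metadata and pulls out the Entity ID, the `SingleSignOnService` Location, and the signing `X509Certificate` body you paste between the `BEGIN`/`END CERTIFICATE` lines, then flags the conditions behind a missing email claim or invalid provider credentials. The sample metadata, `entityID`, URLs and certificate bytes are constructed placeholders.

```python
"""Extract the three Lovable manual-configuration values from IdP SAML metadata (added example)."""
import base64
import xml.etree.ElementTree as ET  # fine for metadata fetched from your own IdP over HTTPS; use defusedxml for untrusted XML

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample in the shape Okta publishes at its Metadata URL. The entityID and Location are
# placeholders, and the "certificate" is just base64 of the DER bytes 30 03 02 01 01, not a real cert.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://www.okta.com/exkPLACEHOLDER">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>
          MAMC
          AQE=
        </ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example-org.okta.com/app/PLACEHOLDER/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example-org.okta.com/app/PLACEHOLDER/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def normalize_certificate(text):
    """Return the bare base64 body to paste between the BEGIN/END CERTIFICATE lines in Lovable.

    Accepts the wrapped X509Certificate text from metadata or a downloaded Base64 .cer with PEM armor.
    """
    body = "".join(line for line in text.splitlines() if not line.strip().startswith("-----"))
    body = "".join(body.split())  # metadata wraps the base64 across lines and indents it
    try:
        der = base64.b64decode(body, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError(f"certificate is not valid base64: {exc}") from None
    if der[:1] != b"\x30":  # a DER certificate is an ASN.1 SEQUENCE
        raise ValueError("decoded certificate is not DER-encoded")
    return body


def to_pem(body):
    """PEM-armor the body so you can inspect it with openssl (subject, expiry) before pasting."""
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def extract_idp_values(metadata_xml):
    """Map IdP metadata to the three Lovable manual-configuration fields."""
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        root = root.find("md:EntityDescriptor", NS)  # some IdPs wrap it in EntitiesDescriptor
    if root is None:
        raise ValueError("no EntityDescriptor in metadata")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor; this looks like SP metadata, not IdP metadata")
    services = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    sso_url = services.get(REDIRECT_BINDING) or next(iter(services.values()), None)
    cert = None
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):  # Lovable wants the signing certificate, not an encryption one
            node = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            if node is not None and node.text:
                cert = normalize_certificate(node.text)
                break
    return {
        "entity_id": root.get("entityID"),  # -> Identity Provider Entity ID / Issuer
        "sso_url": sso_url,                 # -> SAML SSO Sign-on URL from your IdP
        "certificate_b64": cert,            # -> X.509 Signing Certificate (public key)
        "nameid_formats": [n.text.strip() for n in idp.findall("md:NameIDFormat", NS) if n.text],
    }


def check_for_lovable(values):
    """Problems that later surface as 'Email claim missing' or 'Provider credentials invalid'."""
    problems = []
    if not values["entity_id"]:
        problems.append("entity_id: metadata has no entityID")
    if not values["sso_url"] or not values["sso_url"].startswith("https://"):
        problems.append("sso_url: SingleSignOnService Location missing or not https")
    if values["certificate_b64"] is None:
        problems.append("certificate: no signing X509Certificate in metadata")
    if values["nameid_formats"] and EMAIL_NAMEID not in values["nameid_formats"]:
        problems.append("nameid: IdP does not advertise the emailAddress Name ID format; set it to EmailAddress")
    return problems
```

With a real certificate, write `to_pem(...)` to a file and run `openssl x509 -in idp.pem -noout -enddate` to see when the IdP signing certificate expires, which is when you will need to update it in Lovable.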

## Troubleshooting

<Tabs>
  <Tab title="OIDC">
    <AccordionGroup>
      <Accordion title="Invalid or mismatched Redirect URI">
        Ensure the redirect/callback URL exactly matches `https://auth.lovable.dev/__/auth/handler` in your IdP.
      </Accordion>

      <Accordion title="Issuer URL / discovery fails">
        Use the provider's OIDC Issuer URL (not just the domain).

        * For Okta, copy the Issuer URL from the **Sign On** tab.
        * For Auth0, use your tenant domain prefixed with `https://`.
      </Accordion>

      <Accordion title="Email not returned">
        Grant the `email` scope and ensure the user account has a primary email.
      </Accordion>

      <Accordion title="Authorization flow issues">
        Use `Authorization Code` with a confidential client and client secret. Avoid implicit or PKCE-only app types.
      </Accordion>
    </AccordionGroup>
  </Tab>

  <Tab title="SAML">
    <AccordionGroup>
      <Accordion title="Invalid ACS or Audience">
        Ensure both ACS and Audience/Entity ID exactly match `https://auth.lovable.dev/__/auth/handler` in your IdP.
      </Accordion>

      <Accordion title="Email claim missing">
        Make sure to map an email claim.

        For Microsoft Entra ID, map `email` to `user.mail`. If `user.mail` is empty, use `user.userprincipalname`.
      </Accordion>

      <Accordion title="Provider credentials invalid">
        Paste the correct `X.509` certificate. If the certificate rotates, update it in Lovable.
      </Accordion>
    </AccordionGroup>
  </Tab>
</Tabs>
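As an added example (not part of the Lovable docs or product), the script below resolves an issuer's OIDC discovery document and applies the checks behind the OIDC troubleshooting entries above: an `https://` issuer that matches the document exactly, Authorization Code support with a client secret sent by POST, and the `openid` and `email` scopes. The discovery documents and hostnames in it are constructed placeholders.

```python
"""Check an OIDC issuer before pasting it into Lovable (added example, not Lovable code)."""
import json
import sys
import urllib.request
from urllib.parse import urlparse

# Constructed discovery document in the shape an Okta org returns; the hostname is a placeholder.
OKTA_DISCOVERY = {
    "issuer": "https://example-org.okta.com",
    "authorization_endpoint": "https://example-org.okta.com/oauth2/v1/authorize",
    "token_endpoint": "https://example-org.okta.com/oauth2/v1/token",
    "jwks_uri": "https://example-org.okta.com/oauth2/v1/keys",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "grant_types_supported": ["authorization_code", "implicit", "refresh_token"],
    "scopes_supported": ["openid", "email", "profile", "address", "phone"],
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post", "none"],
}

# Constructed document for a misconfigured authorization server: implicit-only, no POST client
# authentication, and no email scope. Each of these maps to a troubleshooting entry above.
IMPLICIT_ONLY_DISCOVERY = {
    **OKTA_DISCOVERY,
    "response_types_supported": ["id_token", "id_token token"],
    "grant_types_supported": ["implicit"],
    "scopes_supported": ["openid", "profile"],
    "token_endpoint_auth_methods_supported": ["private_key_jwt"],
}


def discovery_url(issuer):
    """Lovable resolves the issuer, not the bare domain: <issuer>/.well-known/openid-configuration.

    For Microsoft Entra ID this is https://login.microsoftonline.com/{TENANT_ID}/v2.0 with the tenant GUID.
    """
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def fetch_discovery(issuer, timeout=10):
    with urllib.request.urlopen(discovery_url(issuer), timeout=timeout) as resp:
        return json.load(resp)


def check_issuer(issuer, doc):
    """Return tagged problems; an empty list means the issuer is ready to paste into Lovable."""
    problems = []
    if urlparse(issuer).scheme != "https":
        problems.append("scheme: issuer must start with https:// (Auth0 shows only the tenant domain; add the prefix)")
    # OIDC Discovery requires the document's issuer to equal the URL you configured.
    # Auth0 publishes its issuer with a trailing slash, so compare without it.
    if doc.get("issuer", "").rstrip("/") != issuer.rstrip("/"):
        problems.append(f"issuer: document says {doc.get('issuer')!r}, configured {issuer!r}")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if not doc.get(key):
            problems.append(f"endpoint: {key} missing from discovery document")
    # Lovable uses the Authorization Code grant with a confidential client (client ID + secret).
    if "code" not in doc.get("response_types_supported", []):
        problems.append("grant: response_type 'code' not supported; the app is implicit/PKCE-only")
    grants = doc.get("grant_types_supported")
    if grants is not None and "authorization_code" not in grants:
        problems.append("grant: authorization_code grant not supported")
    # The reference above asks for Token method POST where the IdP lets you choose.
    methods = doc.get("token_endpoint_auth_methods_supported")
    if methods is not None and "client_secret_post" not in methods:
        problems.append("token_method: client_secret_post not advertised; set Token method to POST in your IdP")
    scopes = doc.get("scopes_supported")
    if scopes is not None:
        for scope in ("openid", "email"):
            if scope not in scopes:
                problems.append(f"scope: required scope '{scope}' not offered; the email claim will be missing")
    return problems


if __name__ == "__main__":
    configured = sys.argv[1]  # e.g. https://your-org.okta.com (hypothetical)
    for problem in check_issuer(configured, fetch_discovery(configured)) or ["ok"]:
        print(problem)
```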

## FAQ

<AccordionGroup>
  <Accordion title="I already have an account, but I'm joining a business workspace that uses SSO. How do I log in?">
    If you created your account using another login method (like email/password, Google, or GitHub), you need to log in that way **first**. Once you're logged in, navigate to **Settings → Your account → Link SSO**. This will link your existing account to your company SSO.

    <Note>
      **Important:** If you attempt to log in with SSO before linking your existing account, you'll see an error. This is a security measure to prevent unauthorized access. Log in using your original method first to complete the linking process.
    </Note>
  </Accordion>

  <Accordion title="Which SSO providers does Lovable support?">
    Lovable supports the industry-standard OIDC and SAML protocols, so you can integrate with any SSO provider that supports them.
  </Accordion>

  <Accordion title="Does Lovable support multiple SSO providers per workspace?">
    No. A workspace can have **one active SSO provider** configured at a time.
  </Accordion>

  <Accordion title="Can I enforce SSO for my workspace?">
    Yes. The workspace **owner** or **admin** can enable **Enforce SSO** in **Settings → Workspace → Identity** and choose the **session duration** to configure how long users stay signed in before requiring re-authentication (24 hours, 48 hours, or 7 days).

    This requires all workspace members to use SSO for authentication. External collaborators and invite links will be disabled.
  </Accordion>

  <Accordion title="Does Lovable support IdP-initiated SSO?">
    No. **IdP-initiated SSO** (starting from an IdP dashboard tile) is not supported.

    Lovable supports **SP-initiated sign-in only**. Users must start sign-in from Lovable.
  </Accordion>

  <Accordion title="Does Lovable support just-in-time (JIT) provisioning with SSO?">
    Yes, Lovable supports **JIT (just-in-time) provisioning** through SSO. User accounts are created automatically the first time someone signs in via SSO, and they’re added to your company workspace.

    You can also set a **default role for JIT-created users** (admin, editor, or viewer) that will be applied when they join via SSO for the first time.
  </Accordion>

  <Accordion title="Does Lovable support SCIM or automatic user provisioning?">
    Yes. Lovable supports **SCIM provisioning** for automated user provisioning and deprovisioning on the **Enterprise plan**.

    With SCIM, user creation, removal, and role assignment are managed centrally from your identity provider based on assignments and group membership.

    See [Set up SCIM user provisioning](/features/business/scim) for more information.
  </Accordion>

  <Accordion title="How can I find my tenant ID (SSO login identifier)?">
    Your tenant ID is the `{tenantId}` value used in your **SSO login URL**:\
    `https://lovable.dev/sso-login/{tenantId}`. It matches the **SSO login identifier** you configured when setting up your SSO provider in Lovable.

    You can also find it in **Settings → Workspace → Identity** after you have configured your provider.
  </Accordion>

  <Accordion title="How can I edit my SSO provider configuration?">
    You cannot edit your configured SSO provider. To make any updates, you first need to delete the existing SSO provider and then configure it again.
  </Accordion>
</AccordionGroup>
