> ## Documentation Index > Fetch the complete documentation index at: https://ngrok.com/docs/llms.txt > Use this file to discover all available pages before exploring further. # Single Sign-On and Provisioning to the ngrok Dashboard > Learn how to configure single sign-on for the ngrok dashboard using SAML or OpenID Connect identity providers. This page relates to using SSO and OAuth to sign into the ngrok dashboard. To require OAuth for traffic visiting your endpoints, see [the OAuth Traffic Policy action documentation](/traffic-policy/actions/oauth). You may configure your account to use one or more Single Sign-On (SSO) Identity Providers (IdPs). Once enabled, users can use the IdP to log into your ngrok dashboard. You may also configure enforcement settings to require that users must use SSO to log into your ngrok account. Once you have configured SSO, you may also enable [SCIM](#scim) to automate user provisioning of your ngrok account. Set up SSO on the [Account Settings page](https://dashboard.ngrok.com/settings) of your ngrok dashboard. ## Verified identity providers ngrok supports identity providers that support either SAML or OpenID Connect for SSO. The following table lists the identity providers that are verified to work with SSO for your ngrok account. | Identity Provider | Guides to get started | | ----------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Okta | [ngrok's Dashboard SSO guide](/integrations/dashboard-sso/okta-dashboard-sso-oidc) and [SCIM provisioning](/integrations/dashboard-sso/okta-dashboard-sso-scim) | | Microsoft AzureAD | [ngrok's Dashboard SSO with SAML guide](/integrations/endpoint-sso/microsoft-sso-saml) and the [official documentation](https://learn.microsoft.com/en-us/entra/architecture/auth-saml) | | Salesforce | [ngrok's Dashboard SSO with Salesforce OAuth and OIDC guide](/integrations/dashboard-sso/salesforce-dashboard-sso-oidc) and the [official documentation](https://developer.salesforce.com/docs/atlas.en-us.api_rest.meta/api_rest/intro_oauth_and_connected_apps.htm) | | Auth0 | [ngrok's Dashboard SSO with Auth0 SAML guide](/integrations/dashboard-sso/auth0-dashboard-sso-saml) and the [official documentation](https://auth0.com/docs/quickstart/native/device/interactive) | ## Enforcement Your account sets an SSO Enforcement policy which controls whether users are required to log in with SSO. **Mixed Mode**: In mixed mode, users who existed on your account before you set up SSO may continue using their existing credentials to log in. All new users will be required to use SSO. **SSO Enforced**: In SSO enforced mode, all users must use your SSO IdP to log in and their existing credentials will no longer allow them to log into your account. Keep in mind that after you add an IdP, your account is still in Mixed Mode and users can continue to log in with their previous credentials. Once you are confident that your SSO integration is configured correctly, you can switch to SSO Enforced mode. This helps you avoid inadvertently locking yourself or your users out of the account. ## IdP-initiated login ngrok supports IdP-initiated login flows for SAML IdPs. An IdP-initiated login flow is one in which users can log into your ngrok account by clicking on a link in your IdP's dashboard. You may enable IdP-initiated login on a per-IdP basis. The OpenID Connect protocol does not support IdP-Initiated login so it is not supported for IdPs you connect that way. ## User provisioning When using SSO, you may configure how users are provisioned and deprovisioned from your ngrok account. You may configure your account to provision users in one of three modes: * Explicitly invited by an existing member of your account * Just-in-time (JiT) provisioned after they successfully log in with SSO * Managed via your IdP's [SCIM integration](#scim). It is recommended that you choose either JiT or SCIM. See [User Provisioning](/iam/users/#provisioning) for more details. ## Multiple IdPs You may configure multiple IdPs to use for SSO. If you do, when a user tries to log in, they will be presented with a choice of which provider to use to log in. The description provided when configuring the IdP in your account will be displayed to the user here and can be used to distinguish similar providers. ## SCIM ngrok supports a limited subset of [RFC 7644](https://datatracker.ietf.org/doc/html/rfc7644) to enable SCIM provisioning and deprovisioning. ngrok's SCIM implementation works with major IdPs like Okta and Microsoft Entra ID. ngrok's SCIM API Base URL is: ``` https://api.ngrok.com/scim/v2/ ``` Your IdP will authenticate to ngrok's SCIM API with [API Keys](/api/#authentication) like any other ngrok API client. If you use [API IP Restrictions](/api/#ip-restrictions) with SCIM, ensure that your IdP's SCIM client IPs are allowed. ngrok does not support SCIM provisioning of users with passwords for authentication. For that reason, you must first configure an SSO Identity Provider before you can configure a SCIM integration. ngrok's SCIM implementation is limited to the operations necessary to support user provisioning and deprovisioning. For instance, it does not implement bulk operations or change password behavior, sorting, or etags. It does not support Groups. ngrok's SCIM implementation supports three properties on the User schema: `userName`, `displayName`, and `active`. The `userName` property must be mapped to a user's email address. The `active` property can be used to control whether a [user is disabled](/iam/users/#disabling). `displayName` should be mapped to a user's full name. Consult the [SCIM Provisioning documentation](/iam/users/#scim) for additional details on how users are provisioned with SCIM. ## Pricing Dashboard Single Sign-On is available on the Pay-as-you-go plan with the SSO & RBAC add-on enabled. [Contact Support](mailto:support@ngrok.com) for SCIM availability.