> ## Documentation Index
> Fetch the complete documentation index at: https://wavecnct.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Single Sign-On (SAML)

> Let your team log in to Wave using your organization's identity provider

<Info>
  Available on the **Enterprise** plan.
</Info>

## Overview

SAML SSO lets your team log in to Wave through your organization's identity provider (IdP). Instead of managing a separate Wave password, users authenticate with the same credentials they use for everything else.

Wave supports **SAML 2.0** and works with any standards-compliant identity provider, including Okta, Microsoft Entra ID, Google Workspace, OneLogin, JumpCloud, and Ping Identity.

Wave also supports **OpenID Connect (OIDC)**. Contact [support@wavecnct.com](mailto:support@wavecnct.com) if you need a guide.

## How It Works

There are two login paths depending on whether the user already has a Wave account.

<Tip>
  Users can also initiate SSO directly with this URL: `https://app.wavecnct.com/auth/sso?org=YOUR_ORG_SLUG`. Replace `YOUR_ORG_SLUG` with your organization slug, found in your organization settings.
</Tip>

**No account yet**: The user clicks **Sign in with SSO** on the Wave login page and enters your organization's username. This username is found in your organization settings. Wave redirects them to your identity provider, they authenticate, and their account is created automatically on first login.

**Existing account with SSO enforced**: The user enters their email as usual. Wave detects that SSO is enforced for their organization and redirects them to your identity provider to authenticate.

<Tip>
  We recommend provisioning users in advance with [SCIM](/security/scim) so accounts are ready before your team logs in for the first time.
</Tip>

## Setup

SAML SSO is configured by the Wave team. To set it up:

<Steps>
  <Step title="Get Wave's SAML details">
    Contact your Wave account manager or [support@wavecnct.com](mailto:support@wavecnct.com). They will provide:

    * **ACS URL** (Assertion Consumer Service URL)
    * **Entity ID**
    * **Name ID Format**: Email address
  </Step>

  <Step title="Create a Wave app in your IdP">
    In your identity provider, create a new SAML 2.0 application for Wave. Use the ACS URL and Entity ID from the previous step.
  </Step>

  <Step title="Share your IdP metadata with Wave">
    Copy your identity provider's **SAML metadata URL** (or download the XML file) and send it to your Wave account manager.
  </Step>

  <Step title="Test and enable">
    Wave configures the connection. Test with a user before enabling SSO for your full organization.
  </Step>
</Steps>

## Enforcing SSO

Once SSO is enabled, you can enforce it so all users must log in through your identity provider. This disables password-based login for your organization.

Contact your Wave account manager to enforce SSO after testing is complete.