# SSO

<div align="left"><figure><img src="https://1182587842-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHyzvhgDL3TrE6D5Hun93%2Fuploads%2F1udgJ676PFsUgTTJRG7s%2Faivoiceplus_sso_gamified_how-to-use.png?alt=media&#x26;token=e6cc156e-33f7-484f-84b3-0f314dd395f2" alt=""><figcaption></figcaption></figure></div>

> ### An *<mark style="color:purple;">SSO</mark>*, aka *<mark style="color:purple;">Single Sign-On</mark>*, is an authentication method that allows a user to *<mark style="color:purple;">log in once with a single set of credentials</mark>* and access multiple applications or services.

> ### This *<mark style="color:purple;">eliminates the need to remember multiple usernames and passwords for different accounts</mark>*, increasing convenience and security by reducing the risk of password fatigue and weak or reused credentials.

### *<mark style="color:purple;">How</mark>* It Works

* **User login**: A user logs into the first application (the identity provider) with their single set of credentials.
* **Authentication**: The identity provider authenticates the user and generates a secure digital "token" that proves their identity.
* **Access**: When the user tries to access another connected application (a service provider, such as our AI Voice+ app), the browser sends the token to that service.
* **Verification**: The service provider (that's us in our case) verifies the token with the identity provider and grants the user access without requiring them to log in again.

### Key *<mark style="color:purple;">Benefits</mark>*

* **For users**: Simplifies access to multiple applications, saving time and frustration from remembering numerous passwords.
* **For organizations**: Reduces the risk of security breaches from weak or forgotten passwords, improves productivity, and allows for centralized management of user access.

### Common *<mark style="color:purple;">Examples</mark>*

* **Enterprise use**: Employees logging into a single portal to access various corporate applications like email, CRM, and HR systems. For example, AI Voice+ provides the key endpoint into our app for you as the end user.
* **Consumer use**: Using a Google or Apple account to sign into multiple third-party apps and websites, if your IdP (aka your organization/company) has set up OAuth2 for Google, Apple, Microsoft, etc.

### *<mark style="color:purple;">Easy</mark>*. In-App. *<mark style="color:purple;">Setup</mark>*.

<div align="left"><figure><img src="https://1182587842-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHyzvhgDL3TrE6D5Hun93%2Fuploads%2FNvr5gOE5NBdurar8vo7W%2Faivoiceplus_sso.png?alt=media&#x26;token=7d16c599-a2c7-453c-9f27-c2ce99c7bab4" alt=""><figcaption></figcaption></figure></div>

<div align="left"><figure><img src="https://1182587842-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHyzvhgDL3TrE6D5Hun93%2Fuploads%2FDJVAOgH6rvKVsG4FnQGo%2Faivoiceplus_sso_main.png?alt=media&#x26;token=b75dbfb2-146f-4691-a44b-fc964cbe4fc3" alt=""><figcaption></figcaption></figure></div>

<div align="left"><figure><img src="https://1182587842-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHyzvhgDL3TrE6D5Hun93%2Fuploads%2F17yd5ezdOynOqPX0oEdU%2Faivoiceplus_sso.png?alt=media&#x26;token=cd2fc21f-5a19-4230-a4b2-f2cb816acb04" alt=""><figcaption></figcaption></figure></div>

### ...*<mark style="color:purple;">more</mark>* info

* **Hybrid SSO (SAML/OIDC)** — Organizations can connect their own Identity Providers (Okta, Authentik, Azure AD, etc.) via OIDC. SSO is triggered automatically by domain detection on the login page.
* **SSO Domain Detection** — As users type their email, the login form checks the domain against `Organization SSO Providers`; a branded "Sign in with \[Provider]" banner appears on match.
* **SSO Edge Functions** — `SSO Authorize` generates the OIDC authorization URL with HMAC-SHA256 signed state (CSRF protection, 10-minute TTL); `SSO Callback` verifies the signed state, handles code exchange, auto-provisions new users, links them to organizations, and signs them in via magic links.
* **SSO Security Hardening** — Redirect URI validation against allowed origins whitelist; domain format regex validation; scalable user lookup via profiles (not `listUsers()`); defense-in-depth org re-derivation from email domain; existing user org linkage on SSO login; `UNIQUE` partial index on `SSO Domain` prevents domain collisions.
* **SSO Admin Settings** — Organization admins configure OIDC settings (Issuer URL, Client ID, Client Secret, scopes, SSO domain) from Settings → SSO with a dedicated management UI.
* **Gamified SSO Setup Guide** — Interactive 5-step "How to Use" roadmap with XP tracking, progress bar, completion badges, confetti celebration, and localStorage persistence to guide admins through IdP configuration.
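
The signed `state` (HMAC-SHA256, 10-minute TTL) and the redirect URI origin check described in the SSO Edge Functions and SSO Security Hardening items, shown as an added Node.js example. This is not AI Voice+'s own code; the function names, the payload fields (`orgId`, `redirectUri`) and the token layout are assumptions.

```javascript
// Added illustration: function names, payload fields and token layout are assumptions.
const crypto = require("node:crypto");

const STATE_TTL_MS = 10 * 60 * 1000; // 10-minute TTL, as stated on the page

const b64url = (buf) => Buffer.from(buf).toString("base64url");
const mac = (body, secret) =>
  crypto.createHmac("sha256", secret).update(body).digest();

// Exact-origin match; prefix or substring checks would accept look-alike hosts.
function isAllowedRedirect(uri, allowedOrigins) {
  try {
    return allowedOrigins.includes(new URL(uri).origin);
  } catch {
    return false; // not an absolute URL
  }
}

// state = base64url(JSON payload) + "." + base64url(HMAC-SHA256(body))
function signState(fields, secret, now = Date.now()) {
  const body = b64url(JSON.stringify({
    ...fields,
    nonce: crypto.randomBytes(16).toString("hex"), // makes every state unique
    exp: now + STATE_TTL_MS,
  }));
  return `${body}.${b64url(mac(body, secret))}`;
}

// Returns the payload, or null if the state is malformed, forged or expired.
function verifyState(state, secret, now = Date.now()) {
  const parts = String(state).split(".");
  if (parts.length !== 2) return null;
  const [body, sig] = parts;
  const given = Buffer.from(sig, "base64url");
  const expected = mac(body, secret);
  // Length check first: timingSafeEqual throws on unequal lengths.
  if (given.length !== expected.length) return null;
  if (!crypto.timingSafeEqual(given, expected)) return null;
  // The body is parsed only after its MAC has been verified.
  const payload = JSON.parse(Buffer.from(body, "base64url").toString("utf8"));
  if (typeof payload.exp !== "number" || now >= payload.exp) return null;
  return payload;
}
```

The authorize step would call `isAllowedRedirect` before `signState`, and the callback step would call `verifyState` before exchanging the code.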

