# Single sign on setup
> This bundle contains all pages in the Single sign on setup section.
> Source: https://www.union.ai/docs/v2/union/deployment/byoc/single-sign-on-setup/

=== PAGE: https://www.union.ai/docs/v2/union/deployment/byoc/single-sign-on-setup ===

# Single sign on setup

> **📝 Note**
>
> An LLM-optimized bundle of this entire section is available at [`section.md`](https://www.union.ai/docs/v2/union/deployment/byoc/section.md).
> This single file contains all pages in this section, optimized for AI coding agent context.

Union.ai authentication uses OAuth2 with Okta as the broker, and Okta supports SAML and OIDC-compliant identity providers (IdPs), which is how single sign on (SSO) is configured.

To enable SSO, create an app for your preferred identity provider and provide the associated secrets to the Union.ai team.
The team will then complete the process.

## Google OpenID Connect

To configure Google OpenID Connect, see **BYOC deployment > Single sign on setup > Google OpenID Connect**.

## Microsoft Entra ID (formerly Azure AD)

To configure Entra ID (Azure AD), see **BYOC deployment > Single sign on setup > Microsoft Entra ID (formerly Azure AD)**.

## Other identity providers

To configure other identity providers, see **BYOC deployment > Single sign on setup > Other identity providers**.

=== PAGE: https://www.union.ai/docs/v2/union/deployment/byoc/single-sign-on-setup/google-oidc ===

# Google OpenID Connect

To set up your Union.ai instance to use Google OpenID Connect as the identity provider, follow the directions below.

> [!NOTE] Google Documentation
> In this article, we cover the same steps as in the
> [OpenID Connect](https://developers.google.com/identity/openid-connect/openid-connect) Google documentation,
> but with additional directions specific to Union.ai.

## Setting up OAuth 2.0

First, select an existing project or set up a new project in the
[Google Cloud Console](https://console.cloud.google.com).

1. Navigate to the **Clients** section for [Google Auth Platform](https://console.cloud.google.com/auth/).

2. Click **CREATE CLIENT**. If this is your first client, you might need to provide additional app details. There is no special configuration needed from the Union.ai side.

3. Under **Create OAuth client ID**, select **Web application** as the application type and assign a name.

4. Under **Authorized redirect URIs**, add an entry with the following callback URI:
   `https://signin.hosted.unionai.cloud/oauth2/v1/authorize/callback`.

5. Click **Create**.

## Obtain OAuth 2.0 credentials

Next, retrieve your credentials: click your configured client and copy the values of **Client ID** and **Client secret** to a text file on your computer.

![OAuth 2.0 credentials](https://www.union.ai/docs/v2/union/_static/images/user-guide/data-plane-setup/single-sign-on-setup/google-oidc/oauth-credentials.png)

## Share the client ID and client secret securely with Union.ai

Finally, you will need to share the client ID and client secret securely with Union.ai:

1. Copy the public key provided by Union.ai here: 📥 [public-key.txt](/_static/public/public-key.txt)

2. Encrypt the text file containing the client ID and client secret to that public key with a PGP tool of your choice.

3. Share the encrypted message with the Union.ai team over Slack.

=== PAGE: https://www.union.ai/docs/v2/union/deployment/byoc/single-sign-on-setup/microsoft-entra-id ===

# Microsoft Entra ID (formerly Azure AD)

To set up your Union.ai instance to use Microsoft Entra ID as the identity provider, follow the directions below.

> [!NOTE] Microsoft documentation
> In this article, we cover the same steps as the
> [Quickstart: Register an application with the Microsoft identity platform](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app) Microsoft documentation, but with additional directions specific
> to Union.ai.

## Register an Entra ID application

1. Log into your Azure account with the Cloud Application Administrator role or a higher permission level.

1. In the identity drop-down at the top right of the page (labelled with the email address you are currently logged in as), select **Switch directory**, then select the directory in which you want to register this application.

1. Browse to **Identity > Applications > App registrations** and select **New registration**.

1. Under **Name**, enter an appropriate display name. For example, `Union.ai Production`.

1. Under **Supported account types**, select **Accounts in this organizational directory only**.

1. Under **Redirect URI (optional)**, select **Web** and enter the following URI:

   `https://signin.hosted.unionai.cloud/oauth2/v1/authorize/callback`

1. Click **Register**.

> [!NOTE] Make the app visible to users
> New app registrations are hidden from users by default. You must enable the app when you are ready for
> users to see it on their **My Apps** page.
> To enable the app, in the Microsoft Entra admin center, navigate to
> **Identity > Applications > Enterprise applications** and select the app.
> Then, on the **Properties** page, toggle **Visible to users?** to **Yes**.

## Copy the values needed by the Union.ai team

When registration finishes, the Microsoft Entra admin center will display the app registration's **Overview** page, from which you can copy the Application (client) ID, Directory (tenant) ID, and client secret needed by the Union.ai team.

### Application (client) ID and directory (tenant) ID

Copy the **Application (client) ID** and **Directory (tenant) ID** from the overview page to a text file on your computer.

![Application and directory ID](https://www.union.ai/docs/v2/union/_static/images/user-guide/data-plane-setup/single-sign-on-setup/microsoft-entra-id/entra-id-application-and-directory-id.png)

### Client secret

To get the **client secret**, on the overview page, go to **Client credentials** and click **Add a certificate or secret**.

![Client credentials](https://www.union.ai/docs/v2/union/_static/images/user-guide/data-plane-setup/single-sign-on-setup/microsoft-entra-id/entra-id-client-credentials.png)

On the subsequent page, under **Client secrets**, click **New client secret** to generate a new secret.
Copy the **Value** of this secret to a plain text file on your computer.

![Client secret](https://www.union.ai/docs/v2/union/_static/images/user-guide/data-plane-setup/single-sign-on-setup/microsoft-entra-id/entra-id-client-secret.png)

## Share the client secret securely with Union.ai

1. Copy the public key provided by Union.ai here: 📥 [public-key.txt](/_static/public/public-key.txt)

2. Go to [https://pgptool.net](https://pgptool.net/).

3. Click the **Encrypt (+Sign)** tab.

4. Enter the public key in the **Public Key (For Verification)** section.

5. Skip the **Private Key** section.

6. Enter the **client secret** in plain text and encrypt it.

7. Save the encrypted text to a file and share it with the Union.ai team over Slack.

8. Delete the **client secret** from the text file on your computer.

## Share the IDs with Union.ai

Share the **application (client) ID** and **directory (tenant) ID** with the Union.ai team over Slack.
These values do not have to be encrypted.

=== PAGE: https://www.union.ai/docs/v2/union/deployment/byoc/single-sign-on-setup/other-identity-providers ===

# Other identity providers

Depending on the type of identity provider you are using, open the appropriate directions below on the Okta site:

- [Okta-to-Okta](https://developer.okta.com/docs/guides/add-an-external-idp/oktatookta/main/)

- [OpenID Connect (OIDC)](https://developer.okta.com/docs/guides/add-an-external-idp/openidconnect/main/)

- [SAML 2.0](https://developer.okta.com/docs/guides/add-an-external-idp/saml2/main/)

Now, referencing those directions, follow the steps below:

1. Navigate to the section with the heading **Create an app at the Identity Provider**.

1. Complete all the steps in that section and make a note of the **application (client) ID**.

1. Where a callback URI needs to be specified, use `https://signin.hosted.unionai.cloud/oauth2/v1/authorize/callback`.

1. The last step in the setup will generate the **client secret**. Copy this value to a text file on your computer; it is shown only once.

## Share the client secret securely with the Union.ai team

1. Copy the public key provided by Union.ai here: 📥 [public-key.txt](/_static/public/public-key.txt)

2. Go to [https://pgptool.net](https://pgptool.net/).

3. Click the **Encrypt (+Sign)** tab.

4. Enter the public key in the **Public Key (For Verification)** section.

5. Skip the **Private Key** section.

6. Enter the **client secret** in plain text and encrypt it.

7. Save the encrypted text to a file and share it with the Union.ai team over Slack.

8. Delete the client secret from the text file on your computer.
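The encryption step above (and the equivalent steps on the Google OpenID Connect and Microsoft Entra ID pages) can be done locally with GnuPG instead of pasting the secret into a website. This is an added example, not Union.ai's own tooling; it assumes `gpg` (GnuPG 2.x) is installed, that `public-key.txt` was downloaded from the docs page, and that the secret was saved as `client-secret.txt`. The recipient is pinned by full fingerprint because the freshly imported key has no web-of-trust signatures.

```shell
#!/bin/sh
# Added example (not part of the Union.ai docs): encrypt the client-secret
# text file to the Union.ai public key with GnuPG, check the output really is
# an armored PGP message, then remove the plaintext (step 8 above).
# Assumptions: gpg 2.x is installed; public-key.txt and client-secret.txt are
# the files produced by the steps on this page.
set -eu

# Import public-key.txt into an isolated keyring and print the fingerprint of
# the imported key so the caller can pin the exact recipient key.
import_recipient() {
  pubkey="$1"; keyring="$2"
  mkdir -p "$keyring" && chmod 700 "$keyring"
  gpg --homedir "$keyring" --batch --quiet --import "$pubkey"
  gpg --homedir "$keyring" --batch --with-colons --list-keys \
    | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Encrypt plaintext file $1 to fingerprint $2 using keyring $3. Writes an
# ASCII-armored message to "$1.asc" and prints that path. --trust-model always
# is needed because the imported key is unsigned; pinning the full fingerprint
# (compare it against the one Union.ai gives you) is the compensating control.
encrypt_secret() {
  plaintext="$1"; fpr="$2"; keyring="$3"
  out="${plaintext}.asc"
  gpg --homedir "$keyring" --batch --yes --quiet --armor \
      --trust-model always --recipient "$fpr" \
      --output "$out" --encrypt "$plaintext"
  # Sanity check: never share a file that is still plaintext.
  head -n1 "$out" | grep -q '^-----BEGIN PGP MESSAGE-----$'
  printf '%s\n' "$out"
}

# Overwrite (where shred exists) and delete the plaintext secret file.
remove_plaintext() {
  if command -v shred >/dev/null 2>&1; then shred -u "$1"; else rm -f "$1"; fi
}

# Typical run (commented out so the functions can be sourced without side effects):
# fpr=$(import_recipient public-key.txt ./union-keyring)
# msg=$(encrypt_secret client-secret.txt "$fpr" ./union-keyring)
# remove_plaintext client-secret.txt
# Then share "$msg" (client-secret.txt.asc) with the Union.ai team over Slack.
```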

## Share the application (client) ID with Union.ai

Share the **application (client) ID** with the Union.ai team over Slack.
This value does not have to be encrypted.

