# Enabling and configuring SSO in Fabricate

You configure the single sign-on (SSO) connection from the **SSO** page of **Account Settings**.

<figure><img src="https://4109733485-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmoU4gTR9LxlzHeWmQCUZ%2Fuploads%2FmiGOLJiTg2SyRbEKJyUM%2FAccount_SingleSignon.png?alt=media&#x26;token=51801aaa-d245-4d2b-be04-7178e10180ea" alt=""><figcaption><p>Single Sign-on (SSO) section of the My Account page</p></figcaption></figure>

## **Enabling SSO in Fabricate** <a href="#sso-enable" id="sso-enable"></a>

To enable SSO for your account, toggle **Enabled** to the on position.

## **Providing the SSO connection information** <a href="#sso-connection-info" id="sso-connection-info"></a>

To set up the connection to your SSO provider:

1. In the **Issuer URL** field, provide the connection URL for the SSO client.
2. In the **Client ID** field, provide the client identifier for the SSO client.
3. In the **Client Secret** field, provide the client secret for the SSO client.

## **Requiring SSO for account users** <a href="#sso-enforce" id="sso-enforce"></a>

By default, SSO is not required for account users. An account can have a combination of SSO users and users who join with an email address and password.

To require all account users to join through SSO, toggle **Enforce SSO** to the on position.

## **Identifying the allowed email domains** <a href="#sso-allowed-domains" id="sso-allowed-domains"></a>

Before you can allow an email domain for SSO, you must first [add the domain as an allowed domain for your account](https://docs.tonic.ai/fabricate/fabricate-accounts-and-users/account-domains).

The **Email Domains** configuration limits the SSO users to those who have email addresses with specific domains.

To add a domain to the allowed domains, select it from the dropdown list. Fabricate adds the selected domains as tags above the dropdown list.

To remove a domain, click its delete icon.

## Configuring workspace access for new SSO users <a href="#sso-workspace-access" id="sso-workspace-access"></a>

Under **Workspaces**, you configure workspace access for new SSO users. By default, new users have no access to existing workspaces.

You can:

* Grant access to specific workspaces. For each workspace, you select the workspace role to assign.
* Select a workspace role to assign for all workspaces that you do not specifically list.

### Granting access to specific workspaces <a href="#sso-workspace-list" id="sso-workspace-list"></a>

To grant access to a specific workspace:

1. From the workspace dropdown list, select the workspace.
2. From the role dropdown list, select the workspace role to assign.
3. Click **Add**.

After you add a workspace, you can change the assigned role.

To remove a workspace from the list, click its delete icon.

### Assigning a role to other workspaces <a href="#sso-workspace-role" id="sso-workspace-role"></a>

To assign a role for workspaces that are not in the list, select the workspace role from the **Default role for other workspaces** dropdown list.

The default value is **None**, which grants no access to workspaces that are not listed.

## **Testing the SSO connection**

To test the SSO connection, click **Test Connection**.
