# Enabling and configuring SSO in Fabricate

You configure the single sign-on (SSO) connection from the **SSO** page of **Account Settings**.

<figure><img src="/files/vGNN9Pyqv0z7RenLxylX" alt=""><figcaption><p>Single Sign-on (SSO) section of the <strong>Account Settings</strong> page</p></figcaption></figure>

## **Enabling SSO in Fabricate** <a href="#sso-enable" id="sso-enable"></a>

To enable SSO for your account, toggle **Disabled** to **Enabled**.

## **Providing the SSO connection information** <a href="#sso-connection-info" id="sso-connection-info"></a>

To set up the connection to your SSO provider:

1. In the **Issuer URL** field, provide the connection URL for the SSO client.
2. In the **Client ID** field, provide the client identifier for the SSO client.
3. In the **Client Secret** field, provide the client secret for the SSO client.

## **Requiring SSO for account users** <a href="#sso-enforce" id="sso-enforce"></a>

By default, SSO is not required for account users. An account can have a combination of SSO users and users who join with an email address and password.

To require all account users to join through SSO, toggle **Enforce SSO** to the on position.

## Managing SSO group handling in Fabricate <a href="#sso-group-handling" id="sso-group-handling"></a>

You can configure [account groups](/fabricate/fabricate-accounts-and-users/managing-account-groups.md) in Fabricate.

If you also use SSO, then you can synchronize your SSO groups with your Fabricate account groups.

### Synchronizing SSO groups with Fabricate account groups <a href="#sso-group-synchronize" id="sso-group-synchronize"></a>

To enable synchronization between SSO groups and Fabricate account groups, toggle **Sync groups from SSO** to the on position.

When Fabricate synchronizes the groups, the following occurs when an SSO user logs in:

1. Fabricate gets the SSO group that they belong to.
2. Fabricate looks for a Fabricate account group that has a matching name.
3. If there is already an account group with that name, then Fabricate adds the user to that group. The user inherits any workspace permissions that are granted to the group.
4. If there is not a matching account group, Fabricate then checks whether the SSO group matches the **Group Filter** regular expression.
   * If the group name matches the filter expression, then Fabricate automatically creates the Fabricate account group and adds the user to it.
   * If the group name does not match the filter expression, then Fabricate does not create the Fabricate account group.

### Limiting the SSO groups for which to create Fabricate groups <a href="#sso-group-filter" id="sso-group-filter"></a>

When you synchronize your SSO groups with Fabricate, the **Group Filter** field allows you to identify which SSO groups to automatically create Fabricate groups for.

For example, you might only want users from the development group to have access to Fabricate, but not the operations group.

In the **Group Filter** field, type the regular expression that an SSO group name must match in order to be created automatically in Fabricate.
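The following added example (not Fabricate's own code) models the login-time steps from the synchronization section together with the **Group Filter** check, so that you can preview which SSO groups a candidate filter would cause to be created. It assumes Python `re` syntax and exact, case-sensitive name matching for existing groups. This page does not state whether the filter must match the whole group name or only part of it, so the example evaluates both and reports the groups whose outcome differs.

```python
import re

def plan_group_sync(sso_groups, existing_groups, group_filter, full_match=False):
    """Model the login-time decision described above for each SSO group.

    Returns {sso_group: "join" | "create" | "skip"}.
    full_match is an assumption switch: the page does not say whether the
    Group Filter must match the whole name or any part of it.
    """
    pattern = re.compile(group_filter)
    match = pattern.fullmatch if full_match else pattern.search
    plan = {}
    for name in sso_groups:
        if name in existing_groups:
            plan[name] = "join"      # matching account group already exists
        elif match(name):
            plan[name] = "create"    # filter matches: group is auto-created
        else:
            plan[name] = "skip"      # filter does not match: nothing created
    return plan

def filter_ambiguities(sso_groups, group_filter):
    """Groups whose outcome depends on partial vs. whole-name matching."""
    pattern = re.compile(group_filter)
    return sorted(g for g in sso_groups
                  if bool(pattern.search(g)) != bool(pattern.fullmatch(g)))

# Constructed sample data (not from Fabricate).
SSO_GROUPS = ["development", "operations", "development-contractors", "qa"]
EXISTING = {"qa"}

if __name__ == "__main__":
    for flt in ("development", r"^development$"):
        print(flt, plan_group_sync(SSO_GROUPS, EXISTING, flt))
        print("  outcome depends on match mode:", filter_ambiguities(SSO_GROUPS, flt))
```

A filter anchored with `^` and `$` gives the same result under either interpretation, which keeps an unintended group such as the constructed `development-contractors` from inheriting workspace permissions.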

## Identifying the allowed email domains <a href="#sso-allowed-domains" id="sso-allowed-domains"></a>

Before you can allow an email domain for SSO, you must first [add the domain as an allowed domain for your account](/fabricate/fabricate-accounts-and-users/account-domains.md).

The **Email Domains** configuration limits the SSO users to those who have email addresses with specific domains.

To add a domain to the allowed domains, select it from the dropdown list. Fabricate adds the selected domains as tags above the dropdown list.

To remove a domain, click its delete icon.

## Configuring workspace access for new SSO users <a href="#sso-workspace-access" id="sso-workspace-access"></a>

Under **Workspaces**, you configure workspace access for new SSO users. By default, new users have no access to existing workspaces.

<figure><img src="/files/SuslYamFZAyXspCjNFcb" alt=""><figcaption><p>Workspaces section of the SSO page</p></figcaption></figure>

You can:

* Grant access to specific workspaces. For each workspace, you select the workspace role to assign.
* Select a workspace role to assign for all workspaces that you do not specifically list.

### Granting access to specific workspaces <a href="#sso-workspace-list" id="sso-workspace-list"></a>

To grant access to a specific workspace:

1. From the workspace dropdown list, select the workspace.
2. From the role dropdown list, select the workspace role to assign.
3. Click **Add**.

After you add a workspace, you can change the assigned role.

To remove a workspace from the list, click its delete icon.

### Assigning a role to other workspaces <a href="#sso-workspace-role" id="sso-workspace-role"></a>

To grant a specific role for workspaces that are not in the list, from the **Default role for other workspaces** dropdown list, select the workspace role.

The default value is **None**, which grants no access to workspaces that are not listed.

## **Testing the SSO connection**

To test the SSO connection, click **Test Connection**.

