# Single sign-on (SSO) Tonic Textual respects the access control policy of your single sign-on (SSO) provider. To access Textual, users must be granted access to the Textual application within your SSO provider. Self-hosted instances can use any of the available SSO options. Textual Cloud organizations can enable Okta SSO. To enable SSO, you first complete the required configuration in the SSO provider. You then configure Textual to connect to it. For self-hosted instances, you use Textual environment variables for the configuration. For a Textual Cloud organization, you use the **Single Sign-On** tab on the **Permission Settings** page. After you enable SSO, users can use SSO to create an account in Textual. For self-hosted instances, to only allow SSO authentication, set the [environment variable](https://docs.tonic.ai/textual/textual-install-administer/configuring-textual/textual-env-var-configure) `REQUIRE_SSO_AUTH` to `true`. For Textual Cloud, this is configured in the application. When SSO is required, Textual disables standard email/password authentication. All account creation and login is handled through your SSO provider. If multi-factor authentication (MFA) is set up with your SSO, then all authentication must go through your provider's MFA. You can [view the list of SSO groups whose members have logged into Textual](https://docs.tonic.ai/textual/textual-install-administer/user-access-textual/textual-sso/sso-view-groups). Tonic Textual supports the following SSO providers:
AzureUse Azure to enable SSO on Textual.textual-sso-azure
GitHubUse GitHub to enable SSO on Textual.textual-sso-github
GoogleUse Google to enable SSO on Textual.textual-sso-google
KeycloakUse Keycloak to enable SSO on Textual.keycloak
OktaUse Okta to enable SSO on Textual.Available for both self-hosted instances and Textual Cloud.textual-sso-okta
OpenID Connect (OIDC)Use OIDC to enable SSO on Textual.oidc