# Universal (SAML)

{% hint style="info" %}
This feature is available in **Premium plan and higher**.
{% endhint %}

{% hint style="danger" %}
**Remember to grant your users access permissions to GoodAccess. Users without them won't be able to log in.**
{% endhint %}

You may set up Single Sign-On (SSO) in [Control Panel > Settings > SSO & Identity](https://app.goodaccess.com/sso-and-identity/).

## Step 1

1. Go to the settings of your identity provider and look for an option to add a new application.
2. If asked for the **sign-in method**, select **SAML (2.0)**.
3. Name your application and choose a logo.

## Step 2

{% hint style="danger" %}
These details are general and apply to every identity provider. However, individual identity providers may use different names for the fields, and some settings may differ in detail.

If you get stuck, we recommend checking our other [guides](https://support.goodaccess.com/configuration-guides/features/sso-scim) for specific identity providers, which may give you more insight into setting up yours. If that doesn't help, check the guides from your provider or [contact us](https://www.goodaccess.com/contact).
{% endhint %}

When asked for **SAML configuration**, enter the details from **GoodAccess - (2) GoodAccess links**.

* **Identifier** - Entity ID
* **Reply URL** - Assertion Consumer Service URL
* **Sign on URL** - Login URL
* **Relay State** - Relay State

For **User Attributes & Claims** create the following attributes:

{% hint style="warning" %}
**Important:** Attribute names are case-sensitive. Please enter them exactly as shown (all lowercase).
{% endhint %}

| Name      | Name Format | Value / Source Attribute                                                                           |
| --------- | ----------- | -------------------------------------------------------------------------------------------------- |
| **email** | Unspecified | Select the attribute representing the user's primary email address (e.g., `user.mail` or `email`). |
| **name**  | Unspecified | Select the attribute representing the user's full name (e.g., `user.displayname` or `name`).       |
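
To confirm that your identity provider actually emits the attributes as listed in the table, you can inspect the attribute statement of an assertion captured from a test login. The following is an added example, not GoodAccess code: the helper name `check_attributes` is hypothetical, the sample assertions are constructed, and it assumes you have already base64-decoded the assertion from your own identity provider.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# SAML 2.0 treats a missing NameFormat as "unspecified".
UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
REQUIRED = ("email", "name")  # attribute names from the table above

def check_attributes(assertion_xml):  # hypothetical helper name
    """Return a list of mismatches against the attribute table (empty = OK)."""
    root = ET.fromstring(assertion_xml)
    found = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.iterfind("saml:AttributeValue", NS)
                  if v.text and v.text.strip()]
        found[attr.get("Name", "")] = (attr.get("NameFormat", UNSPECIFIED), values)
    problems = []
    for name in REQUIRED:
        if name not in found:
            # Exact match failed: look for the same name in a different case.
            near = [n for n in found if n.lower() == name]
            hint = f" (found '{near[0]}'; names are case-sensitive)" if near else ""
            problems.append(f"missing attribute '{name}'{hint}")
            continue
        fmt, values = found[name]
        if fmt != UNSPECIFIED:
            problems.append(f"'{name}' has NameFormat '{fmt}', expected Unspecified")
        if not values:
            problems.append(f"'{name}' has no value")
    return problems

# Constructed sample: wrong-case "Email" and a non-Unspecified NameFormat on "name".
BASIC = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
SAMPLE_BAD = f"""<saml:Assertion xmlns:saml="{NS['saml']}">
  <saml:AttributeStatement>
    <saml:Attribute Name="Email">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="name" NameFormat="{BASIC}">
      <saml:AttributeValue>Alice Example</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
# Constructed sample matching the table: lowercase names, NameFormat omitted.
SAMPLE_GOOD = (SAMPLE_BAD.replace('Name="Email"', 'Name="email"')
               .replace(f' NameFormat="{BASIC}"', ""))

if __name__ == "__main__":
    for label, xml in (("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD)):
        print(label, check_attributes(xml) or "OK")
```

Run it only against assertions from your own identity provider; a captured assertion contains user data and should not be pasted into third-party tools.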

## Step 3

Grant **permissions** for the application to an existing group in your identity provider, or create a new group and assign users to it.

## Step 4

Open your newly created application, find its SAML settings, and copy the following details into **GoodAccess - (3) Identity Provider Links**.

* **SSO/Login URL** - Sign in URL
* **Identifier/Issuer** - Entity ID
* **Certificate** - X509 signing certificate

## Step 5

Now switch back to GoodAccess, click **Continue**, and then **Submit**.
