# Security (Single Sign-On)

SAML 2.0 is the most recent iteration of the Security Assertion Markup Language as established by the OASIS organization. This standard facilitates the exchange of authentication and authorization information across different security domains.

SAML 2.0 operates as an XML-based protocol that utilizes security tokens with assertions to relay data about a principal (typically an end user) between a SAML authority (identity provider or IdP) and a SAML consumer (service provider or SP).

## SAML Authentication Workflow

1. The user navigates to your Updraft subdomain and clicks the LOGIN with SSO button.
2. The user is then redirected to your Identity Provider (IdP) login page.
3. Using the IdP's web-based authentication system, the user logs in, and the IdP sends a SAML Response to the Updraft callback endpoint.
4. If the user is authenticated and has the necessary permissions in Updraft, they are granted access to the Updraft Organization where only authorized apps are visible.
   1. New accounts in Updraft are created (no e-mail invitation or activation is sent).
   2. After the user's first login, an Owner or Admin can add the user to the Updraft projects.

## SAML Authentication Workflow Group Mapping

Sometimes, it’s very helpful to align SAML group names from your Identity Provider (IdP) with the actual group names in Updraft ([Permission Groups](/dashboard/usermanagement/permission-groups.md)). This step is optional and only required if your IdP doesn’t send the actual group name, but instead provides an ID associated with the group in the IdP. You can set up this group mapping in the settings for each SAML configuration provider, using key/value pairs. Map the Permission Groups you set in Updraft with the groups in your SAML configuration.

Updraft will automatically recognize new groups with each authentication and add the user to the permission group in Updraft. After that, you can assign the permission groups to your app projects.

This approach makes it possible to carry out almost all user management outside Updraft.
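
One way to check a group mapping before entering it, as an added example that is not Updraft's own code: it reads the group values from a decoded sample SAML assertion and reports which IDs have a mapping entry and which do not. The attribute name `groups`, the group IDs and the Permission Group names are constructed assumptions; the script only inspects a sample and does not verify the assertion's signature.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: an IdP that sends opaque group IDs instead of names.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="email">
      <saml:AttributeValue>dev@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>00g1aaaa</saml:AttributeValue>
      <saml:AttributeValue>00g2bbbb</saml:AttributeValue>
      <saml:AttributeValue>00g9zzzz</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

# Hypothetical key/value mapping: IdP group ID -> Permission Group name.
GROUP_MAPPING = {
    "00g1aaaa": "iOS Developers",
    "00g2bbbb": "QA Testers",
    "00g3cccc": "Release Managers",
}


def group_values(assertion_xml, attribute_name="groups"):
    """Return the values of the group attribute in an assertion."""
    root = ET.fromstring(assertion_xml)
    xpath = f".//saml:Attribute[@Name='{attribute_name}']/saml:AttributeValue"
    return [(v.text or "").strip() for v in root.findall(xpath, SAML_NS)]


def audit_mapping(assertion_xml, mapping, attribute_name="groups"):
    """Split the asserted group IDs into mapped names and unmapped IDs."""
    sent = group_values(assertion_xml, attribute_name)
    mapped = {gid: mapping[gid] for gid in sent if gid in mapping}
    unmapped = [gid for gid in sent if gid not in mapping]
    unused = sorted(set(mapping) - set(sent))  # keys this user never sent
    return {"mapped": mapped, "unmapped": unmapped, "unused_keys": unused}


if __name__ == "__main__":
    report = audit_mapping(SAMPLE_ASSERTION, GROUP_MAPPING)
    for section, value in report.items():
        print(f"{section}: {value}")
```

An ID listed under `unmapped` is one the IdP asserts but the mapping has no key for, which is the case to resolve before relying on the mapping for access decisions.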

{% content-ref url="/pages/APVq0XiTub0iEAqRG3If" %}
[Single Sign-On with Okta](/dashboard/account/security-single-sign-on/single-sign-on-with-okta.md)
{% endcontent-ref %}

{% content-ref url="/pages/vQcHwK3Wrg7A1zd6F7dZ" %}
[Single Sign-On with Google Workspace](/dashboard/account/security-single-sign-on/single-sign-on-with-google-worspace.md)
{% endcontent-ref %}

{% content-ref url="/pages/0QXUdkGOuT2ox9RbkRq9" %}
[Single Sign-On with Microsoft Entra](/dashboard/account/security-single-sign-on/single-sign-on-with-microsoft-entra.md)
{% endcontent-ref %}

{% content-ref url="/pages/sw5w7BqccH0i4OZDDH17" %}
[Single Sign-On with JumpCloud](/dashboard/account/security-single-sign-on/single-sign-on-with-jumpcloud.md)
{% endcontent-ref %}

{% content-ref url="/pages/qTb1XqL36zOmSGv32QzS" %}
[Single Sign-On with Ping Identity](/dashboard/account/security-single-sign-on/single-sign-on-with-ping-identity.md)
{% endcontent-ref %}

{% content-ref url="/pages/51oc0oYKbte29TLz4HBd" %}
[Custom SSO (SAML)](/dashboard/account/security-single-sign-on/custom-sso-saml.md)
{% endcontent-ref %}

