# Single Sign On (SSO)

{% hint style="info" %}
Single Sign On (SSO) is a **premium** feature, only available for Enterprise.

For up-to-date information on our plans and their associated features, see our pricing page.
{% endhint %}

Enterprise customers can request Single Sign On authentication.

This is useful if you have enterprise authentication requirements around using software with SSO.

To learn more about Single Sign On, contact the [Roboflow sales team](https://roboflow.com/sales) or your account representative.

## SSO Profile-Based Authorization Groups

Enterprise customers using SSO can configure **authorization group attributes** to automatically assign users to Roboflow authorization groups based on their identity provider (IdP) profile attributes, such as Active Directory (AD) group memberships.

When a user signs in via SSO, Roboflow reads the specified attributes from the SSO profile's `sign_in_attributes` and maps them to Roboflow authorization groups. This allows you to manage access control through your IdP rather than manually assigning groups in Roboflow.

## Workspace Access Gating by AD Group

Enterprise SSO environments support per-workspace access gating based on AD group membership. Each allowed workspace in your SSO environment can be configured with:

* **Required AD Groups**: Only users who belong to at least one of the specified AD groups can access the workspace. Users who no longer meet the requirement lose access on their next sign-in.
* **Auto-join**: When enabled, users who meet the required AD groups (or all SSO users, if no groups are configured) are automatically added to the workspace on sign-in, without needing an invite.

These options can be combined per workspace:

| Required AD Groups | Auto-join | Behavior                                                                     |
| ------------------ | --------- | ---------------------------------------------------------------------------- |
| Not set            | Off       | Default: admin must invite users manually                                    |
| Not set            | On        | All SSO users are auto-added to the workspace                                |
| Set                | Off       | Existing members who don't match are removed; new users still need an invite |
| Set                | On        | Matching users are auto-added; non-matching members are removed              |

{% hint style="info" %}
Roboflow admins are exempt from AD group gating and always retain workspace access. The default workspace for the SSO environment is never gated.
{% endhint %}

AD group membership is refreshed each time a user signs in through your IdP. If a user is removed from a required AD group in your IdP, they will lose access to gated workspaces on their next Roboflow sign-in.

To configure workspace access gating, contact the [Roboflow sales team](https://roboflow.com/sales) or your account representative.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.roboflow.com/workspaces/single-sign-on-sso.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.