> ## Documentation Index
> Fetch the complete documentation index at: https://support.affinity.co/llms.txt
> Use this file to discover all available pages before exploring further.

# How To Set Up Custom Single Sign On SSO With Affinity

> Help center reference: How To Set Up Custom Single Sign On SSO With Affinity

<Note>**How-to** — task-oriented recipe.</Note>

## What is SSO?

Single Sign-On (SSO) is an authentication method that allows users to use one set of login credentials to log into multiple applications.

## Who can set up custom SSO with Affinity?

* Only those on the **Enterprise** tier will be able to set up custom SSO access to their Affinity account.

## What are the different syncing options available with custom SSO?

* If your team is on **Google** and has a different SSO provider, your IT must set up a [domain-wide delegation](/s/article/How-to-enable-domain-wide-delegation-for-Google-impersonation-Enterprise-only), which will allow syncing or non-syncing at the entire organization level.
  * In other words, your IT team will **not** be able to set up syncing permissions for some and non-syncing permissions for others at the individual level - it has to be one or the other for the entire organization.
* If your team is on **Azure** (Office365), then the [Microsoft Graph Client Credential flow](/s/article/Setting-up-Microsoft-Graph-Client-Credentials) is required to sync data, which will allow syncing or non-syncing at the individual level.
  * In other words, your IT team will be able to set up syncing permissions for some and non-syncing permissions for others at the individual level.
* If your team is on **Microsoft On-Premise (or Hosted) Exchange**, then an Impersonation Service Account is required to sync data, which will allow syncing or non-syncing at the individual level.
  * In other words, your IT team will be able to set up syncing permissions for some and non-syncing permissions for others at the individual level.

## How to set up SSO with SAML 2.0

1. Affinity needs the following information from your IT/Admin:
   * Audience URI/Client/SP Entity ID (e.g. affinity)
   * Name ID Format set to **Email Address**
   * Your Identity Provider (IdP) - (e.g. Okta, Azure, etc.)
   * Your Metadata URL. (This will contain the cert)
   * (Optional) Set relay state to **IDP-INITIATED-FLOW**. This is only necessary if you wish to configure a seamless IDP flow.
   * **Note**: Make sure one of the attributes is "**email**" (see example below).
     ```text theme={null}
     email:john.doe@company.com
     ```

2. Redirect (reply) URIs for the Affinity Web Application. Also known as Single sign on URL.
   * `https://[subdomain].affinity.co/auth/sso/saml-callback` (login)
   * `https://[subdomain].affinity.co/sso/callback` (needed for mobile login)
   * `https://[subdomain].affinity.co/logout` (logout)

3. For setting up data syncing, please follow one of the three options below:
   * If your team is on **Google** and has a different SSO provider, your IT must set up a [domain-wide delegation](/s/article/How-to-enable-domain-wide-delegation-for-Google-impersonation-Enterprise-only).
   * If your team is on **Azure** (Office365), then the [Microsoft Graph Client Credential flow](/s/article/Setting-up-Microsoft-Graph-Client-Credentials) is required to sync data.
   * If your team is on **Microsoft On-Premise (or Hosted) Exchange**, then an Impersonation Service Account is required to sync data.
     * Here are the necessary pieces of information that you/your team must send over to [support@affinity.co](mailto:support@affinity.co) to set up your Impersonation Service Account and leverage Affinity:
       * Mail server EWS URL
       * Impersonation Email Address
       * Impersonation Username (not always required)
       * Impersonation Password

## How to set up SSO with Open ID

Using OpenID, you will most likely need to set up two apps - one for web (see Step 2) and one for mobile (see Step 3).

1. Affinity needs the following information from your IT/Admin:
   * Audience URI/Client/SP Entity ID (eg. affinity)
   * Client Secret
   * Name ID Format set to **Email Address**
   * Identity Provider (IdP) - (e.g. Okta, Azure, etc.)
   * OIDC Discovery Endpoint
   * Mobile Client ID
   * Mobile Client Secret
   * (Optional) Set relay state to **IDP-INITIATED-FLOW**. This is only necessary if you wish to configure a seamless IDP flow.
   * **Note**: Make sure one of the attributes is "**email**" (see example below).
     ```text theme={null}
     email:john.doe@company.com
     ```

2. Redirect (reply) URIs for the Affinity Web Application (for web)
   * Sign in: `https://[subdomain].affinity.co/auth/sso/openid-callback`
   * Sign out: `https://[subdomain].affinity.co/logout`

3. Mobile Login/Logout redirect URIs (for mobile)
   * `AffinitySSOLogin://login`
   * `AffinitySSOLogin://logout`

4. For setting up data syncing, please follow one of the three options below:
   * If your team is on **Google** and has a different SSO provider, your IT must set up a [domain-wide delegation](/s/article/How-to-enable-domain-wide-delegation-for-Google-impersonation-Enterprise-only).
   * If your team is on **Azure** (Office365), then the [Microsoft Graph Client Credential flow](/s/article/Setting-up-Microsoft-Graph-Client-Credentials) is required to sync data.
   * If your team is on **Microsoft On-Premise (or Hosted) Exchange**, then an Impersonation Service Account is required to sync data.
     * Here are the necessary pieces of information that you/your team must send over to [support@affinity.co](mailto:support@affinity.co) to set up your Impersonation Service Account and leverage Affinity:
       * Mail server EWS URL
       * Impersonation Email Address
       * Impersonation Username (not always required)
       * Impersonation Password

## Frequently Asked Questions

**What type of SSO does Affinity support?**

* Affinity currently supports SAML 2.0 or OpenID Connect as an authentication method.

**Does Affinity support Service Provider initiated (Web Browser) SSO?**

* Yes. Set relay state to **IDP-INITIATED-FLOW**.

**What claims (attribute) does Affinity require in the callback request?**

* We only require the user's email address.

**What's the most secure hash algorithm that Affinity accepts?**

* SHA256.

**Does Affinity require token encryption?**

* We do not require token encryption. We won't make any additional requests after initial authentication, so this shouldn't be necessary.

**Does Affinity require Relaying Party-Initiated (RP) Sign-On?**

* No. Affinity is a cloud application accessible over the public internet; most of our users access the application directly by our URL on their browser.

**Does Affinity require Relay State support?**

* No.

**Have you enabled your site to automatically update your federated metadata information?**

* Yes. We periodically refresh the metadata stored for your organization from your metadata URL. For example, if your public key changes, Affinity will detect the change and continue to validate signatures accordingly.
