---
title: "Activate and Manage Single Sign-On"
slug: "activate-and-manage-single-sign-on"
description: "With Single Sign-On (SSO) activated you can log into Gladly without the need for a separate username and password. Learn more."
updated: 2025-09-29T16:30:36Z
published: 2025-09-29T16:30:36Z
---

> ## Documentation Index
> Fetch the complete documentation index at: https://help.gladly.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Activate and Manage Single Sign-On

| **REQUIRED USER ROLE** Administrator | **PERMISSION OVERVIEW** [View permissions by role](https://help.gladly.com/docs/managing-users-and-roles#roles-and-responsibilities) |
| --- | --- |

With SSO activated, users can log into Gladly without needing a separate username and password. If SSO is already implemented in your company, they can use the same credentials they already use to access other services and applications under the umbrella of your Identity Provider.

## **Before you start**

Before you activate SSO, we recommend that you first review the following:

- SSO is not required to use Gladly, but we strongly encourage using it if you already use SSO internally to access other apps and services.
  - If using SSO, all users are required to use SSO to access Gladly. You can't have some users on SSO and some that are not.
  - Different SSO solutions cannot be mixed. For example, you can't use Google SSO and Okta simultaneously.
- Once SSO is activated and properly configured, [adding users to Gladly](https://help.gladly.com/docs/managing-users-and-roles) triggers a Gladly user invitation to those users.
  - Only upload new users to Gladly once SSO is activated.

**Activate SSO for Gladly**

## Activate SSO for Gladly

Complete the [Single-Sign-On Setup](/docs/single-sign-on-setup) first through your SSO provider before proceeding with the steps below.

1. Click ![](https://cdn.us.document360.io/7047b671-c4f2-4df0-bb0a-b9b511fd2452/Images/Documentation/hamburger-menu-icon(2).svg) on the top left corner of the screen.
2. Click **Settings**.
3. Under the **Security and Compliance**category, click **Single Sign-On**.
4. Configure the following options from the Single Sign-On page:
  - **Use SSO –** Inactive by default, click the toggle, so it's green to activate SSO.
5. Once SSO is activated, a few more options appear that you'll need to configure:
  - **Force users to reauthenticate –** Inactive by default, it allows users who log out of Gladly but still have an active SSO session (e.g., Okta, Azure, etc.) to automatically reauthenticate if they access Gladly again. If activated (toggle is green), users must re-authenticate if they log out (excluding closing the Gladly tab or going away) of Gladly.
6. Next, set up your identity provider details.

![Options for setting identity provider details with metadata fetching and pasting options.](https://cdn.us.document360.io/7047b671-c4f2-4df0-bb0a-b9b511fd2452/Images/Documentation/metadata-sso-Gladly-1024x511.png)

- **[A] Fetch metadata from URL (Upon Save) –** Found in your SSO provider's settings, paste the Metadata URL in this field, then click **Save.** Clicking **Save** fetches the metadata XML and pastes it in the **[B]** Metadata field.
- **[B] Paste Metadata –** This contains the metadata XML fetched from **[A]** upon clicking **Save**. For SSO providers like Google Workspace that don't support metadata URL lookup, you can paste the plain XML file in this field downloaded from the provider.

### Generate new metadata

Gladly automatically fetches metadata using the **Fetch metadata from URL** link upon clicking **Save.** If the metadata has changed due to an update (e.g., new SAML certificate), clicking **Save** automatically fetches the updated metadata.

### Reference metadata and ACS URL

Some identity providers like Google Workspace require you to provide the Gladly ACS URL and Entity ID/Meta URL to configure SSO. This information can be found in the bottom section of the Single Sign-On settings page.

![URLs for Gladly Metadata and ACS authentication are provided for user convenience.](https://cdn.us.document360.io/7047b671-c4f2-4df0-bb0a-b9b511fd2452/Images/Documentation/sso-metadata-and-acs-url-Gladly-1024x264.png)

**Allow JIT (Just-in-Time) User Provisioning**

## Allow JIT (Just-in-Time) User Provisioning

Automatically create Gladly user accounts once they are provisioned through your SSO provider. You must first [activate SSO](https://help.gladly.com/docs/activate-and-manage-single-sign-on#activate-sso-for-gladly) for Gladly before you can enable JIT user provisioning.

> [!WARNING]
> Okta and PingOne Support
> 
> JIT provisioning is currently only available through Okta and PingOne (Ping Identity).

1. Once SSO is activated and successfully configured, toggle the **Create new user on first login** so it’s green to expose the **Identity Provider Attribute Mappings** settings towards the bottom of the page.
2. Next, you’ll have the option to configure a default Gladly user role(s) and Inbox(es) based on their SAML attributes. ![Identity Provider Attribute Mappings for default roles and inboxes configuration.](https://cdn.us.document360.io/7047b671-c4f2-4df0-bb0a-b9b511fd2452/Images/Documentation/idp custom mapping.png)
3. Click**Default Roles [A]**to view a list of all Gladly [roles](https://help.gladly.com/docs/managing-users-and-roles#roles-and-responsibilities). By default, and without adding SAML attributes, users you create through your idP (Identity Provider) will automatically get provisioned in Gladly with the role(s) chosen here. Select the role(s) you want to assign by default.
  - **Assign role based on SAML Attribute –** To assign a specific Gladly role(s) to provisioned users based on their SAML attribute, click **+ Add Role Mapping**, then complete the following fields:
    - **SAML Attribute –**Enter the SAML Attribute name that. For example, `email`.

> [!NOTE]
> SAML Attribute groups
> 
> Creating a group attribute in your idP allows you to provision a specific group of users in bulk with specific roles. For example, setting up a `groupID` attribute that’s assigned to users destined to be Gladly Administrators and be assigned the Administrator role.
    - **SAML Attribute Value –**Based on the SAML Attribute, enter the value. For example, if the attribute is `email`, the value is the email address, e.g., `retale@gladly.com`.
    - **Roles –**Select the [role(s)](https://help.gladly.com/docs/managing-users-and-roles#roles-and-responsibilities) users mapped to the SAML Attribute will be assigned.
4. Click**Default Inboxes [B]** to view a list of all [Inboxes](https://help.gladly.com/docs/whats-an-inbox). By default, and without adding SAML attributes, users you create through your idP (Identity Provider) will automatically get provisioned in Gladly and assigned to the Inbox(es) chosen here. Select the Inbox(es) you want to assign by default.
  - **Assign role based on SAML Attribute –** To assign a specific Gladly role(s) to provisioned users based on their SAML attribute, click **+ Add Role Mapping**, then complete the following fields:
    - **SAML Attribute –**Enter the SAML Attribute name that. For example, `email`.

> [!NOTE]
> SAML Attribute groups
> 
> Creating a group attribute in your idP allows you to provision a specific group of users with specific roles. For example, setting up a `groupID` attribute that’s assigned to users destined to be Gladly Administrators and be assigned the Administrator role.
    - **SAML Attribute Value –**Based on the SAML Attribute, enter the value. For example, if the attribute is `email`, the value is the email address, e.g., `retale@gladly.com`.
    - **Inboxes –**Select the [Inbox(es)](https://help.gladly.com/docs/whats-an-inbox) users mapped to the SAML Attribute will be assigned to.
5. Click **Save**.

## Deactivate SSO

Deactivate SSO to stop requiring SSO access for Gladly.

> [!NOTE]
> SSO settings preserved
> 
> Gladly preserves your current configuration values upon deactivating SSO. You can reactivate SSO anytime without needing to re-enter your previous configuration values.

1. Click ![](https://cdn.us.document360.io/7047b671-c4f2-4df0-bb0a-b9b511fd2452/Images/Documentation/hamburger-menu-icon(2).svg) on the top left corner of the screen.
2. Click **Settings**.
3. Under the **Security and Compliance**category, click **Single Sign-On**.
4. Toggle the **Use SSO** option so it’s gray
5. Click **Save**.

Single Sign-On (SSO) allows users to access multiple applications and websites with one set of credentials. SSO uses a trust relationship between the IdP (Identity Provider and the SP (Service Provider). The IdP passes an assertion to the SP to authenticate the user, often using an identity standard like Security Assertion Markup Language (SAML) or OpenID Connect (OIDC).