# Set Up Single Sign-On (SSO)

Single Sign-On (SSO) enables your users to authenticate into **Bluebricks** using your organization’s identity provider (IdP). Follow the steps below to complete the configuration.

### Step 1: Configure a Bluebricks Application in Your Identity Provider

In your IdP (e.g., Okta, Azure AD, Google Workspace, OneLogin), create a new application integration for Bluebricks. When prompted, use the following endpoints:

**Redirect URI (Callback URL)**

```
https://auth.bluebricks.co/login/callback
```

**Logout URL**

```
https://auth.bluebricks.co/logout
```

{% hint style="warning" %}
These endpoints must be added exactly as provided to ensure proper OAuth/OIDC flow handling.
{% endhint %}
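
A pre-flight check for the exact-match requirement above, as an added example (not Bluebricks code): it compares the values entered in your IdP against the two endpoints on this page and reports how each one differs. The function names and the `redirect_uri` / `logout_url` keys are assumptions made for this example.

```python
from urllib.parse import urlsplit

# Values taken from this page.
EXPECTED = {
    "redirect_uri": "https://auth.bluebricks.co/login/callback",
    "logout_url": "https://auth.bluebricks.co/logout",
}

def diff_uri(expected: str, configured: str) -> list[str]:
    """Return reasons `configured` differs from `expected`; [] means exact match."""
    if configured == expected:
        return []
    reasons = []
    if configured != configured.strip():
        reasons.append("leading or trailing whitespace")
    exp, got = urlsplit(expected), urlsplit(configured.strip())
    if got.scheme != exp.scheme:
        reasons.append(f"scheme is {got.scheme!r}, expected {exp.scheme!r}")
    if got.netloc != exp.netloc:
        if got.netloc.lower() == exp.netloc:
            reasons.append("host differs only in letter case")
        else:
            reasons.append(f"host is {got.netloc!r}, expected {exp.netloc!r}")
    if got.path != exp.path:
        if got.path.rstrip("/") == exp.path:
            reasons.append("trailing slash on path")
        else:
            reasons.append(f"path is {got.path!r}, expected {exp.path!r}")
    if got.query or got.fragment:
        reasons.append("unexpected query string or fragment")
    return reasons or ["differs from expected value"]

def check_config(configured: dict[str, str]) -> dict[str, list[str]]:
    """Map each endpoint name to its mismatch reasons (failing entries only)."""
    problems = {}
    for name, expected in EXPECTED.items():
        value = configured.get(name)
        if value is None:
            problems[name] = ["not configured"]
        elif (reasons := diff_uri(expected, value)):
            problems[name] = reasons
    return problems

if __name__ == "__main__":
    # Constructed sample, as values might be pasted into an IdP app page.
    sample = {"redirect_uri": EXPECTED["redirect_uri"] + "/",
              "logout_url": "http://auth.bluebricks.co/logout"}
    for name, reasons in check_config(sample).items():
        print(f"{name}: {'; '.join(reasons)}")
```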

### Step 2: Provide Your Tenant Credentials to Bluebricks

After completing the application setup, retrieve the **Tenant ID** and **Client Secret** (or equivalent values depending on your IdP).

Share these credentials with the Bluebricks team via a secure channel (e.g., a [one-time secret-sharing service](https://onetimesecret.com/en/)).

#### Additional Assistance

If you need help with your configuration or encounter any issues, contact Bluebricks Support:\
**<support@bluebricks.co>**

## User Auto-Provisioning

When SSO is enabled, users who authenticate through your IdP for the first time are automatically created in Bluebricks; no manual invite is required.

* **Default role**: New auto-provisioned users are assigned the **Deployer** role.
* Admins can change a user's role at any time via [Account Settings > Users](https://app.bluebricks.co/settings?tab=members).

{% hint style="success" %}
SSO auto-provisioning is the recommended approach for onboarding users at scale. It removes the need to invite each user individually and ensures everyone authenticates through your IdP.
{% endhint %}
