# Single Sign On (SSO), SAML, SCIM

Single Sign-On (SSO) lets a user's identity be managed by a single, trusted identity provider that grants access to multiple service providers. It improves security and compliance posture and reduces the number of credentials each user has to manage.

ExaVault supports the SP (Service Provider) initiated SSO flow and integrates with the most popular SSO providers.

## Steps to Perform on Entra

First, add the SmartFile (the former name for ExaVault) application from the Entra enterprise application gallery. Please refer to [Microsoft's SmartFile tutorial](https://learn.microsoft.com/en-us/entra/identity/saas-apps/smartfile-tutorial#add-smartfile-from-the-gallery) for more information on how to complete this step.

Once the ExaVault application has been added to your Entra Enterprise applications list, click the application and click *Assign Users and Groups* to select the Entra users that will be signing into ExaVault using Entra SSO.

Click *Setup single sign on* and choose *SAML*. In the *Basic SAML Configuration* section, provide the following values:

* **Identifier (Entity ID):** Your ExaVault site domain, without the `https://` prefix.
* **Reply URL (Assertion Consumer Service URL):** `https://<DOMAIN>/saml2/acs`
* **Sign on URL:** `https://<DOMAIN>/ftp/login`

In the section *SAML Certificates*, download the *Federation Metadata XML* file so that it may be uploaded to your ExaVault site.

## Steps to Perform on ExaVault

Sign into your ExaVault account as an administrator and go to *Admin Settings* by clicking the gear in the upper-right corner.

In the left pane, click *Settings > SSO*. Then click *Choose File* under *Metadata XML file* and select the Federation Metadata XML file you downloaded from Entra. Click *Save* to complete the configuration.

For each user assigned to your SSO method, create or modify the ExaVault user so that both the username and the email address are set to the email used in Microsoft Entra, and set the sign on method to *SSO*.

Your site's sign in page will now display a "Single Sign-On" button. Users click this button and are signed in to their ExaVault account through Entra.

If a user gets a page saying that the account does not exist, ensure that the user's email is set as the ExaVault user's username and email.

## Configuring SCIM for User Provisioning

To set up SCIM automatic provisioning, follow the instructions in [Tutorial: Configure ExaVault for automatic user provisioning](https://learn.microsoft.com/en-us/entra/identity/saas-apps/smartfile-provisioning-tutorial).

