# Single Sign On (SSO) Setup

Please confirm that your IdP setup will integrate with Freshpaint using the SAML protocol.

{% hint style="info" %}
Freshpaint supports SP-initiated SSO only. This means:

* Users must start the login process from Freshpaint's login page (`https://app.freshpaint.io/login/sso/[your-slug]`)
* Direct login from your IdP portal (IdP-initiated SSO) is not supported
* We recommend configuring your IdP portal tiles/links to redirect to the Freshpaint login URL
{% endhint %}

We will need the Entity ID (also known as Issuer), SSO URL, and X.509 Certificate from your IdP in order to complete the SSO setup on our end. Here are the instructions for how to set up your IdP to get this information:

* Create a new app in your IdP and give it a name (e.g. “Freshpaint”)
* For the SSO URL, paste <https://auth.freshpaint.io/__/auth/handler>
* For Audience URI, paste `freshpaint.io`
* Set Name ID format and Application User Name to “Email”
* Add an attribute statement with name “email” and value “user.email”
* Provide us with the IdP SSO URL, IdP Issuer, and X.509 Certificate

Once we have those items, we’ll continue the setup on our end and let you know when the SAML connection is ready to be tested. The login URL will be `https://app.freshpaint.io/login/sso/[your-slug]`
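When testing, you can decode a SAML response from your own test login and confirm that the IdP app matches the settings listed above. The Python check below is an added example, not Freshpaint's code. It assumes your IdP places the SSO URL in the assertion's `Recipient` and emits the “Email” Name ID format as the standard `emailAddress` URN; the sample response is constructed.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Expected values come from the setup steps on this page.
ACS_URL = "https://auth.freshpaint.io/__/auth/handler"
AUDIENCE = "freshpaint.io"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

def check_assertion(xml_text):
    """List IdP configuration problems in a decoded SAML response.
    Configuration check only: the XML signature is NOT verified here."""
    root = ET.fromstring(xml_text)
    problems = []
    conf = root.find(".//saml:SubjectConfirmationData", NS)
    if conf is None or conf.get("Recipient") != ACS_URL:
        problems.append("Recipient must be " + ACS_URL)
    audiences = [a.text.strip() for a in root.iterfind(".//saml:Audience", NS) if a.text]
    if AUDIENCE not in audiences:
        problems.append("Audience must be %s, got %s" % (AUDIENCE, audiences))
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID format must be emailAddress")
    elif "@" not in (name_id.text or ""):
        problems.append("NameID value is not an email address")
    path = ".//saml:Attribute[@Name='email']/saml:AttributeValue"
    if not any((v.text or "").strip() for v in root.iterfind(path, NS)):
        problems.append("attribute statement 'email' is missing or empty")
    return problems

# Constructed sample (not a real capture): audience left at an IdP default
# and the attribute named "mail" instead of "email".
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://auth.freshpaint.io/__/auth/handler"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://idp.example.com/app</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="mail"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    for p in check_assertion(SAMPLE):
        print("FAIL:", p)
```

An empty result means the four settings from the list are reflected in the response; it says nothing about whether the signature or certificate is valid.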

Note: after a user is assigned to the app within your IdP and invited from within Freshpaint, the user will need to log in directly to Freshpaint via your IdP, then accept the email invite while they’re still logged in. If the user attempts to accept the invite without logging in first, they’ll get redirected to the generic login page (i.e. without the option to log in via your IdP).


