# Configuring Single Sign-on

Only _Domain Admins_ with the _Admin: Domain Administration: SSO Settings: Read_ and _Admin: Domain Administration: SSO Settings: Edit_ permissions in their security profile can view and configure SSO settings for a domain. SSO enablement and configuration apply across all Vaults in a multi-Vault domain. Learn more about Vault's SSO options in <a href="/en/gr/13975/">Single Sign-on Basics</a>.

To configure single sign-on, you must:

  1. Create an SSO profile, either <a href="/en/gr/43346/">SAML</a> or <a href="/en/gr/43329/">OAuth2.0 / OIDC</a>.
  2. Create an <a href="/en/gr/1985/#sso-security-policy">SSO security policy</a> with the **Single Sign-on** Authentication Type.
  3. Provision users to use SSO.

<div class="note-border alert-important">
  <div class="alert alert-important" role="alert">
    <div><i class="far fa-exclamation-circle"></i></div>
    <div class="alert-text">
      <p><strong>Important</strong>: As a precaution, before making changes to your Vault’s SSO configuration, we recommend you ensure that your Vault has a <em>Vault Owner</em> user with the <em>Domain Admin</em> user setting that uses a different security policy to the one you are changing.</p>
    </div>
  </div>
</div>



## Create an SSO Security Policy

To complete SSO configuration, you must apply a <a href="/en/gr/1985/#sso-security-policy">Single Sign-on security policy</a> that enables user accounts to use SSO. You can do this by creating a new security policy or changing the settings for an existing policy.

## Provision Users to Use SSO {#provision}

When provisioning new users, you can set them to use SSO by assigning them to an SSO security policy. If you are using a **User ID Type** of **Federated ID**, you must set the **Federated ID** value in the user profile.
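The following pre-change check is an added example, not part of Vault or its API. It applies two rules from this page to a user list: a _Vault Owner_ with the _Domain Admin_ setting must remain on a security policy other than the one being changed, and users on a **Federated ID** SSO policy must have a **Federated ID** value. The field names, the `active` flag, and the sample users and policy names are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class User:  # hypothetical record layout, e.g. built from a user export
    name: str
    security_profile: str
    domain_admin: bool
    security_policy: str
    federated_id: str = ""
    active: bool = True

def fallback_admins(users, policy_being_changed):
    """Active Vault Owner + Domain Admin users NOT on the policy being changed."""
    return [u.name for u in users
            if u.active and u.domain_admin
            and u.security_profile == "Vault Owner"
            and u.security_policy != policy_being_changed]

def missing_federated_ids(users, federated_policies):
    """Active users on a Federated ID SSO policy whose Federated ID is blank."""
    return [u.name for u in users
            if u.active and u.security_policy in federated_policies
            and not u.federated_id.strip()]

def preflight(users, policy_being_changed, federated_policies):
    """Return a list of findings; an empty list means both rules hold."""
    findings = []
    if not fallback_admins(users, policy_being_changed):
        findings.append(f"LOCKOUT RISK: no Vault Owner/Domain Admin outside "
                        f"'{policy_being_changed}'")
    for name in missing_federated_ids(users, federated_policies):
        findings.append(f"MISSING FEDERATED ID: {name}")
    return findings

# Constructed sample data (names and policy labels are illustrative only)
USERS = [
    User("alice", "Vault Owner", True, "SSO Policy", "alice@idp.example"),
    User("bob", "Vault Owner", True, "Password Policy"),
    User("carol", "Standard User", False, "SSO Policy"),
    User("dave", "Vault Owner", True, "Password Policy", active=False),
]

if __name__ == "__main__":
    for finding in preflight(USERS, "SSO Policy", {"SSO Policy"}):
        print(finding)
```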
