---
title: Setting up single sign-on (SSO)
summary: null
url: >-
  https://www.fastly.com/documentation/guides/account-info/user-and-account-management/setting-up-single-sign-on-sso
---

This guide explains how to set up and enable single sign-on (SSO) when using an identity provider (IdP) for authentication.

SSO allows users to access multiple applications with a single set of credentials. An IdP manages authentication requests, enforces security policies, and reduces the need for separate passwords across different systems. By centralizing identity management, you can simplify access control and ensure consistent authentication policies across your organization.

By integrating SSO, you can automate authentication workflows, allowing users from different systems to log in with their existing credentials. You can also enforce security measures such as [multi-factor authentication](https://www.fastly.com/documentation/guides/account-info/user-and-account-management/managing-two-factor-authentication/) (MFA) and [role-based access controls](https://www.fastly.com/documentation/guides/account-info/user-and-account-management/about-user-roles-and-permissions) to protect sensitive information. Once configured, SSO provides a seamless login experience while maintaining strong security across all connected applications.

SSO is also a key step toward automating user management. While it streamlines authentication, protocols like System for Cross-domain Identity Management (SCIM) handle user provisioning, updates, and deactivation. If you plan to [automate account lifecycle management with SCIM](https://www.fastly.com/documentation/guides/account-info/user-and-account-management/automating-user-management/), enabling SSO is a necessary first step.

> **HINT:** You can set up SSO for Signal Sciences accounts too. Check out [our enablement guide](https://www.fastly.com/documentation/guides/next-gen-waf/account-info/setting-up-single-sign-on-sso) for details.

## Prerequisites

To enable SSO or require that it be applied to all of your organization’s users when they log in to the Fastly control panel, you must:

- be assigned the role of [superuser](https://www.fastly.com/documentation/guides/account-info/user-and-account-management/about-user-roles-and-permissions) for your Fastly account
- have access to your IdP’s administration console

In addition, your IdP must support:

- Security Assertion Markup Language 2.0 (SAML 2.0)
- Service Provider (SP) or IdP-initiated SSO for [login purposes](https://www.fastly.com/documentation/guides/account-info/user-and-account-management/logging-in-and-using-fastly#before-you-begin)

You should also review this feature's [limitations](https://www.fastly.com/documentation/guides/account-info/user-and-account-management/setting-up-single-sign-on-sso#limitations-and-considerations) before enabling SSO.

## Enabling SSO

Start by selecting an IdP and configuring that provider’s settings, keeping the prerequisites in mind.

> **HINT:** Save time by leaving both your Fastly control panel and your Okta windows open while you're enabling SSO. You'll be copying information back and forth between them while you set things up.

### Okta

Start by selecting Okta as the IdP in the Fastly control panel:

1. Log in to the [Fastly control panel](https://manage.fastly.com).
2. Go to **Account** > [**Single sign-on**](https://manage.fastly.com/account/sso).
3. From the **Identity provider** menu, select **Okta**.

Next, set up the Okta SSO settings:

1. Log in to the Okta app.
2. Go to **Applications** > **Applications** and select the Fastly app you're the administrator for.
3. Click **Sign On** from the application tabs.
4. From the **SAML 2.0** area, copy the **Metadata URL**.

Then, save the metadata file:

1. In the address field of a new browser window, paste the **Metadata URL** you just copied to display the IdP metadata.
2. Right-click in your browser window and select **Save As** from the menu that appears to save this metadata file locally. You'll need this file to complete the setup in the Fastly control panel.

Next, go back to the Fastly control panel window and upload the metadata file to Fastly:

1. Click **Upload XML IdP metadata file** to upload the metadata file you just saved.
2. From the **SSO token** field, copy the SSO token.

Go back to the Okta window to edit your remaining Okta settings:

1. On the **Sign On** tab in the **Settings** area, click **Edit**.
2. In the **SAML 2.0** area, deselect **Disable Force Authentication**.
3. In the **SSO token** field of the **Advanced Sign-on Settings** area, paste the authentication token you just copied from the Fastly control panel.
4. From the **Application username format** menu in the **Credentials Area**, select **Email**.
5. Click **Save**.

Then return to the Fastly control panel and click **Save and enable SSO** to complete the setup.

### Other IdPs

1. Log in to the [Fastly control panel](https://manage.fastly.com).

2. Go to **Account** > [**Single sign-on**](https://manage.fastly.com/account/sso).

3. Click **Add SAML Configuration**.

4. From the **Identity provider** menu, select your organization's IdP.

   ![the sections of the SSO page that allow you to select your identity provider and configure your IdP](/img/sso-setup.png)

5. Using the configuration details that appear in the Fastly control panel, create a new SAML 2.0 application in your IdP's administration console and assign the application to new and existing users. Refer to your IdP's documentation for more information.

6. After creating the SAML 2.0 application in your IdP, download the XML metadata file with your application’s SAML configuration. The XML file includes a public certificate used to verify the signature of SAML assertions.

7. Upload your IdP metadata file. You can do this by dragging and dropping the file into the area provided or by browsing for the file and uploading it.

   ![the IdP metadata box](/img/sso-metadata-box.png)

8. Click **Save and Enable SSO**.

9. In the confirmation window, click **Save and Enable SSO**. Your metadata will be saved and the SSO controls will indicate that SSO is enabled.

> **IMPORTANT:** If you have SSO configured but don't currently enforce it, users will need to click **Try another way** on the login screen to sign in via username (email) and password.

## Requiring SSO for your organization

To require SSO for everyone in your organization except superusers, follow these instructions.

1. Log in to the [Fastly control panel](https://manage.fastly.com).

2. Go to **Account** > [**Single sign-on**](https://manage.fastly.com/account/sso).

   ![the "Single sign-on" control and the "enforce SSO" control on the single sign-on page in the account settings](/img/sso-enabled-force-sso.png)

3. Select the **Immediately enforce SSO** checkbox that appears below the SAML configuration switch.

4. In the confirmation window, click **Start enforcing SSO**. Currently open non-SSO sessions for users assigned the role of user, billing, or engineer will be logged out and they will need to re-authenticate using SSO via your IdP.

> **HINT:** Users who have been assigned the [role of superuser](https://www.fastly.com/documentation/guides/account-info/user-and-account-management/about-user-roles-and-permissions) can always log in with their email address and password, whether or not **Single sign-on** is enabled.

## Performing account tasks differently with SSO enabled

If your organization has enabled SSO, you may notice different feature availability in the Fastly control panel. This section describes the differences.

- **Changing your email address and password.** Because SSO requires user email addresses in Fastly to match those in the IdP, you won't be able to [change your email address](https://www.fastly.com/documentation/guides/account-info/user-and-account-management/changing-names-and-email-addresses#changing-your-name) while logged in using SSO. You also won't be able to [modify your password](https://www.fastly.com/documentation/guides/account-info/user-and-account-management/changing-and-resetting-passwords) or [enable two-factor authentication](https://www.fastly.com/documentation/guides/account-info/user-and-account-management/managing-two-factor-authentication).
- **Creating an API token.** To create an [API token](https://www.fastly.com/documentation/guides/account-info/user-and-account-management/using-api-tokens) while logged in to the Fastly control panel using SSO, you'll need to reauthenticate with your IdP. Follow the instructions for creating an API token and click the **Re-Authenticate** button on the Create a Token page.
- **Setting a default account.** When you have multiple accounts configured to use SSO, you can't _manually_ set a [default account](https://www.fastly.com/documentation/guides/account-info/user-and-account-management/managing-multiple-accounts/#setting-a-default-account). Instead, the default account will be automatically set to the first account to which you've been invited.
- **Managing sessions.** Sessions created by logging in to the Fastly control panel using SSO or with a username and password can remain active for up to 12 hours. If you close your browser, your session will automatically expire after 30 minutes.

## Changing SSO providers

To change SSO providers, follow these instructions.

> **WARNING:** Disabling the SSO feature for your organization will expire all active SSO sessions, including your own. Users will automatically be logged out of the Fastly control panel.

1. Log in to the [Fastly control panel](https://manage.fastly.com).
2. Go to **Account** > [**Single sign-on**](https://manage.fastly.com/account/sso).
3. From the **Options** menu, select **Upload new SAML configuration**.
4. In the confirmation window, click **Continue** to delete your existing SAML configuration.
5. Follow the instructions in the [enabling SSO](https://www.fastly.com/documentation/guides/account-info/user-and-account-management/setting-up-single-sign-on-sso#enabling-sso) section.

## Updating SAML certificates without changing SSO providers

When your SAML certificate is expiring or needs to be updated, you can replace it by uploading a new SAML configuration, all without changing your SSO provider.

1. Log in to the Fastly control panel.
2. Go to **Account** > [**Single sign-on**](https://manage.fastly.com/account/sso).
3. From the **Options** menu, select **Upload new SAML configuration**.
4. In the confirmation window, click **Continue** to delete your existing SAML configuration.

## Disabling SSO

To disable SSO for your organization, either permanently or temporarily (e.g., when your SSO provider is experiencing an outage), follow these instructions. Disabling SSO won't delete your SSO settings, and you can re-enable SSO at any point using the same IdP configuration metadata you uploaded when you first enabled SSO.

> **WARNING:** Disabling the SSO feature for your organization, even temporarily, will expire all active SSO sessions, including your own, and will automatically log users out of the Fastly control panel.

1. Log in to the [Fastly control panel](https://manage.fastly.com).

2. Go to **Account** > [**Single sign-on**](https://manage.fastly.com/account/sso).

   ![the "Single sign-on" control and the "enforce SSO" control on the single sign-on page in the account settings](/img/sso-enabled-force-sso.png)

3. Click the **Single sign-on** switch to disable SSO for your organization.

4. In the confirmation window, click **Disable SSO**. SSO will be disabled and will not be required for your organization's users. All active SSO sessions will expire, including your own, and users will automatically be logged out of the Fastly control panel.

## Bypassing single sign-on for selected users

If your organization has single sign-on enabled for everyone, any superuser can enable another superuser to bypass SSO for their account. This allows them to log in to the Fastly control panel via their username and password, without needing to authenticate through your SSO provider. To do this, be sure to select **Bypass SSO** when [adding them](https://www.fastly.com/documentation/guides/account-info/user-and-account-management/managing-users) to your account or [editing](https://www.fastly.com/documentation/guides/account-info/user-and-account-management/about-user-roles-and-permissions#changing-user-roles-and-access-permissions-for-existing-users) their roles and access permissions.

## Limitations and considerations

The [SHA-1](https://en.wikipedia.org/wiki/SHA-1) cryptographic algorithm [has been retired](https://www.nist.gov/news-events/news/2022/12/nist-retires-sha-1-cryptographic-algorithm) by the National Institute of Standards and Technology (NIST), which recommends upgrading to more advanced and secure replacements such as those from the [SHA-2 family of hash functions](https://en.wikipedia.org/wiki/SHA-2), like SHA-256. Consider using or upgrading to these more advanced algorithms for SAML certificate signing in your SSO setup in advance of the NIST-recommended phase-out deadline.
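
The IdP metadata file you upload carries the public certificate used to verify SAML assertions, so you can check how that certificate was signed before uploading it. The following Python is an added example, not Fastly's code: it reads each signing certificate from SAML 2.0 IdP metadata and flags SHA-1 signatures. The function names are assumptions introduced here, and `sample_metadata` builds a constructed DER skeleton rather than a real certificate.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# DER content bytes (hex) of common certificate signature-algorithm OIDs.
SIG_ALGS = {"2a864886f70d010105": "sha1WithRSAEncryption",
            "2a864886f70d01010b": "sha256WithRSAEncryption",
            "2a8648ce3d0401": "ecdsa-with-SHA1",
            "2a8648ce3d040302": "ecdsa-with-SHA256"}

def read_tlv(buf, pos):  # -> (tag, value_start, value_end) of the DER element
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def cert_signature_algorithm(der):
    """Name the algorithm used to sign an X.509 certificate (DER bytes)."""
    _, cert_start, _ = read_tlv(der, 0)        # Certificate SEQUENCE
    _, _, tbs_end = read_tlv(der, cert_start)  # skip tbsCertificate
    _, alg_start, _ = read_tlv(der, tbs_end)   # signatureAlgorithm SEQUENCE
    tag, oid_start, oid_end = read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("expected an OID in signatureAlgorithm")
    oid = der[oid_start:oid_end].hex()
    return SIG_ALGS.get(oid, "unknown OID " + oid)

def audit_idp_metadata(xml_text):
    """Return [(algorithm, is_sha1)] for each signing cert in IdP metadata."""
    findings = []
    root = ET.fromstring(xml_text)
    for kd in root.findall(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # no 'use' covers signing too
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            alg = cert_signature_algorithm(base64.b64decode(cert.text))
            findings.append((alg, "sha1" in alg.lower()))
    return findings

def sample_metadata(oid_hex):  # constructed sample: DER skeleton, not a real cert
    tlv = lambda tag, body: bytes([tag, len(body)]) + body  # short-form DER only
    alg = tlv(0x30, tlv(0x06, bytes.fromhex(oid_hex)) + tlv(0x05, b""))
    der = tlv(0x30, tlv(0x30, b"") + alg + tlv(0x03, b"\x00"))
    return ('<md:EntityDescriptor xmlns:md="%s" xmlns:ds="%s"><md:IDPSSODescriptor>'
            '<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
            '<ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo>'
            '</md:KeyDescriptor></md:IDPSSODescriptor></md:EntityDescriptor>'
            % (NS["md"], NS["ds"], base64.b64encode(der).decode()))
```

Pass the text of the metadata file you saved from your IdP to `audit_idp_metadata`; a `True` flag means that certificate was signed with SHA-1.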

## Related content

- [Customer API documentation](https://www.fastly.com/documentation/reference/api/account/customer/)
