> For the complete documentation index, see [llms.txt](https://help.dscout.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://help.dscout.com/account-management/user-management-and-security/set-up-saml-sso.md).

# Set up SAML SSO

{% hint style="info" %}
**Note:** SAML SSO is only available on **Core**, **Plus**, **Select**, and **Enterprise** plans.
{% endhint %}

{% hint style="success" %}
You’ll need Admin or Account Owner access to your Dscout account to set up SSO. If possible, we also recommend partnering with your organization’s IT team as they will be most familiar with your organization’s security details and systems.
{% endhint %}

Single sign-on (**SSO**) is a faster, easier, and more secure way for users to log in to the Dscout platform. SSO works by establishing a connection between a service provider (**SP**)—in this case, Dscout—and an identity provider (**IdP**) like Okta, OneLogin, or Google. Once configured, Dscout can rely on your IdP to authenticate users rather than requiring users to enter a standard set of credentials like an email and password.

SSO in Dscout - Video generated with Synthesia

If you have any issues or feedback, our support team is always happy to help at <support@dscout.com>.

**Dscout supports the following methods of SSO:**

* SAML 2.0 (both SP-initiated and IdP-initiated).
* [Google Sign-In](/account-management/user-management-and-security/set-up-google-sign-in-sso.md) (Google OAuth).
* [Okta](/account-management/user-management-and-security/sso-okta-integration.md).

This article walks you through enabling **SSO in Dscout using SAML 2.0**. If you want to enable another method of SSO, use the links above to view their specific instructions.

### Enable SAML SSO

Setting up SAML SSO requires configuration in both your IdP and Dscout. The following process will have you start by entering details about Dscout into your IdP. Then, you’ll do the same in reverse, entering details about your IdP into Dscout. Finally, you’ll test the configuration and turn it on for your Dscout users.

#### Configure your IdP

Common IdPs your organization might be using include OneLogin and ADFS, but there are plenty of other possibilities too. On top of that, every IdP is different when it comes to configuration. (Remember, it’s not too late to loop in your organization’s IT expert!) With that said, here are the specific items you must configure in your IdP before you can enable SSO in Dscout:

* **Dscout entity ID:** `https://dscoutapp.com/auth/saml`
* **ACS URL:** `https://auth.dscout.com/sso/sp/consume/<account_id>`
* **Binding type:** `POST`
* **Default relay state (for IdP-initiated SSO only):** `https://app.dscout.com/efflux/home/<account_id>`
* **Mapping attribute:** Either add your attribute name or confirm you have a mapping attribute with the name `email` that maps to the user’s email address.

{% hint style="info" %}
For both the ACS URL and the default relay state, be sure to replace with your actual account ID. You can find this in the URL of any page within Dscout. For example, in the URL *app.dscout.com/**account**/home*, **account** is the account ID.
{% endhint %}

You’ll know configuration is complete when your IdP provides you with an XML metadata file. You’ll need this metadata in the next section, so save it in place where you can easily access it. Once you’ve done that, proceed to the next section.

#### Configure SSO in Dscout

Now that you’ve configured your IdP and have your metadata file, you’ll configure SSO in Dscout. In this section, you’ll set up SSO in Test mode so you can ensure it’s working properly. Later, you’ll test your configuration and enable it.

**To configure SSO in Dscout:**

{% stepper %}
{% step %}
In the sidebar navigation, click your Dscout account name. A drop-down opens displaying the accounts you belong to.
{% endstep %}

{% step %}
Click the **Settings** icon beside the account where you want to enable SSO. The **Account management** page is displayed.

![](/files/35821ce0b85794ff044e8d8ff1c873d34ceb660f)
{% endstep %}

{% step %}
Select the **Settings** tab.
{% endstep %}

{% step %}
Select **SSO** in the sidebar.
{% endstep %}

{% step %}
Click **Edit.**

![](/files/e11ab9511b20e393f27713c82740a01146e8c173)
{% endstep %}

{% step %}
Select **SAML** from the **Authentication type** drop-down.
{% endstep %}

{% step %}
Select **Test mode** from the **Status** drop-down.

![](/files/ec7c57a0b4540ff679214fb35655a3bdabdd1086)
{% endstep %}

{% step %}
Under **SSO enforcement** select which users to require SSO to log in. You have the following options:

* **Only require users with specified email domain to use SSO.** (Recommended if your Dscout account is accessed by users outside of your organization. For example, contractors or consultants.)
* **Force everyone regardless of email domain to use SSO.** (Recommended if your Dscout account is only accessed by users inside of your organization.)
  {% endstep %}

{% step %}
(If applicable) Enter the **SSO domain** you want to require SSO when logging in. For example, **domain.com**.

![](/files/4729cbfa7c8b1e08e43f1878e72658cbfa1b22f1)
{% endstep %}

{% step %}
Enter **email** in the **Mapping attribute** field. This is the piece of data Dscout looks for in your IdP to associate a user with their Dscout account. The attribute must match the mapping attribute as set up in your IdP in the previous section.
{% endstep %}

{% step %}
Copy and paste the metadata from your IdP into the **Metadata (XML)** text box.
{% endstep %}

{% step %}
Click **Save.**
{% endstep %}
{% endstepper %}

Now, your SSO configuration has been saved in Test mode. The means that users can still sign in using their standard email and password, but they also have the option of using SSO. Next, you’ll test your configuration to ensure it’s working properly, then enforce it.

#### Test your SSO configuration

With SSO in Test mode, have one of your Dscout users attempt to log in using SSO. This user should be someone with your company’s domain to ensure the test is accurate. If the user runs into any issues, revisit the steps for configuring both your IdP and Dscout to ensure all settings are correct. Once the user is able to log in using SSO without any problems, proceed to the next section.

#### Enable SSO in Dscout

Once you’ve tested your SSO configuration and have verified it’s working as expected, the next step is to enable it for all users. Once SSO is enabled, it will be enforced for either all users or all users with your company domain (depending on your **SSO enforcement** selection).

**To enable SSO in Dscout:**

{% stepper %}
{% step %}
On the **SSO** settings page, click **Edit** beside your SSO configuration.
{% endstep %}

{% step %}
Select **Enabled** from the **Status** drop-down.

![](/files/f11841ddeedcd8eb9d365bef1368944a973ca877)
{% endstep %}

{% step %}
Click **Save**.
{% endstep %}
{% endstepper %}

Now, you’re brought back to the **SSO** settings page where you’ll see that SSO is set to **Enabled**. Users currently logged in to Dscout will not be logged out, but users will be prompted to use SSO the next time they log in to the platform.

### Disable SAML SSO

If you no longer wish to use SSO on your Dscout account, you can disable it from the SSO page of your account settings.

**To disable SSO:**

{% stepper %}
{% step %}
In the sidebar navigation, click your Dscout account name. A drop-down opens displaying the accounts you belong to.
{% endstep %}

{% step %}
Click the **Settings** icon beside the account where you want to disable SSO. The **Account management** page is displayed.
{% endstep %}

{% step %}
Select the **Settings** tab.
{% endstep %}

{% step %}
Select **SSO** in the sidebar. The **SSO** page appears showing your current SSO configuration.
{% endstep %}

{% step %}
Click **Edit**.
{% endstep %}

{% step %}
Select **Disabled** from the **Status** drop-down.

![](/files/3bd01f720a747b83ab6cbb1379ab60d5ccb16e5a)
{% endstep %}

{% step %}
Click **Save**.
{% endstep %}
{% endstepper %}

Now, SSO is disabled for your Dscout account. Users currently logged in will not be logged out, however they will be prompted to use their standard email and password credentials the next time they log in to the platform. If you want to turn SSO back on, simply set the **Status** to **Enabled** again, but be sure your IdP details are still the same. If your IdP details have changed, complete the configuration like new.

### Troubleshooting SAML SSO

If you encounter any errors while setting up SAML SSO, use the following troubleshooting tips to resolve them.

<details>

<summary>Why do users have to go to the non-SSO screen and click on the “Sign in with SSO” link?</summary>

Please bookmark *<https://app.dscout.com/auth/sign\\_in/sso>* instead of *<https://app.dscout.com/sign\\_in>*. It will users directly to the SSO page.

</details>

<details>

<summary>Users belonging to multiple Dscout accounts</summary>

It’s possible for a single user to belong to multiple Dscout accounts. However, a single user account can only be associated with one Dscout account where SAML SSO is enabled. You have two options to resolve this issue:

* Work with the listed user(s) to identify any of your organization’s Dscout projects they need to maintain access to. Then, have the user create a new account using a different email address that you can grant access to your Dscout account as well as the necessary projects. (In the case of contractors, third-party consultants, or similar, consider providing them with an email address with your domain.) Finally, delete the user’s old account from your Dscout account. Once all conflicts have been resolved, you will no longer see this error and can proceed with enabling SSO.
* If the listed user(s) would rather keep their current account associated with your Dscout account, or if they don’t know which other Dscout account they might be associated with, have them reach out to <support@dscout.com>. Our support team will then help remove their access from any accounts causing the conflicts. Once all conflicts have been resolved, you will no longer see this error and can proceed with enabling SSO.

{% hint style="info" %}
Dscout will allow you to turn SAML SSO on in Test mode if it is also set to Test mode in the Dscout accounts where you have conflicting users. Follow the guidance in your specific error message to proceed, but be aware this could cause conflicts for other Dscout administrators if they attempt to change the status of their SSO configuration.
{% endhint %}

{% hint style="info" %}
User with a new SSO account does not see any missions, projects, etc

This is likely caused by a difference in email on the SSO and non-SSO accounts. For example, the non-SSO account could be for *<j.doe@acme.com>* and that account will have all the missions. But that email could be an alias and the canonical address is *<jane.doe@acme.com>*. That is the email that would be “used” by the SSO.

To fix this, please change the email on the non-SSO account to the canonical email address. The customer can change the email associated with the customer's non-SSO Dscout login to the canonical email in their IdP.
{% endhint %}

</details>

<details>

<summary>SAML artifact resolution requests issued by the SP signed with RSA/SHA2</summary>

If you are looking for SAML artifact resolution requests issued by the SP to be signed using an RSA/SHA2 algorithm, Dscout does not support this. We do not support request signing, which is optional under SAML spec, because we already use TLS/SSL.

</details>

<details>

<summary>IdP signature not present on the assertion</summary>

During an SSO flow, the IdP will relay a signature to Dscout's ACS URL in one of two ways: attached to the response or attached to the assertion. **Dscout requires the IdP's signature be attached to the assertion.** Most IdPs are configured this way by default, but some (PingFederate, for example) are not. If you run into issues with SSO, verify that your IdP is configured in this way, then try again.

</details>

<details>

<summary>OneLogin IdP details</summary>

Please set the Audience value to match the Entity ID.

</details>

<details>

<summary>"Unsupported NameIDFormat" or "access\_denied {:saml\_error..." error</summary>

Dscout's implementation of SAML 2.0 does not support multiple *NameIDFormat* elements in the *metadata.xml*. The official SAML spec does allow for this but this is not something Dscout's SSO implementation supports at the moment.

The fix is simple - please remove all but one *NameIDFormat* element. The remaining one should be the unspecified value. Eg, *urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified*.

</details>

<details>

<summary>"access\_denied {:saml\_error..." error</summary>

Another potential reason for this error is that the user has not been added to the Dscout account. Please make sure the user email, as it appears in your IdP, has been added to Dscout first.

</details>

<details>

<summary>"access\_denied {:saml\_error, ..., "Signature required" error</summary>

You are are likely missing `saml:AttributeStatement` for the email mapping.

</details>

<details>

<summary>"access denied: bad\_audience" error while attempting to log in</summary>

Please ensure that the Entity ID configured in your IdP is correct. It should be *<https://dscoutapp.com/auth/saml>* . Note that it is different from our domain name.

</details>

<details>

<summary>"unknown IdP" error while attempting to log in</summary>

This typically means that you have configured the ACS URL incorrectly. Our documentation lists the ACS URL as *<https://auth.dscout.com/sso/sp/consume/>* , please make sure to replace with your Dscout account ID in your configuration.

</details>

<details>

<summary>"bad\_digest" error while attempting to log in</summary>

This error usually indicates that something went wrong with the SAML assertion signature. Please confirm that your IdP is set up to sign the assertion being sent to Dscout.

</details>

<details>

<summary>"bad\_match" error while attempting to log in</summary>

Your SAML assertion in the response from your IdP does not contain the *KeyInfo* and *X509Certificate* elements. Dscout requires this information to validate against your account’s configuration on our end. Please update your configuration to include that information.

</details>

<details>

<summary>"Found an unexpected number of Signature Element" error</summary>

This error is usually due to setting up a Redirect instead of POST binding. Please ensure you have configured POST in your IdP.

</details>

<details>

<summary>invalid\_cert error</summary>

The certificate included in your SAML response is not the same as the certificate you configured in metadata.xml within Dscout. Please ensure the certificates are the same.

</details>

<details>

<summary>access\_denied :invalid\_target\_url</summary>

You have a misconfigured ACS URL for the IdP initiated sign in.

</details>


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://help.dscout.com/account-management/user-management-and-security/set-up-saml-sso.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
