# Enable SAML Single Sign-On

Account administrators can enable [SAML single sign-on (SSO)](https://en.wikipedia.org/wiki/Security_Assertion_Markup_Language) so that account users access your brand's impact.com account either through a supported identity provider (IDP) or via a unique sign-in link. Choose whichever method you prefer.

SAML SSO relies on a connection between impact.com and your identity provider. impact.com currently supports the following providers:

* AD FS
* Okta
* OneLogin
* Microsoft Entra ID

#### Enable SAML SSO

{% hint style="warning" %}
**Warning:** If you already have SAML SSO enabled and want to switch providers, you'll need help from our Technical Services team. Before you [log a ticket](https://impact.atlassian.net/servicedesk/customer/portal/6/group/1088), make sure to save your existing IDP metadata file to your local device and prepare a list of usernames that need to be migrated.
{% endhint %}

{% stepper %}
{% step %}

#### **Step 1: Upload IDP metadata file**

Before starting, make sure you have your **IDP metadata file** in .XML format handy — this file needs to be uploaded to impact.com.

1. From the top navigation bar, select ![](https://4048883401-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FwMLlMoFBtKJa8ptd3zaw%2Fuploads%2Fgit-blob-1183576591b45997efe4dc81a25024640591d02a%2F245137dc972a7a7f6165b59538fcdbac8fd5bd8fee4ba9f20c1a2982c5b58b57.svg?alt=media) **\[User profile] → Settings**.
2. In the left column, under *General,* select **Account User Authentication**.
3. Next to the *Authentication type* line item, select ![](https://4048883401-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FwMLlMoFBtKJa8ptd3zaw%2Fuploads%2Fgit-blob-b5e1740618ed6571d97b8fed7c25a7678f85d375%2F299632fb6f4f91fbf9847471754cc6180e4284a65b4960af4c4ea472a159f552.svg?alt=media) **\[Check box] SAML** and use the ![](https://4048883401-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FwMLlMoFBtKJa8ptd3zaw%2Fuploads%2Fgit-blob-df93ac0f80fc5cece7983980a5ce3fbcf19aabce%2F3ef9d737089bc07dbb7e4fd41a97edfbaec261e4f55ab3a1666f3daf957f69c3.svg?alt=media) **\[Drop-down menu]** to select your identity provider.
4. Use the file picker to find and **upload your .XML metadata file**.
5. At the bottom of the screen, select **Save**.

   <div data-with-frame="true"><figure><img src="https://4048883401-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FwMLlMoFBtKJa8ptd3zaw%2Fuploads%2Fgit-blob-d95efdb6cd2b7d870e402a7245be6d5b30d6b542%2F8c68969149f47881e416573435b0f7fdd6067e71b50b8d7ab87fe78b9c070d5b.png?alt=media" alt="" width="563"><figcaption></figcaption></figure></div>

{% endstep %}

{% step %}

#### **Step 2: Enable SAML SSO for account users**

Complete the following steps for each individual user who will sign in with SAML SSO:

1. From the top navigation bar, select ![](https://4048883401-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FwMLlMoFBtKJa8ptd3zaw%2Fuploads%2Fgit-blob-1183576591b45997efe4dc81a25024640591d02a%2F245137dc972a7a7f6165b59538fcdbac8fd5bd8fee4ba9f20c1a2982c5b58b57.svg?alt=media) **\[User profile] → Settings**.
2. In the left column, go to *General* and select **Account Users**.
3. Hover your cursor over a user and select **\[More] → Edit Access Rights**.
4. In the *User Signup Method* section, select **SAML**.
5. At the bottom of the slide-out, select **Save**.

   <div data-with-frame="true"><figure><img src="https://4048883401-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FwMLlMoFBtKJa8ptd3zaw%2Fuploads%2Fgit-blob-a2b902e77831e90a91fd00189da9380f553b8a2c%2Ff13eaf5a71eeffb85357cca2e1c6326ce8b5c61d50e1c6e93d167b79b848a59e.png?alt=media" alt="" width="563"><figcaption></figcaption></figure></div>

{% endstep %}

{% step %}

#### **Step 3: Configure user sign in via SAML SSO**

There are 2 ways for users to access impact.com with SAML SSO:

* **Through your identity provider (IDP)** — Configure a connection/connector in your IDP and use it to sign users in.
* **Through your brand’s unique login link** — For users who do not sign in via the IDP connection.

**Option A: Identity provider sign-in**

* **OneLogin** — In OneLogin, find the *Impact Partnership Cloud* connection in the *OneLogin App Catalog* and follow the on-screen instructions to enable and configure the app.
* **AD FS, Okta, & Microsoft Entra ID** — Create a new custom connection with these exact values:

  | Field                                    | Value to input                    |
  | ---------------------------------------- | --------------------------------- |
  | Single Sign On URL / Reply URL / ACS URL | <https://app.impact.com/saml/SSO> |
  | Recipient URL                            | <https://app.impact.com/saml/SSO> |
  | Destination URL                          | <https://app.impact.com/saml/SSO> |
  | Audience Restriction                     | <https://app.impact.com>          |
  | Name ID Format                           | EmailAddress                      |
  | Response                                 | Signed                            |
  | Assertion Signature                      | Signed                            |
  | Signature Algorithm                      | RSA\_SHA1                         |
  | Digest Signature                         | SHA1                              |
  | Assertion Encryption                     | Unencrypted                       |
  | SAML Single Logout                       | Disabled                          |
  | AuthnContextClassRef                     | PasswordProtectedTransport        |
* **Microsoft Entra ID** — The same values, listed under the field names Entra ID shows:

  | Field                                                                 | Value to input                    |
  | --------------------------------------------------------------------- | --------------------------------- |
  | Reply URL (Assertion Consumer Service URL)                            | <https://app.impact.com/saml/SSO> |
  | Reply URL (implicitly)                                                | <https://app.impact.com/saml/SSO> |
  | Identifier (Entity ID)                                                | <https://app.impact.com>          |
  | Name identifier format (Advanced Settings → “Name identifier format”) | EmailAddress                      |
  | Response Signing Option (Sign SAML response)                          | Signed                            |
  | Sign SAML Assertion (option)                                          | Signed                            |
  | Signing Algorithm                                                     | RSA\_SHA1                         |
  | Digest Algorithm                                                      | SHA1                              |
  | Encryption Certificate (optional)                                     | Unencrypted                       |
  | Single Logout URL                                                     | Disabled                          |
  | Default AuthnContextClassRef (not exposed directly)                   | PasswordProtectedTransport        |

The values you enter must match the values above exactly. For example, do not add a trailing slash to the *Single Sign On URL / Reply URL / ACS URL* field like this: `https://app.impact.com/saml/SSO`**`/`**, and do not enter multiple URL values. Also make sure that each user's email address in your IDP matches exactly the email address of that user in impact.com, since the Name ID is the email address.
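As an added check that is not part of impact.com's documentation or any IDP's tooling: the script below parses a SAML Response captured from a test sign-in at your IDP (a constructed sample is embedded) and reports every field that does not match the required values, including the trailing-slash mistake called out above. It inspects configuration values only; signature verification is left to impact.com.

```python
# Added example, not impact.com's or any IDP's code: parse a SAML Response captured from a
# test sign-in at your IDP and compare it with the exact values the tables above require.
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}
ACS_URL = "https://app.impact.com/saml/SSO"  # exact value, no trailing slash
AUDIENCE = "https://app.impact.com"
NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
AUTHN_CONTEXT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

def check_response(xml_text):
    """Return a list of mismatches against the required values; an empty list means OK."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("Destination") != ACS_URL:
        problems.append(f"Destination {root.get('Destination')!r} != {ACS_URL!r}")
    if root.find("ds:Signature", NS) is None:
        problems.append("Response is not signed")
    if root.find("saml:EncryptedAssertion", NS) is not None:
        problems.append("Assertion is encrypted; Assertion Encryption must be Unencrypted")
    a = root.find("saml:Assertion", NS)
    if a is None:
        return problems + ["no Assertion element found"]
    if a.find("ds:Signature", NS) is None:
        problems.append("Assertion is not signed")
    checks = [  # (path below the Assertion, attribute or None for element text, expected value)
        ("saml:Subject/saml:NameID", "Format", NAMEID_FORMAT),
        ("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", "Recipient", ACS_URL),
        ("saml:Conditions/saml:AudienceRestriction/saml:Audience", None, AUDIENCE),
        ("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", None, AUTHN_CONTEXT),
    ]
    for path, attr, expected in checks:
        el = a.find(path, NS)
        actual = None if el is None else (el.get(attr) if attr else (el.text or "").strip())
        if actual != expected:
            label = path.rsplit(":", 1)[-1] + (f" {attr}" if attr else "")
            problems.append(f"{label} {actual!r} != {expected!r}")
    return problems

# Constructed sample; the empty Signature elements are placeholders (values are checked, not signatures).
SAMPLE_OK = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 Destination="https://app.impact.com/saml/SSO"><ds:Signature/><saml:Assertion><ds:Signature/>
 <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">
 user@example.com</saml:NameID><saml:SubjectConfirmation><saml:SubjectConfirmationData
 Recipient="https://app.impact.com/saml/SSO"/></saml:SubjectConfirmation></saml:Subject>
 <saml:Conditions><saml:AudienceRestriction><saml:Audience>https://app.impact.com</saml:Audience>
 </saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement><saml:AuthnContext>
 <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
 </saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement></saml:Assertion></samlp:Response>"""
```

Run `check_response()` on the Base64-decoded SAMLResponse your browser posts to `/saml/SSO` during a test login; an empty list means every value in the tables matches.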

**Option B: Branded link sign-in**

If a user is not signing in via your IDP, they can use a unique branded login link to access your impact.com account. To get this login link:

1. From the top navigation bar, select ![](https://4048883401-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FwMLlMoFBtKJa8ptd3zaw%2Fuploads%2Fgit-blob-1183576591b45997efe4dc81a25024640591d02a%2F245137dc972a7a7f6165b59538fcdbac8fd5bd8fee4ba9f20c1a2982c5b58b57.svg?alt=media) **\[User profile] → Settings**.
2. In the left column, under *Branding*, select **Advertiser Login Branding**.
   * Your branded link will look similar to this: `https://app.impact.com/abe/Stark-Industries12345678912345/login.user?preview=t`
3. From the *Login Link* field, copy and save the *Login Link* so you can distribute it to your impact.com account members.

{% hint style="warning" %}
**Important:** The only thing this branded login link is used for is letting users sign in directly to impact.com when they’re not using your IDP. Do not enter this link in your IDP’s *Single Sign-On URL / Reply URL / ACS URL* field.
{% endhint %}
{% endstep %}
{% endstepper %}
