# SSO and SAML

Seal supports SAML single sign-on through an embedded authentication portal. Tenant Admins configure their identity provider (IdP) by opening the portal from Seal's Settings; the actual SAML metadata exchange happens there.

## Opening the configuration screen

1. Sign in to Seal as a user with the **Admin** role.
2. In **Settings**, open the **Admin portal** page. The page explains that Seal uses the Frontegg platform for authentication and provides an **Admin portal** button.
3. Click the **Admin portal** button. A pop-up window opens to the Frontegg configuration screen, where you set up SAML, multi-factor authentication, and other authentication features for your tenant.

## Configuring SAML

Inside the configuration screen, set up your IdP using the standard SAML steps:

* Provide the IdP metadata URL or upload an XML metadata file.
* Map SAML attributes (email, display name, and any role attribute you want Seal to consume).
* Set the application's ACS URL and entity ID in your IdP, using the values shown in the screen.

Field-level help and per-IdP guidance live inside the configuration screen rather than in these docs.

## Auto-provisioning

Once SAML is configured for your tenant, any user at your organization can sign in directly through your IdP. The first time a user signs in, Seal auto-provisions an account in your tenant. They do not need a separate email invite.

The role auto-provisioned users receive depends on your IdP attribute mapping. Configure attribute mappings in the authentication portal to assign roles automatically; otherwise, an Admin will need to update each new user's role from **Settings > Roles and Permissions** after their first sign-in.

{% hint style="warning" %}
**VERIFY: password fallback when SAML is configured.** When a tenant has SAML enabled, password-based sign-in for that tenant's users may still work as a fallback or may be disabled entirely. Confirm the policy with Seal before publishing this page; the answer determines whether your organization needs to enforce SAML-only at the IdP side or whether password sign-in remains available.
{% endhint %}

## Related

* [Inviting and managing users](/new-documentation/new-docs/users-and-sso/inviting-users.md): when SAML is not configured, this is how you add users.
* [User roles](/new-documentation/new-docs/users-and-sso/user-roles.md): what each role can do, including roles assigned through SAML attribute mapping.
* [Sign up and sign in](/new-documentation/new-docs/sign-up-and-sign-in.md): the user-side sign-in experience, including SSO.

