# Enterprise Security and SSO

For organizations on the Enterprise plan, Shade supports integrating your workspace with an identity provider. Once configured, team members with your verified domain are automatically redirected to your identity provider to sign in, and you can use SCIM to sync groups and their members directly into Shade.

**How It Works**

SSO and SCIM setup begins with verifying your domain inside Shade. After verification, you can configure Single Sign-On (SSO) using SAML 2.0 with a wide range of identity providers. Once SSO is active, any user added to your Shade workspace with your verified domain will be redirected to your identity provider when they attempt to log in, authenticating there rather than directly in Shade.

SCIM (System for Cross-domain Identity Management) extends this further by allowing you to provision groups from your identity provider into Shade. When a group is provisioned via SCIM, its members are automatically added to your Shade workspace as Contributors. These synced groups appear in Shade's Groups section with the type labeled as "Directory," distinguishing them from groups created manually inside Shade.

**Setting Up SSO**

To configure SSO for your workspace:

1. Navigate to your workspace Settings and open the Enterprise section.
2. Under “Domain Verification,” click “Add domain” and follow the provided steps to verify your organization’s domain.
3. Once confirmed, select “Set up SSO” within Shade.
4. Select your identity provider from the list of supported SAML providers and follow the configuration steps to complete the connection.

Once SSO is active, users with your verified domain will be redirected to your identity provider at login.

**Setting Up SCIM**

SCIM provisioning allows you to manage workspace membership directly from your identity provider. To enable it, select “Set up SCIM” within the Enterprise section of your workspace, and follow the provided steps to link with your provider.

Once SCIM is configured:

* Members inside provisioned groups are added to your Shade workspace automatically as **Contributors**.
* Provisioned groups appear in the **Groups** section in Shade with the type **Directory**.

**Using Directory Groups**

Directory groups can be assigned permissions at the workspace or drive level, just like manually created groups. Adding a directory group to a workspace or drive grants all members within that group the corresponding level of access.

To assign a directory group, navigate to the Members or Permissions panel at the workspace or drive level and add the group as you would any other.

**Things to Keep in Mind**

* SSO and SCIM are available on the **Enterprise plan only**.
* Domain verification is required before SSO can be configured.
* Members provisioned via SCIM are added as **Contributors** by default. Permissions can be adjusted after provisioning.
* Directory groups are managed through your identity provider. Changes to group membership in your provider will sync to Shade automatically.
* Directory groups are read-only within Shade. To add or remove members, make changes in your identity provider.
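After rollout, a periodic membership review can confirm that the points above hold for your workspace. The following is an added example, not Shade code: the member record layout, the `Manual` group type label, and the sample data are assumptions constructed for illustration. It flags accounts outside the verified domain (which the SSO redirect described here does not cover), verified-domain accounts that belong to no Directory group, and directory-provisioned members whose role was changed from the Contributor default.

```python
# Constructed sample data; the record layout is an assumption, not a Shade export format.
VERIFIED_DOMAINS = {"example.com"}

MEMBERS = [
    {"email": "ana@example.com", "role": "Contributor",
     "groups": [{"name": "Design", "type": "Directory"}]},
    {"email": "bo@example.com", "role": "Admin",
     "groups": [{"name": "Design", "type": "Directory"}]},
    {"email": "cy@example.com", "role": "Contributor",
     "groups": [{"name": "Freelance", "type": "Manual"}]},  # "Manual" is a hypothetical label
    {"email": "dee@vendor.test", "role": "Viewer", "groups": []},
    {"email": "Eli@EXAMPLE.COM", "role": "Contributor",
     "groups": [{"name": "Eng", "type": "Directory"}]},
]


def email_domain(email):
    """Return the lowercased domain part of an address, or '' if it is malformed."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain:
        return ""
    return domain.lower()


def audit(members, verified_domains, default_role="Contributor"):
    """Group member e-mails into review buckets based on domain, group type and role."""
    findings = {"outside_sso": [], "not_directory_managed": [], "role_changed": []}
    domains = {d.lower() for d in verified_domains}
    for m in members:
        email = m["email"].strip().lower()
        in_directory = any(g.get("type") == "Directory" for g in m.get("groups", []))
        if email_domain(email) not in domains:
            # Exact match only: subdomains and malformed addresses land here too.
            findings["outside_sso"].append(email)
        elif not in_directory:
            # Verified domain, but membership is not driven by the identity provider.
            findings["not_directory_managed"].append(email)
        if in_directory and m.get("role") != default_role:
            # Provisioned as Contributor by default, so a different role was set later.
            findings["role_changed"].append(email)
    return findings


if __name__ == "__main__":
    for name, emails in audit(MEMBERS, VERIFIED_DOMAINS).items():
        print(f"{name}: {', '.join(emails) or '-'}")
```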


