# Set up Single-Sign On (SSO)

### What you'll need

* In Bird, a user with either the Organization Owner or Owner role.
* Access to set up an application/integration in your Identity Provider.
* Access to your domain's DNS records for domain verification.

{% hint style="info" %}
**DNS records**

You'll need access to the DNS records for every domain that you and your team use to log in to Bird.

For example:

* If you log in to Bird with an email address such as `user@mydomain.com`, then you will need to edit the TXT record for `mydomain.com`.
* If you also have users log in via `user@myotherdomain.com`, then you will also need to edit the TXT record for `myotherdomain.com`.
{% endhint %}

### Step one: Configure OpenID

When setting up an OpenID integration with your identity provider, start by creating the setup on the identity provider side.

The main configuration item that will be needed is the redirect sign-in URL, which is [`https://api.bird.com/auth/oidc/callback`](https://api.bird.com/auth/oidc/callback).

{% hint style="warning" %}
Once the setup is complete, make sure to take a copy of the OpenID Client ID and Client Secret, as these will be needed to complete the Bird CRM side of the setup.
{% endhint %}

### Step two: Configure Bird CRM

1. Navigate to the [Settings](https://app.staging.bird.one/settings/security/access-settings) page by clicking on your current Workspace name in the bottom left, then selecting **Access Management** under the **Organization** tab.

<p align="center"><img src="https://3861485111-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FU9kiDiTGVD8kkbnKKyEn%2Fuploads%2FVeH7thtbaxAjojpefW6D%2Fimage.png?alt=media&#x26;token=b924fc70-44c9-4fb1-931b-911359778891" alt=""></p>

<figure><img src="https://3861485111-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FU9kiDiTGVD8kkbnKKyEn%2Fuploads%2FXitXtZK9BSKJDvnwO4pC%2Fimage.png?alt=media&#x26;token=67c33a9d-3817-454b-9b37-4e40d827dc9c" alt=""><figcaption></figcaption></figure>

2. Click **Set Up SSO**, then select **OpenID**.<br>

   <figure><img src="https://3861485111-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FU9kiDiTGVD8kkbnKKyEn%2Fuploads%2F9HbGkIQA7mzwddVjPOsl%2Fimage.png?alt=media&#x26;token=f7a4a30e-9bbc-4444-b422-2c90df1e4b54" alt=""><figcaption></figcaption></figure>
3. Fill out a name for the SSO setup and fill out your identity provider URL as the Issuer URL. This URL will depend on which identity provider you use. As an example, in Okta the format is normally `companyname.okta.com`.
4. Fill out the Client ID and Client Secret that you generated and saved while setting up the integration in your identity provider.
5. In Other Scopes, fill out email and then select ‘New scope: email’ to add it, as shown in the screenshot below.

<figure><img src="https://3861485111-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FU9kiDiTGVD8kkbnKKyEn%2Fuploads%2FvuhX5sHAWwVfirs7qP1k%2Fimage.png?alt=media&#x26;token=b4aa3656-a650-412f-a30f-a1a56e9b384a" alt="" width="375"><figcaption></figcaption></figure>

6. The setup should look something like this:<br>

   <figure><img src="https://3861485111-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FU9kiDiTGVD8kkbnKKyEn%2Fuploads%2F1uOv5MZ1P4FV3BQ10BK4%2Fimage.png?alt=media&#x26;token=1883bbb6-1d7b-498b-ad8a-817a9b6c1f1e" alt="" width="375"><figcaption></figcaption></figure>
7. Click **Confirm** and your SSO configuration will be saved.
8. Now you need to set up the identity provider initiated login. From the Access Management page, click on the three-dot menu on the right of the identity provider you have configured, then click **View**.<br>

   <figure><img src="https://3861485111-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FU9kiDiTGVD8kkbnKKyEn%2Fuploads%2FsQuJ3LweT5DQKLsWW6pS%2Fimage.png?alt=media&#x26;token=ddf70870-c2e7-447a-991d-a35e7c7767d2" alt=""><figcaption></figcaption></figure>
9. You can see the Initiate Login URL at the bottom. Copy and paste this into the appropriate field in your Identity Provider configuration.<br>

   <div align="center"><figure><img src="https://3861485111-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FU9kiDiTGVD8kkbnKKyEn%2Fuploads%2FrdXNwKdNkVQ9CmkOJAPw%2Fimage.png?alt=media&#x26;token=9c2ae81a-c6f1-480b-bf30-888528ac552a" alt="" width="375"><figcaption></figcaption></figure></div>

### Step three: Domain validation

In order to restrict logins to domains that you control, each unique domain you and your users log in from needs to be validated. This is done by adding a TXT DNS record to the domain(s).

1. First click on the Domain Validation button available when viewing your SSO integration.

<figure><img src="https://3861485111-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FU9kiDiTGVD8kkbnKKyEn%2Fuploads%2FFC839mhm0KBaokHOkML1%2Fimage.png?alt=media&#x26;token=0555056a-e9ce-4f22-b9ce-38d2a3d4f337" alt="" width="375"><figcaption></figcaption></figure>

2. Enter the company domain name that you log in with (e.g. companyname.com) and click Create.

<div align="center"><figure><img src="https://3861485111-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FU9kiDiTGVD8kkbnKKyEn%2Fuploads%2F8v5nvcQQ5BfOe0GmrOR6%2Fimage.png?alt=media&#x26;token=94f95140-8b11-4bce-8f07-b1531083fd37" alt="" width="375"><figcaption></figcaption></figure></div>

3. You will then be presented with a unique string under the Challenge column that needs to be placed as a TXT record in your domain. If you are unsure how to add a TXT record, please consult your DNS provider.
4. Once you have added the TXT record to verify your domain, select Verify.
5. If the TXT record was added correctly, the Status will show as Verified.
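Before clicking Verify, it helps to confirm the TXT record has actually propagated. The following Python pre-check is an added example, not Bird's own tooling: it parses `dig +short TXT <domain>` output and reports whether the Challenge-column string is present; the challenge value and dig output are constructed placeholders, and whole-value matching is an assumption.

```python
"""Pre-check that the domain-validation TXT record is live before clicking Verify.

Added example, not Bird's own tooling: it parses `dig +short TXT <domain>` output
and reports whether the Challenge-column string is present. The challenge value
and dig output below are constructed placeholders.
"""
import shlex
import subprocess
from typing import List


def parse_dig_txt(short_output: str) -> List[str]:
    """Return one string per TXT record from `dig +short TXT` output.

    dig prints a record as quoted chunks; values over 255 bytes are split
    ("abc" "def") and must be re-joined, and the quotes are not part of the value.
    """
    records = []
    for line in short_output.splitlines():
        line = line.strip()
        if not line:
            continue
        chunks = shlex.split(line)  # honours quotes and dig's \" escapes
        records.append("".join(chunks))
    return records


def challenge_present(records: List[str], challenge: str) -> bool:
    """Whole-value comparison (assumed to match how the verifier compares):
    a record that merely contains the challenge among other text fails."""
    return any(record == challenge for record in records)


def lookup_txt(domain: str) -> List[str]:
    """Live lookup (needs network and dig); not used by the offline sample."""
    proc = subprocess.run(["dig", "+short", "TXT", domain],
                          capture_output=True, text=True, check=True)
    return parse_dig_txt(proc.stdout)


# Constructed sample: an existing SPF record plus the challenge record, with the
# challenge value split into two quoted chunks as dig prints long strings.
SAMPLE_DIG_OUTPUT = '''"v=spf1 include:_spf.example.net -all"
"PLACEHOLDER-CHALLENGE-" "0123456789ABCDEF"
'''
SAMPLE_CHALLENGE = "PLACEHOLDER-CHALLENGE-0123456789ABCDEF"

if __name__ == "__main__":
    ok = challenge_present(parse_dig_txt(SAMPLE_DIG_OUTPUT), SAMPLE_CHALLENGE)
    print("challenge record found" if ok else "challenge record missing")
```

For a real domain, replace the sample with `lookup_txt("mydomain.com")` and the challenge string copied from the Challenge column.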

{% hint style="success" %}
You can now sign in with SSO!
{% endhint %}

<table data-view="cards"><thead><tr><th></th><th data-hidden></th><th data-hidden></th><th data-hidden data-card-target data-type="content-ref"></th></tr></thead><tbody><tr><td><strong>Next: Enforce Single-Sign On (SSO) →</strong></td><td></td><td></td><td><a href="enforce-single-sign-on-sso">enforce-single-sign-on-sso</a></td></tr></tbody></table>
