# Configuring Single Sign-on

Only _Domain Admins_ with the _Admin: Domain Administration: SSO Settings: Read_ and _Admin: Domain Administration: SSO Settings: Edit_ permissions in their security profile can view and configure SSO settings for a domain. SSO enablement and configuration apply across all Vaults in a multi-Vault domain. Learn more about Vault's SSO options in [Single Sign-on Basics](/en/lr/13975/).

To configure single sign-on, you must:

  1. Create an SSO profile, either [SAML](/en/lr/43346/) or [OAuth2.0 / OIDC](/en/lr/43329/).
  2. Create an [SSO security policy](/en/lr/1985/#sso-security-policy) with the **Single Sign-on** Authentication Type.
  3. Provision users to use SSO.

<div class="note-border alert-important">
  <div class="alert alert-important" role="alert">
    <div><i class="far fa-exclamation-circle"></i></div>
    <div class="alert-text">
      <p><strong>Important</strong>: As a precaution, before making changes to your Vault’s SSO configuration, we recommend you ensure that your Vault has a <em>Vault Owner</em> user with the <em>Domain Admin</em> user setting that uses a different security policy to the one you are changing.</p>
    </div>
  </div>
</div>



## Create an SSO Security Policy

To complete SSO configuration, you must apply a [Single Sign-on security policy](/en/lr/1985/#sso-security-policy) that enables user accounts to use SSO. You can do this by creating a new security policy or changing the settings for an existing policy.

## Provision Users to Use SSO {#provision}

When provisioning new users, you can set them to use SSO by assigning them to an SSO security policy. If you are using a **User ID Type** of **Federated ID**, you must set the **Federated ID** value in the user profile.
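
The following pre-change check is an added example, not part of the Vault documentation or product. It reads a user list and confirms that an active _Vault Owner_ with the _Domain Admin_ setting remains on a different security policy, and that every user on the SSO policy has a **Federated ID** value. The CSV column names, the policy names, and the sample rows are constructed assumptions, not a Vault export format.

```python
import csv
import io

# Constructed sample data; column names are assumptions, not a Vault export format.
SAMPLE_USERS = """\
user_name,security_profile,domain_admin,security_policy,federated_id,status
alice@example.com,Vault Owner,true,Basic,,active
bob@example.com,Vault Owner,true,Corp SSO,bob@idp.example.com,active
carol@example.com,Business Admin,false,Corp SSO,,active
dave@example.com,Vault Owner,true,Basic,,inactive
erin@example.com,Document User,false,Corp SSO,erin@idp.example.com,active
"""

def load_users(text):
    """Parse the CSV text into dicts with whitespace-trimmed string values."""
    return [{k: (v or "").strip() for k, v in row.items()}
            for row in csv.DictReader(io.StringIO(text))]

def is_true(value):
    return value.lower() in ("true", "yes", "1")

def fallback_admins(users, policy_being_changed):
    """Active Vault Owners with Domain Admin set who use a different policy."""
    return [u["user_name"] for u in users
            if u["status"].lower() == "active"
            and u["security_profile"] == "Vault Owner"
            and is_true(u["domain_admin"])
            and u["security_policy"] != policy_being_changed]

def missing_federated_id(users, sso_policy):
    """Active users assigned to the SSO policy with an empty Federated ID."""
    return [u["user_name"] for u in users
            if u["status"].lower() == "active"
            and u["security_policy"] == sso_policy
            and not u["federated_id"]]

def preflight(users, sso_policy, uses_federated_id=True):
    """Return a list of problems to resolve before changing the SSO policy."""
    problems = []
    if not fallback_admins(users, sso_policy):
        problems.append(f"no active Vault Owner / Domain Admin outside policy {sso_policy!r}")
    if uses_federated_id:
        for name in missing_federated_id(users, sso_policy):
            problems.append(f"{name}: on {sso_policy!r} but Federated ID is empty")
    return problems

if __name__ == "__main__":
    for line in preflight(load_users(SAMPLE_USERS), "Corp SSO") or ["OK"]:
        print(line)
```

Inactive accounts are excluded from the fallback count on purpose, since an inactive _Vault Owner_ cannot be used to recover access if the SSO change locks users out.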
