# Connecting Identity Providers

Identity Providers (IdPs) let your users sign in with their existing corporate credentials instead of managing separate passwords in AccessIQ.

## Supported Providers

| Provider         | Protocol  | Setup Guide                                                                          |
| ---------------- | --------- | ------------------------------------------------------------------------------------ |
| Okta             | OIDC      | [Okta Integration](/accessiq-docs/identity-and-single-sign-on/okta.md)               |
| Azure Entra      | OIDC/SAML | [Azure Entra Integration](/accessiq-docs/identity-and-single-sign-on/azure-entra.md) |
| Google Workspace | OIDC      | [Google Integration](/accessiq-docs/identity-and-single-sign-on/google.md)           |
| Auth0            | OIDC      | [Auth0 Integration](/accessiq-docs/identity-and-single-sign-on/auth0.md)             |
| AWS Cognito      | OIDC      | [AWS Cognito Integration](/accessiq-docs/identity-and-single-sign-on/aws-cognito.md) |
| Ping Identity    | OIDC/SAML | Contact support                                                                      |
| Custom SAML      | SAML 2.0  | Contact support                                                                      |
| Custom OIDC      | OIDC      | Contact support                                                                      |

## Adding a Provider

1. Navigate to **Identity & SSO > Identity Providers**
2. Click **Add Provider**
3. Select your provider type
4. Follow the setup wizard — you'll need:
   * **Client ID** and **Client Secret** from your IdP
   * **Issuer URL** or **Discovery URL**
   * **Redirect URI** (provided by AccessIQ)
5. Test the connection
6. Enable the provider
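
Before pasting the step 4 values into the wizard, it is worth sanity-checking them. The following is an added example (not AccessIQ's own code) that validates a constructed OIDC discovery document against the Issuer URL and checks the Redirect URI; the hostnames `idp.example.com` and `accessiq.example` are placeholders.

```python
# Added example, not AccessIQ code: pre-flight checks on the wizard inputs.
# The discovery document is constructed inline so this runs offline; in
# practice it is fetched from <Issuer URL>/.well-known/openid-configuration.
import json
from urllib.parse import urlparse

REQUIRED_KEYS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")

def check_idp_config(issuer_url: str, discovery_json: str, redirect_uri: str) -> list[str]:
    """Return a list of problems; an empty list means the inputs look sane."""
    problems = []
    doc = json.loads(discovery_json)
    for key in REQUIRED_KEYS:
        if key not in doc:
            problems.append(f"discovery document missing '{key}'")
    # OIDC Discovery requires the document's 'issuer' to equal the URL it was
    # fetched from; a mismatch means the document is not authoritative.
    if doc.get("issuer", "").rstrip("/") != issuer_url.rstrip("/"):
        problems.append("issuer in discovery document does not match Issuer URL")
    # Every endpoint the client talks to must be HTTPS so codes and tokens
    # never travel in the clear.
    for key in REQUIRED_KEYS[1:]:
        if key in doc and urlparse(doc[key]).scheme != "https":
            problems.append(f"{key} is not https")
    # The Redirect URI is where the IdP sends the authorization code: register
    # it as an exact HTTPS string, never a wildcard pattern.
    r = urlparse(redirect_uri)
    if r.scheme != "https" or "*" in redirect_uri or r.fragment:
        problems.append("redirect URI must be an exact https URL without wildcards or fragment")
    return problems

# Constructed sample document for a hypothetical tenant.
GOOD_DOC = json.dumps({
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/oauth2/authorize",
    "token_endpoint": "https://idp.example.com/oauth2/token",
    "jwks_uri": "https://idp.example.com/oauth2/keys",
})
# Same document claiming a different issuer, as a typo'd or spoofed host would.
BAD_DOC = GOOD_DOC.replace('"issuer": "https://idp.example.com"',
                           '"issuer": "https://idp-example.com"')

if __name__ == "__main__":
    print(check_idp_config("https://idp.example.com", GOOD_DOC, "https://accessiq.example/callback"))
    print(check_idp_config("https://idp.example.com", BAD_DOC, "http://accessiq.example/callback"))
```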

## Authentication Options at a Glance

The diagram below shows the sign-in methods available to your users. You can enable any combination of these to match your organization's security requirements.

```mermaid
flowchart TD
    User["User visits login page"]

    User --> Native["AccessIQ Native Sign-In"]
    User --> SSO["Corporate SSO"]

    Native --> PW["Email & Password"]
    Native --> ML["Magic Link via Email"]
    Native --> PK["Passkey / Biometric"]
    Native --> OTP["Email One-Time Code"]

    SSO --> Okta["Okta"]
    SSO --> Azure["Azure Entra"]
    SSO --> Google["Google Workspace"]
    SSO --> Other["Auth0 / AWS Cognito / Others"]

    PW --> MFA{"MFA Required?"}
    ML --> SignedIn["Signed In"]
    PK --> SignedIn
    OTP --> SignedIn

    MFA -- Yes --> MFAMethod["Authenticator App, SMS, or Email Code"]
    MFA -- No --> SignedIn
    MFAMethod --> SignedIn

    Okta --> SignedIn
    Azure --> SignedIn
    Google --> SignedIn
    Other --> SignedIn
```

## How Users Sign In

Once configured, your identity provider appears as a button on the login page. Users click it, authenticate with their IdP, and are redirected back to AccessIQ.

## Just-In-Time (JIT) Provisioning

When a user signs in via SSO for the first time, AccessIQ automatically creates their account using information from the IdP (name, email). This is called JIT provisioning.

* New users are assigned the default role (typically "Member")
* If they have a pending invitation, the invitation's role is assigned instead
* Profile information is synced from the IdP on each login

## Primary Provider

You can mark one provider as **Primary**. This determines which provider is used for invitations and is highlighted on the login page.


