# Configure SAML SSO

> Step-by-step instructions for configuring SAML-based Single Sign-On for your CoreWeave organization

## Prerequisites

To configure SAML SSO, you need an active CoreWeave account and admin permissions.

## Configure SAML SSO for your organization

This section explains how to set up SAML single sign-on (SSO) for your organization so members can authenticate through your identity provider (IdP) instead of CoreWeave credentials. You can configure SAML SSO policies for CoreWeave Kubernetes Service (CKS) manually or with a metadata URL. Choose the method that matches what your IdP exposes.

<Warning>
  SAML responses and assertions must both be signed by your IdP.
</Warning>

<Tabs>
  <Tab title="Configure manually">
    ### Configure SSO manually

    Use the manual configuration when your IdP doesn't publish a metadata URL or when you prefer to enter each value yourself. Before you configure the SSO policy manually, gather the following information from your identity provider (IdP):

    * The IdP's SSO URL.
    * The IdP's unique Entity ID.
    * An X.509 security certificate provided by your IdP.

    To configure SSO manually:

    1. In Cloud Console, go to [SAML SSO configuration](https://console.coreweave.com/organization/iam/sso) and click the **Configure SAML** button.
    2. Select the **Manual Configuration** tab:
           <img src="https://mintcdn.com/coreweave-dbfa0e8d/2BnXXLfUdb578krj/security/authn-authz/_media/sso-manual.png?fit=max&auto=format&n=2BnXXLfUdb578krj&q=85&s=80052191af71ee7d1b9372244b1a6329" alt="Manual Configuration tab in the SAML SSO setup dialog." width="612" height="75" data-path="security/authn-authz/_media/sso-manual.png" />
    3. Enter the SSO URL, the Entity ID, and the provided X.509 security certificate.
    4. Click the **Next** button.
    5. Confirm the information in the dialog boxes is correct.
    6. Click the **Deploy SSO** button to activate the policy.

    The SSO policy is now active for your organization. To complete the integration, add specific attributes to the IdP so CoreWeave can identify each user. For more information, see the [Add attributes to the IdP](#add-attributes-to-the-idp) section.
  </Tab>

  <Tab title="Configure with metadata">
    ### Configure SSO with a metadata URL

    Use a metadata URL when your IdP publishes one. This method lets CoreWeave read the SSO URL, Entity ID, and certificate automatically, which reduces the chance of transcription errors. To configure SSO with an SSO metadata URL, obtain the SSO metadata URL from your IdP, then complete the following steps:

    1. In Cloud Console, go to [SAML SSO configuration](https://console.coreweave.com/organization/iam/sso) and click the **Configure SAML** button.
    2. Select the **Metadata URL** tab:
           <img src="https://mintcdn.com/coreweave-dbfa0e8d/2BnXXLfUdb578krj/security/authn-authz/_media/sso-metadata.png?fit=max&auto=format&n=2BnXXLfUdb578krj&q=85&s=c49778248384c32233c281e58e745207" alt="Metadata URL tab in the SAML SSO setup dialog." width="612" height="75" data-path="security/authn-authz/_media/sso-metadata.png" />
    3. Enter the metadata URL.
    4. Click the **Next** button.
    5. Confirm the information in the dialog boxes is correct.
    6. Click the **Deploy SSO** button to enable the policy.

    The SSO policy is now active for your organization. To complete the integration, add specific attributes to the IdP so CoreWeave can identify each user. For more information, see the [Add attributes to the IdP](#add-attributes-to-the-idp) section.
  </Tab>
</Tabs>
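
Both methods depend on the same three values: the SSO URL, the Entity ID, and the signing certificate. The following added example (not CoreWeave code) parses an IdP metadata document and returns those values plus a SHA-256 fingerprint of each signing certificate, so you have independent values to compare when you confirm the configuration. The function name, the `idp.example.com` URLs, and the placeholder certificate bytes are assumptions constructed for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET  # for untrusted XML, prefer a hardened parser such as defusedxml

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample: placeholder bytes stand in for the DER certificate, and
# idp.example.com is a made-up IdP.
SAMPLE_DER = b"constructed placeholder bytes, not a real certificate"
SAMPLE_FINGERPRINT = hashlib.sha256(SAMPLE_DER).hexdigest()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.com/saml/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      {base64.b64encode(SAMPLE_DER).decode()}
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def summarize_metadata(xml_text):
    """Return the Entity ID, SSO URLs and signing-certificate SHA-256 fingerprints."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if root.tag != "{%s}EntityDescriptor" % NS["md"] or idp is None:
        raise ValueError("expected a single-entity IdP metadata document")
    sso_urls = {s.get("Binding", "").rsplit(":", 1)[-1]: s.get("Location", "")
                for s in idp.iterfind("md:SingleSignOnService", NS)}
    fingerprints = []
    for key in idp.iterfind("md:KeyDescriptor", NS):
        if key.get("use", "signing") != "signing":
            continue  # encryption-only key; a KeyDescriptor without "use" serves both
        b64 = key.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", "", NS)
        der = base64.b64decode("".join(b64.split()))
        fingerprints.append(hashlib.sha256(der).hexdigest())
    warnings = [f"{binding} endpoint is not HTTPS"
                for binding, url in sso_urls.items() if not url.startswith("https://")]
    if not fingerprints:
        warnings.append("no signing certificate found")
    return {"entity_id": root.get("entityID"), "sso_urls": sso_urls,
            "cert_sha256": fingerprints, "warnings": warnings}


if __name__ == "__main__":
    print(summarize_metadata(SAMPLE_METADATA))
```

Compare the fingerprint with the one your IdP's admin console reports for its signing certificate before you deploy the policy.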

## Add attributes to the IdP

CoreWeave uses these attributes to identify each user who signs in through SSO. After you deploy the SSO policy, add the following attributes to your IdP:

| Key          | Description                      |
| ------------ | -------------------------------- |
| `email`      | User's email (unique identifier) |
| `first_name` | User's first name                |
| `last_name`  | User's last name                 |
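
A test login is the quickest way to confirm that your IdP meets the signing requirement and sends all three attributes. This added example (not CoreWeave code) checks a decoded SAML response for a signature on both the response and the assertion, each referencing its own element ID, and for non-empty `email`, `first_name`, and `last_name` values. It checks structure only and does not verify the signatures cryptographically; the function names and the sample response are constructed for illustration.

```python
import xml.etree.ElementTree as ET  # for untrusted XML, prefer a hardened parser such as defusedxml

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REQUIRED_ATTRIBUTES = ("email", "first_name", "last_name")  # keys from the table above


def has_own_signature(element):
    """True if the element has a direct ds:Signature child that references its own ID."""
    ref = element.find("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    element_id = element.get("ID")
    return bool(element_id) and ref is not None and ref.get("URI") == "#" + element_id


def check_response(xml_text):
    """List structural problems in a decoded SAML response. Does not verify signatures."""
    root = ET.fromstring(xml_text)
    problems = [] if has_own_signature(root) else ["Response has no signature of its own"]
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no plaintext Assertion found"]
    if not has_own_signature(assertion):
        problems.append("Assertion has no signature of its own")
    values = {a.get("Name"): a.findtext("saml:AttributeValue", "", NS).strip()
              for a in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS)}
    problems += [f"attribute '{k}' is missing or empty"
                 for k in REQUIRED_ATTRIBUTES if not values.get(k)]
    return problems


def sample(sign_response=True, attrs=REQUIRED_ATTRIBUTES):
    """Constructed test response; the signatures are structural placeholders only."""
    sig = '<ds:Signature><ds:SignedInfo><ds:Reference URI="#{}"/></ds:SignedInfo></ds:Signature>'
    attr_xml = "".join(
        f'<saml:Attribute Name="{a}"><saml:AttributeValue>x</saml:AttributeValue></saml:Attribute>'
        for a in attrs)
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'xmlns:ds="{NS["ds"]}" ID="_r1">{sig.format("_r1") if sign_response else ""}'
            f'<saml:Assertion ID="_a1">{sig.format("_a1")}<saml:AttributeStatement>'
            f'{attr_xml}</saml:AttributeStatement></saml:Assertion></samlp:Response>')


if __name__ == "__main__":
    print(check_response(sample(sign_response=False, attrs=("email",))))
```

To run it against your own IdP, base64-decode the `SAMLResponse` form field captured from a test login and pass the resulting XML to `check_response`.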

## Manage the SSO policy

After the initial setup, you can return to the SAML SSO configuration page to review or change the policy. The configuration dialog displays the policy's information and lets you manage it with the following buttons: **Disable SAML**, **Enable SAML**, and **Edit**.

## Access the SSO login page

After you configure SSO for your organization, direct users to sign in with your organization's dedicated SSO login URL.

The SSO login URL follows a standard format that includes your organization's unique ID directly before the final `/login` path segment.

To access the SSO login URL:

1. In Cloud Console, go to [Account Settings](https://console.coreweave.com/account/settings) and find your CoreWeave **Org ID**.

2. Replace `[ORG-ID]` in the following example with your Org ID.

   ```text
   # Replace `[ORG-ID]` with your Org ID.
   https://console.coreweave.com/accounts/saml/[ORG-ID]/login
   ```

   **Example**

   If your Org ID is `abc123`, your SSO login URL is:

   ```text
   https://console.coreweave.com/accounts/saml/abc123/login
   ```

3. Share this URL with your team so they can sign in with your SSO configuration.

Users who visit this URL are redirected to your IdP to authenticate, then returned to Cloud Console.
