# SAML SSO

## Overview

SAML SSO enables organizations to authenticate users in Termius through an external identity provider (IdP).

Instead of managing separate credentials for Termius, users sign in using the same identity system already used across the organization.

This approach centralizes authentication, simplifies user management, and aligns Termius access with existing security and compliance policies.

{% hint style="info" %}
SAML SSO is available as an add-on in the Termius Business plan.
{% endhint %}

### Set up encryption password

Even when signing in with SAML SSO, you still need to set up an **encryption password** in Termius.

This password is used to encrypt and decrypt your data within the Termius app, including credentials, SSH keys, and more. It is separate from your SSO login and is never shared with your identity provider.

Your SAML SSO credentials authenticate your account, while the encryption password protects your data.

{% hint style="warning" %}
Store your encryption password in a password manager. If you forget it and need to reset it, **Termius won't be able to decrypt your data**. This means you will lose access to your data and have to start from scratch.
{% endhint %}

{% hint style="info" %}
Find more information about how encryption works in Termius in the [Encryption overview](/security/encryption-overview.md).
{% endhint %}

***

## SAML SSO providers in Termius

Termius uses WorkOS to provide support for a variety of SAML SSO providers. Major providers include Google, Okta, OneLogin, Microsoft Azure Active Directory, Auth0, Duo Security, and many others.

If your preferred SAML SSO provider is not listed, you can opt for Custom SAML SSO or Custom OpenID configurations.

<details>

<summary><strong>SAML SSO providers list</strong></summary>

<table data-header-hidden data-full-width="true"><thead><tr><th>SSO Provider</th></tr></thead><tbody><tr><td>ADP OpenID Connect</td></tr><tr><td>Auth0</td></tr><tr><td>Azure AD SAML</td></tr><tr><td>CAS SAML</td></tr><tr><td>ClassLink</td></tr><tr><td>Cloudflare</td></tr><tr><td>CyberArk SAML</td></tr><tr><td>Duo SSO</td></tr><tr><td>Google SAML</td></tr><tr><td>JumpCloud SAML</td></tr><tr><td>Keycloak</td></tr><tr><td>LastPass</td></tr><tr><td>Microsoft AD FS SAML</td></tr><tr><td>miniOrange</td></tr><tr><td>NetIQ</td></tr><tr><td>Okta SAML</td></tr><tr><td>OneLogin SAML</td></tr><tr><td>Oracle SAML</td></tr><tr><td>PingFederate SAML</td></tr><tr><td>PingOne SAML</td></tr><tr><td>Rippling SAML</td></tr><tr><td>Salesforce</td></tr><tr><td>Shibboleth Generic SAML</td></tr><tr><td>Shibboleth Unsolicited SAML</td></tr><tr><td>SimpleSAML.php</td></tr><tr><td>VMware</td></tr></tbody></table>

</details>

***

## Set up SAML SSO

<figure><img src="/files/D6isdTAnOZuxrgCkZrTb" alt=""><figcaption></figcaption></figure>

SAML SSO is available only as an add-on to the Business plan.

To **set up** SAML SSO:

1. Navigate to the [account management portal](https://account.termius.com/) > `SAML SSO`.
2. Click `Configure now`.
3. Add your domain(s), then click `Configure now`.
4. On the WorkOS setup page, select your identity provider from the list and follow the instructions.

You can make changes to your configuration in `SAML SSO` > `Configure Provider` within the WorkOS settings page.

### Test your SAML SSO configuration with Termius

By default, once SAML SSO is set up, your account is in hybrid mode: you can already use SAML SSO, but you can still log in with your email and encryption password as a fallback.

**To test your SAML SSO configuration:**

1. Ensure the test session on the WorkOS side passes successfully.
2. Log out of your Termius account.
3. Click `Continue with SAML SSO` on the login page.
4. Enter your work email address and click `Continue`.
5. You will be redirected to your identity provider's login page. Enter your credentials and log in.
6. If the configuration is successful, you will be redirected back to Termius and logged in via SAML SSO.

{% hint style="success" %}
After the successful test, you can **enforce** SAML SSO for your team by enabling the `Require to log in with SSO` toggle.
{% endhint %}

## Disable SAML SSO

You can disable SAML SSO temporarily or completely.

If you have issues with your provider and want to disable SAML SSO only temporarily, disable the `Require to log in with SSO` toggle. Once it is disabled, you will be able to use just your email address and encryption password as a fallback.

If you want to deactivate SAML SSO completely:

1. Disable the toggle `Require to log in with SSO`.
2. Remove your configuration via `SAML SSO` > `Configure Provider` within the WorkOS settings page.


