# SSO Guide

Need help setting up SSO with your specific Identity Provider? Check out our detailed step-by-step guides:

<table data-view="cards"><thead><tr><th></th><th data-hidden data-card-target data-type="content-ref"></th></tr></thead><tbody><tr><td>Azure (Microsoft Entra)</td><td><a href="/pages/jIiwte0QK0pDJ22Y32lI">/pages/jIiwte0QK0pDJ22Y32lI</a></td></tr><tr><td>Okta</td><td><a href="/pages/emrQLO37k0CkvtuQ8ONE">/pages/emrQLO37k0CkvtuQ8ONE</a></td></tr><tr><td>Google Workspace</td><td><a href="/pages/T88EECzeFjZolOoYFQFN">/pages/T88EECzeFjZolOoYFQFN</a></td></tr><tr><td>OneLogin</td><td><a href="/pages/3Oks80c0KBYz5Fs7fAUD">/pages/3Oks80c0KBYz5Fs7fAUD</a></td></tr><tr><td>JumpCloud</td><td><a href="/pages/3VYQM38TNxPAIRyAhnzT">/pages/3VYQM38TNxPAIRyAhnzT</a></td></tr></tbody></table>

## Overview

You can use any Identity Provider that supports the [SAML 2.0](https://en.wikipedia.org/wiki/SAML_2.0) protocol to authenticate users via single sign-on (SSO) on Mailtrap.

Mailtrap automatically creates users using just-in-time provisioning when a user logs in with Mailtrap SSO.

{% hint style="info" %}
SSO is available only for users on Enterprise plans.
{% endhint %}

## How to enable SAML SSO in Mailtrap

{% hint style="warning" %}
Only the Account Owner can enable or disable SAML on an account.
{% endhint %}

To enable the SAML configuration for the Mailtrap account, go to **Settings** > **Account settings** > **SSO** to [open the SSO tab](https://mailtrap.io/settings/account?current_tab=sso), then add or edit the SAML configuration.

<div align="left" data-with-frame="true"><figure><img src="/files/dlds8ahvpj1FXM8fqmam" alt="SSO domains table showing active and pending domains with TXT record verification" width="563"><figcaption></figcaption></figure></div>

{% stepper %}
{% step %}
**Add and verify the domain**

* Enter your domain in the Domain field and click the **Add Domain** button.
* In the displayed table, you will find the record and its value generated by Mailtrap.
* Go to your domain settings page, select Manage DNS, and choose TXT from the list of options (for details, consult your domain provider documentation).
* Copy the authentication key generated by Mailtrap from the *Value* column and paste it into your TXT record.
* Once completed, go back to Mailtrap and click the **Verify** button for this domain. The status should change to *Active*.
  {% endstep %}

{% step %}
**Configure SSO**

* Choose whether you want to enforce SSO sign-in for users provisioned by SSO. When enabled, users whose sign-in is provisioned by SSO won't be able to sign in using any method except SSO.

<div align="left" data-with-frame="true"><figure><img src="/files/sopNDeBYpzWhUK43k4lL" alt="SSO enforcement toggle enabled for designated SSO-active domains highlighted" width="563"><figcaption></figcaption></figure></div>

* Choose whether users provisioned by SSO also get a separate free account. When the toggle is enabled, new users won't get a separate account. When it is disabled, each new user also gets a separate account in addition to the one they get via SSO. This applies to newly provisioned users only.

<div align="left" data-with-frame="true"><figure><img src="/files/MuXxkRBkJwn9KwVBx3vV" alt="Toggle enabled to prevent creating separate Free accounts for SSO users" width="375"><figcaption></figcaption></figure></div>
{% endstep %}

{% step %}
**Mailtrap → Identity Provider**

**You'll need to provide the following to Mailtrap from your Identity Provider:**

* IdP Entity ID (Identity Provider Issuer)
* Single Sign-on URL
* Optional: Single Logout Service (SLO) URL
* X509 Certificate
  {% endstep %}

{% step %}
**Identity Provider → Mailtrap**

**You'll need to provide the following SAML Provider details to your Identity Provider from Mailtrap:**

* Entity ID
* Assertion Consumer Service URL
* Single Logout Service URL
  {% endstep %}

{% step %}
**Role mapping**

<div align="left" data-with-frame="true"><figure><img src="/files/NdLm0Q0CS68Tb53vblUy" alt="SAML Role Mapping table with Admin and Viewer role attribute configurations" width="375"><figcaption></figcaption></figure></div>

By default, users created in Mailtrap via SSO have roles with empty permissions, so they cannot view or edit any projects or sandboxes. In this case, you can assign permissions manually within Mailtrap User Management.

To map your IdP roles to roles in Mailtrap, you need to create a mapping in the **SAML Role Mapping** section in Mailtrap.

In the example above, a user with the IdP attribute "MtRoleFromAppProfile" and the name "admin" (which should be configured as Attributes in the IdP) should be assigned the "Admin" role in Mailtrap.

You have the option to enforce IdP role mapping on every sign-in. That way, Mailtrap fetches the role from the IdP on each sign-in and picks up any changes made on the IdP side. The user **should be signed out** of Mailtrap so that the updated role attribute can be fetched.
{% endstep %}
{% endstepper %}
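
To check what your IdP actually sends before relying on a role mapping, you can decode a captured `SAMLResponse` and see which mapping row it would match. This is an added example, not Mailtrap's code. The `viewer` row, the exact-match comparison and the sample response are assumptions made for illustration.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Mapping rows: the first is the page's example; the "viewer" row is assumed.
ROLE_MAPPING = {
    ("MtRoleFromAppProfile", "admin"): "Admin",
    ("MtRoleFromAppProfile", "viewer"): "Viewer",
}

def assertion_attributes(saml_response_b64):
    """Return {attribute name: [values]} from a base64 SAMLResponse form field.

    Debug aid only: it does not verify the XML signature."""
    xml = base64.b64decode(saml_response_b64)
    if b"<!DOCTYPE" in xml or b"<!ENTITY" in xml:
        raise ValueError("DTD found in SAML response; refusing to parse")
    attrs = {}
    path = ".//saml:AttributeStatement/saml:Attribute"
    for attr in ET.fromstring(xml).iterfind(path, NS):
        values = [(v.text or "").strip()
                  for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs

def mapped_role(attrs, mapping=ROLE_MAPPING):
    """Role of the first matching row, or None when no row matches
    (the page's default: a role with empty permissions).
    Exact, case-sensitive comparison is an assumption of this sketch."""
    for (name, value), role in mapping.items():
        if value in attrs.get(name, []):
            return role
    return None

def sample_response(attr_name, value):
    """Constructed, unsigned SAMLResponse carrying a single attribute."""
    xml = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>'
           f'<saml:AttributeStatement><saml:Attribute Name="{attr_name}">'
           f'<saml:AttributeValue>{value}</saml:AttributeValue></saml:Attribute>'
           '</saml:AttributeStatement></saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()

if __name__ == "__main__":
    # The second case uses a wrong attribute name, so no mapping row matches.
    for name, value in [("MtRoleFromAppProfile", "admin"), ("role", "admin")]:
        attrs = assertion_attributes(sample_response(name, value))
        print(attrs, "->", mapped_role(attrs))
```

A `None` result for a real response usually means the attribute name or value configured in the IdP does not match the row in **SAML Role Mapping**.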


