# Identity Provider

## What is an Identity provider?

An Identity provider (IdP) allows you to manage platform access through your organization's existing security infrastructure. This ensures that only authorized employees can log in to Ebbot using their official work accounts.

## Configuring an Identity provider in Ebbot

**Part 1: Configure your organization settings**

Before configuring a specific identity provider, you need to set up your organization settings. This ensures that users logging in via Single Sign-On (SSO) are correctly associated with your organization.

1. Navigate to Settings > Security > Identity Providers.
2. Under Organization Settings, define your Organization Slug. This is a unique identifier for your organization used in URLs (e.g., `demo`).
3. Set the Default Role for new users who sign up through this organization (e.g., `Chat user`).
4. In the Domains section, add all the domains that should be associated with your organization for SSO discovery (e.g., `example.com`).
5. Click Save.

**Part 2: Configuring an Identity provider**

Choose one of the following providers to connect.

{% tabs %}
{% tab title="Google" %}
**Configure Google Login**

Step I: Locate Your Redirect URI

* From the Identity Provider Settings, select the Google tab.
* Copy the Redirect URI provided. It will look something like this: `https://account.ebbot.eu/realms/ebbot/broker/ebxn4o.../endpoint`
* You will need this URL during the Google Cloud Console setup process.

Step II: Access the Google Cloud Console

* Go to <https://console.cloud.google.com/>.
* Select a project or create a "NEW PROJECT".

Step III: Set up OAuth Consent Screen

1. In the left menu, navigate to APIs & Services > OAuth consent screen.
2. Choose a User Type (e.g., Internal for Google Workspace or External).
3. Fill in the required information, including:
   * App name
   * User support email
   * Application home page
   * Authorized domains
   * Developer contact information

Step IV: Create OAuth 2.0 Credentials

1. Go to "Credentials" in the left menu.
2. Click "CREATE CREDENTIALS" and select "OAuth client ID".
3. For Application type, select "Web application".
4. Under "Authorized redirect URIs", click "ADD URI" and paste the Redirect URI you copied in Step I.
5. Click "Create". You will now be provided with a Client ID and a Client Secret.

Step V: Connect in the Application

1. Return to the Identity Provider Settings in your application.
2. Paste the Client ID and Client Secret into their respective fields.
3. (Optional) Fill in the Prompt and Hosted Domain fields if needed.
4. Click Connect.
{% endtab %}

{% tab title="Microsoft" %}
**Configure Microsoft Login**

Step I: Locate Your Redirect URI

* From the Identity Provider Settings, select the Microsoft tab.
* Copy the Redirect URI provided. You will need this for the Microsoft Entra setup.

Step II: Access the Microsoft Entra Admin Center

* Go to <https://entra.microsoft.com/>.

Step III: Register Your Application

1. Navigate to Applications > App registrations in the left menu.
2. Click "+ New registration".
3. Enter the following information:
   * Name: A name for your application.
   * Supported account types: Choose who can use this application.
   * Redirect URI: Select "Web" and paste the Redirect URI you copied in Step I.
4. Click "Register".

Step IV: Configure Authentication and Tokens

1. After the app is created, go to "Authentication" in the left menu.
2. Under "Platform configurations", verify that the Redirect URI is correct.
3. Under "Advanced settings":
   * Set "Access tokens" to Yes.
   * Set "ID tokens" to Yes.
4. Save the changes.

Step V: Generate a Client Secret

1. In your app registration menu, go to "Certificates & secrets".
2. Click "+ New client secret", give it a description, and set an expiration.
3. Copy the Value of the newly created secret immediately. This is your Client Secret.

Step VI: Connect in the Application

1. Return to the Identity Provider Settings.
2. Paste the Client ID (shown as Application (client) ID on the "Overview" page in Entra) and the Client Secret you just generated into their respective fields.
3. Enter your Tenant ID (found on the "Overview" page in Entra).
4. (Optional) Fill in the Prompt field.
5. Click Connect.
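As an added example (not Ebbot's or Keycloak's code, and not part of the original page), the checks below show what the Google tab's Hosted Domain field and the Tenant ID from Step VI actually enforce once the connection is live: the claim checks an SSO broker applies to the provider's ID token. The token payloads are constructed; the claim names (`iss`, `aud`, `hd`, `tid`, `email_verified`, `exp`) are the documented Google and Microsoft identity platform claims.

```python
# Added example, not Ebbot's or Keycloak's code: the claim checks an SSO broker applies to
# a Google or Microsoft ID token, showing what the Hosted Domain and Tenant ID fields
# enforce. Payloads below are constructed; a real token's signature is verified first.
from typing import Optional

GOOGLE_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}
MS_ISSUER = "https://login.microsoftonline.com/{tenant}/v2.0"


def check_id_token(claims: dict, client_id: str, now: int,
                   hosted_domain: Optional[str] = None,
                   tenant_id: Optional[str] = None) -> list:
    """Return the problems found; an empty list means the login may proceed."""
    problems = []
    iss = claims.get("iss", "")
    if tenant_id:
        # Microsoft: if "Supported account types" allows any organization, tokens arrive
        # from every Entra tenant, so pin iss and tid to the Tenant ID from Step VI.
        if iss != MS_ISSUER.format(tenant=tenant_id) or claims.get("tid") != tenant_id:
            problems.append("token was not issued by the configured tenant")
    else:
        if iss not in GOOGLE_ISSUERS:
            problems.append("unexpected issuer %r" % iss)
        # Google: consumer accounts carry no hd claim; requiring it to equal the
        # Hosted Domain keeps @gmail.com and other Workspace domains out.
        if hosted_domain and claims.get("hd") != hosted_domain:
            problems.append("hd claim missing or not the configured Hosted Domain")
        if not claims.get("email_verified", False):
            problems.append("email address not verified by Google")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud does not contain our Client ID")
    if int(claims.get("exp", 0)) <= now:
        problems.append("token expired")
    return problems


# Constructed decoded payloads for a quick self-check.
GOOGLE_OK = {"iss": "https://accounts.google.com", "aud": "123.apps.googleusercontent.com",
             "hd": "example.com", "email": "a@example.com", "email_verified": True,
             "exp": 2_000_000_000}
MS_WRONG_TENANT = {"iss": "https://login.microsoftonline.com/other-tenant/v2.0",
                   "tid": "other-tenant", "aud": "app-id", "exp": 2_000_000_000}

if __name__ == "__main__":
    print(check_id_token(GOOGLE_OK, "123.apps.googleusercontent.com", 1_700_000_000,
                         hosted_domain="example.com"))
    print(check_id_token(MS_WRONG_TENANT, "app-id", 1_700_000_000, tenant_id="my-tenant"))
```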
{% endtab %}

{% tab title="SAML 2.0" %}
**Configure SAML v2.0**

Step I: Locate Service Provider Details

* From the Identity Provider Settings, select the SAML v2.0 tab.
* You will find two important URLs:
  1. Redirect URI (or Single Sign-On URL/ACS URL): `https://account.ebbot.eu/realms/ebbot/broker/ebxn4q.../endpoint`
  2. Service Provider Entity ID (or Audience URI): `https://account.ebbot.eu/realms/ebbot`
* You will need these URLs to configure your SAML identity provider.

Step II: Configure Your SAML Provider

1. Access your SAML identity provider's admin console (e.g., Okta, Auth0, ADFS).
2. Create a new SAML application or integration.
3. Configure the following settings within your provider:
   * Single Sign-On URL / ACS URL: Use the Redirect URI from Step I.
   * Audience URI / SP Entity ID: Use the Service Provider Entity ID from Step I.
   * Name ID Format: `Email Address` is recommended.
   * Attributes/Claims: Configure attributes to be sent, such as `email` and `name`.

Step III: Configure the Form Fields

1. Once the application is configured in your SAML provider, it will generate metadata. Locate the SAML Descriptor URL (also known as metadata URL) from your provider.
2. Return to the Identity Provider Settings in your application.
3. Paste your provider's Service Provider Entity ID into the corresponding field.
4. Paste the SAML Descriptor URL from your provider into its field.

Step IV: Save and Test

1. Click Connect to save the configuration.
2. Test the SSO login flow to ensure it works correctly.
{% endtab %}
{% endtabs %}
