> ## Documentation Index
> Fetch the complete documentation index at: https://support.pexcard.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Corporate SSO via SAML 2.0

> Single Sign On (SSO) allows users to sign into multiple applications using an identity provider login. PEX supports this functionality via the Security Assertion Markup Language (SAML 2.0) open standard.

<Note>
  **Note:**

  This setup process should be performed by an IT administrator.
</Note>

SSO is currently not supported on mobile devices.

### Prerequisites

<Steps>
  <Step>
    You have configured an enterprise workspace that supports SAML 2.0 SSO, and allows you to download a Base64 signing certificate. Common SSO providers include [Okta](https://www.okta.com), [OneLogin](https://www.onelogin.com), [Auth0](https://auth0.com), [Google Workspace](https://workspace.google.com), and [Azure Active Directory](https://azure.microsoft.com/en-us/services/active-directory/?\&ef_id=Cj0KCQiA0eOPBhCGARIsAFIwTs7Lcz8XbG-IcKrdVGbmhQETwnYkH8zzCZ-J8TO9BDhSKuckztpbxDUaAhqmEALw_wcB:G:s\&OCID=AID2200277_SEM_Cj0KCQiA0eOPBhCGARIsAFIwTs7Lcz8XbG-IcKrdVGbmhQETwnYkH8zzCZ-J8TO9BDhSKuckztpbxDUaAhqmEALw_wcB:G:s\&gclid=Cj0KCQiA0eOPBhCGARIsAFIwTs7Lcz8XbG-IcKrdVGbmhQETwnYkH8zzCZ-J8TO9BDhSKuckztpbxDUaAhqmEALw_wcB).
  </Step>

  <Step>
    Ensure that your PEX cardholders and administrators set their usernames to be the NameID (typically an email address) associated with your identity provider. PEX users can change their usernames in My Profile.
  </Step>
</Steps>

### How to configure SSO for your PEX account

<Steps>
  <Step>
    Create a new application for PEX Dashboard on your identity provider. PEX is currently not available through identity provider application marketplaces, so you will need to create a custom application.
  </Step>

  <Step>
    Add all cardholders as users or add a group containing all cardholders to the PEX Dashboard application on your identity provider.
  </Step>

  <Step>
    Provide the below PEX URL as both the Identifier (Entity ID) and Reply URL (Assertion Consumer Service URL) on your identity provider SSO - SAML 2.0 configuration screen: \
    ***[https://coreapi.pexcard.com/internal/v4/sso/saml/login](https://coreapi.pexcard.com/internal/v4/sso/saml/login)***
  </Step>

  <Step>
    Download the SAML 2.0 Base64 signing certificate for the PEX application from your identity provider
  </Step>

  <Step>
    Log in as an admin to [dashboard.pexcard.com](http://dashboard.pexcard.com?utm_source=support)
  </Step>

  <Step>
    Navigate to Business Settings - Security, [https://dashboard.pexcard.com/business-settings/security](https://dashboard.pexcard.com/business-settings/security?utm_source=support)
  </Step>

  <Step>
    Upload the SAML 2.0 signing certificate file downloaded from your identity provider.

    <Frame>
      <img src="https://mintcdn.com/pextest/z-xo8Ba3fU4n84SS/images/administrator-guide/image-105.png?fit=max&auto=format&n=z-xo8Ba3fU4n84SS&q=85&s=3098363926a2f64fc76e405ef0b17498" alt="image2.png" width="1263" height="458" data-path="images/administrator-guide/image-105.png" />
    </Frame>
  </Step>

  <Step>
    Your signing certificate should now be associated with your PEX business, and can be managed in the Business Settings - Security section.

    <Frame>
      <img src="https://mintcdn.com/pextest/z-xo8Ba3fU4n84SS/images/administrator-guide/image-106.png?fit=max&auto=format&n=z-xo8Ba3fU4n84SS&q=85&s=db621fb1f8ea26e2a18ef1377d9d17d6" alt="image.png" width="1268" height="370" data-path="images/administrator-guide/image-106.png" />
    </Frame>
  </Step>

  <Step>
    Send users to the SSO applications screen for your identity provider and have them select the PEX Dashboard app to automatically log them into PEX using their SSO.
  </Step>
</Steps>

### Frequently Asked Questions

<AccordionGroup>
  <Accordion title="Can I import my IdP metadata to configure SAML 2.0 SSO in PEX?">
    This feature is not currently supported, but will likely be implemented in the future.
  </Accordion>

  <Accordion title="How does Multi-Program Access (MPA) work with SAML 2.0 SSO?">
    Businesses that use MPA/linked businesses should configure SSO in their “primary” PEX business where users should be set up with the same username as in their identity provider. They should use SSO to log into that business, and use MPA to access linked businesses.
  </Accordion>

  <Accordion title="Does PEX support Response Signing?">
    No. PEX does not support Response Signing (Note: Okta turns this on by default).
  </Accordion>

  <Accordion title="Does PEX support Assertion Encryption?">
    No. PEX does not support Assertion Encryption.
  </Accordion>

  <Accordion title="Does PEX support SCIM Connector?">
    No. PEX does not support SCIM Connector.
  </Accordion>
</AccordionGroup>
