# SSO/SAML

#### What is SSO (and SAML)?

* SSO: One secure login to access all your tools.
* SAML: An industry-standard protocol that lets your Identity Provider (IdP) (e.g., Okta, Microsoft Entra ID/Azure AD, Google Workspace, OneLogin, Ping) authenticate users for Kernel without new passwords.

#### Why it matters

* Stronger security: Enforce MFA, conditional access, and identity policies centrally via your IdP.
* Fewer passwords: Reduce password fatigue and the risk of credential reuse/phishing.
* Faster access: Users sign in once and get in—no account creation or password resets.
* Better compliance: Centralized identity controls help meet SOC 2, ISO 27001, and GDPR requirements.

#### Key benefits

Security & Compliance

* MFA everywhere: Use your existing MFA, risk-based sign-in, and device posture checks.
* Least-privilege by default: Access is gated by your IdP group/role assignments.
* Audit-ready: Authentication logs live in your IdP. Easier evidence collection for audits.
* Rapid offboarding: Disable access in one place; it propagates instantly.
* Data minimization: Authentication delegated to your IdP via SAML; Kernel doesn’t store user passwords.
* Standards-based: SAML 2.0 compatibility with leading IdPs.

Admin & IT Efficiency

* Zero new password lifecycle: No password resets or account provisioning tickets.
* Centralized control: Manage access by groups and roles in your IdP.
* Consistent policy enforcement: Apply conditional access and geo/IP rules once.
* Scale-ready: Add or remove users as your org changes—no app-by-app bookkeeping.

Employee Experience

* One-click access: Users already logged into their IdP get straight into Kernel.
* No new credentials: Less friction, less confusion, less downtime.
* Familiar flow: Works with the same login experience your team already uses.

#### FAQ

Will this work with our IdP?

* Yes - Kernel can support Okta, Microsoft Entra ID (Azure AD), Google Workspace, OneLogin, Ping, and other SAML 2.0 providers.

Does Kernel support password authentication?

* No. Currently we only support login with an OTP code sent via email, and SSO. SAML can be turned on should you require it.

What does Kernel use for the SSO/SAML?

* We have built this with WorkOS, a leader in the field.


