# SSO setup Help Center | LeasePilot [Help index](/resources/help#step-throughs)02 · Admin Step-through # SSO setup Sign in through your identity provider (Okta, Azure AD, others). Workflow Admin Format Reference Read time 2 min Walkthrough in production We’re still drafting this one. For a live walkthrough on your forms, ask the team that built your platform. Most of the work in setting up SSO happens in your identity provider, where your IT team already configures dozens of other apps. LeasePilot's part is short: a single form your IT admin fills out, the same shape regardless of which IdP you run. From start to working sign-in is usually one working session, not a multi-week rollout. ## 01How it works 1. i.**We send a setup link** to your IT admin during onboarding, or whenever your firm decides to switch SSO on. The link opens a form preconfigured for your account. 2. ii.**Your IT admin fills the form** with connection details from your identity provider — metadata URL, certificate, claim mappings, the usual. The form looks the same whether you run Okta, Azure AD, Google Workspace, OneLogin, or something else. 3. iii.**They finish in the IdP.** Your IT team assigns users or groups to the LeasePilot application and tests sign-in once. Anyone in the assigned group sees the SSO path the next time they sign in. The reason that form is consistent across providers is that LeasePilot uses WorkOS as its SSO layer. If your IT admin has already wired up another tool through WorkOS, the LeasePilot form will look familiar: same fields, same flow. ## 02When something needs to change If your IdP changes, your group assignments shift, or you migrate from one provider to another (Okta to Azure AD, for example), tell your implementation team. We re-send the setup link, your IT admin updates the form, and the new provider takes over without users having to relearn anything. > Note**When SSO is on, LeasePilot passwords stop mattering for those users.** Anyone signing in through your IdP authenticates there every time, so password resets, rotation policies, and shared-password worries belong to your provider rather than to LeasePilot. That's the point. * * * Once SSO is live, the [sign-in flow](/resources/help/demos/sign-in-flow) detects it from the email a user enters and routes them to your IdP automatically. Users who want a second factor on top can still turn 2FA on from [their account](/resources/help/demos/settings-area). See also ## Adjacent step-throughs [Full index](/resources/help#step-throughs) 1. [01 Manage your account Update your details, change your password, and turn on two-factor authentication. Account](/resources/help/demos/settings-area) 2. [02 Sign in to LeasePilot Sign in: email first, then SSO or password, plus 2FA when enabled. Account](/resources/help/demos/sign-in-flow) 3. [03 IP address restrictions Limit who can reach LeasePilot to specific IP addresses or ranges. Admin](/resources/help/demos/security) 4. [04 Manage users Add users, assign roles, set permissions, and deactivate accounts. Admin](/resources/help/demos/user-management) 5. [05 API token View, copy, and rotate the token your integrations use to authenticate with LeasePilot. Admin](/resources/help/demos/api-management) Sign-off ## See it on your forms, not a generic demo. A 30-minute walkthrough, built around your forms, your clauses, and your deal logic. [Schedule a demo](/demo)[Already on LeasePilot? Contact your team](/company/contact?type=support)