# Single Sign-On

{% hint style="info" %}
A license is required to enable Single Sign-On. For more information, [contact DNAnexus Sales](mailto:sales@dnanexus.com).
{% endhint %}

Using identity management services like [PingIdentity](https://www.pingidentity.com/en.html) PingOne, [Okta](https://www.okta.com/), and [OneLogin](https://www.onelogin.com/), DNAnexus users within your organization can use their [Active Directory](https://en.wikipedia.org/wiki/Active_Directory) or [LDAP](https://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol)-based accounts to log into DNAnexus.

## How do users register their SSO accounts on DNAnexus for the first time?

DNAnexus supports SSO just-in-time provisioning of accounts authorized by the identity provider. When the user logs in via their identity management SSO portal, DNAnexus automatically creates a new account if necessary, and links it to the identity sent by the identity provider.

## How do users begin the SSO login process?

To log in, users should first access their identity management SSO portal and select the DNAnexus application. They are then automatically redirected into the DNAnexus Platform.

## Can SSO users log in through the DNAnexus login page?

This process (known as SP-initiated SSO) is not yet supported. Users see an error message prompting them to instead log in through their identity management SSO portal.

## Are there any differences between features available to SSO users compared to regular users?

Yes. SSO users cannot change their email address or password, or enable 2-Factor Authentication on the DNAnexus website. Users should use the identity management service to configure these options instead.

## How can administrators control who can sign in using SSO?

Use the administrative management console for your identity management service to manage your organization's SSO users.

## Is single logout (SLO) supported?

No, single logout is not yet supported. Contact [DNAnexus Support](mailto:support@dnanexus.com) to request this feature.

## Is IdP-initiated SSO supported?

Yes. To log in, users should first access their identity management SSO portal and select the DNAnexus application. They are then automatically redirected into the DNAnexus Platform.

## Is SP-initiated SSO supported?

No, SP-initiated login is not yet supported. Contact [DNAnexus Support](mailto:support@dnanexus.com) to request this feature.

## Are SSO users automatically added to their DNAnexus organization and billing account?

No, this process is manual. Contact [DNAnexus Support](mailto:support@dnanexus.com) to request that a user be added to an organization.

## How can SSO users log in using the command line client `dx`?

When trying to log in with `dx login`, SSO users receive this message:

```
dx: Login error: SSORequiredError: The user is registered via single sign-on
 and may only log in through the identity provider, code 403
```

To use the command line with an SSO-enabled account, first create an API token on the DNAnexus Platform website. Click on the user name and navigate to the **Profile**, then click **API Tokens** and create a new token. Then specify the token on the command line using `dx login --token TOKEN`.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://documentation.dnanexus.com/admin/single-sign-on.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.