
# Single Sign-On (SSO)

## Google SSO

Lago integrates with Google Single Sign-On (Google SSO), enabling your team to access Lago using their existing Google credentials.
This seamless integration allows team members to log in with their corporate Gmail accounts, eliminating the need for additional usernames and passwords.
This streamlines the login process and enhances security by leveraging Google's authentication infrastructure.

## Okta SSO

<Info>
  **PREMIUM ADD-ON** ✨

  This add-on is available on demand only. Please [**contact us**](mailto:hello@getlago.com) to get access to this premium add-on.
</Info>

Lago integrates with Okta Single Sign-On (Okta SSO), enabling your team to access Lago using their existing Okta credentials.

### Mandatory Okta settings

### Configure an Authorization Server

1. Log in to your Okta Admin Console.
2. Navigate to **Security** → **API** → **Authorization Servers**.
3. Create a new server by clicking **Add Authorization Server**.
4. Name: Choose a name for the auth server (e.g., `Lago`)
5. Audience: Enter the audience value, which is usually your app’s base URL (e.g., `https://app.getlago.com` or `https://eu.getlago.com`)
6. Description: Optional field to describe the auth server

### Create scopes

Scopes define the level of access the app is requesting.

1. In the Authorization Server details, click the **Scopes** tab.
2. Add a new scope that your app requires:
3. Name: `user_info`
4. Display name: Access user info
5. Description: This allows you to use user info to sign-in/sign-up to the app
6. User consent: Implicit
7. Default scope: False

### Create an application and settings

1. Go to your Okta Admin Console.
2. Navigate to **Applications** → **Applications**
3. Create a new application by clicking **Create App Integration**
4. **Sign-in method**: Define the method as `OIDC - OpenID Connect` & `Web Application`
5. **Grant type**: Check the `Refresh token` option
6. **Sign-in redirect URLs**: Enter the sign-in redirect value, which is usually your app’s base URL followed by `/auth/okta/callback` (e.g., `https://app.getlago.com/auth/okta/callback` or `https://eu.getlago.com/auth/okta/callback`)
7. **Assignments**: Define the assignment option based on your policy
   Once the application is created, please ensure the `Refresh tokens behaviour` is set to `Use persistent token`.
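To check the finished application against the settings listed above, the following added example (not code from Lago or Okta) audits an app object exported as JSON from Okta. It assumes the Okta Apps API field names `signOnMode` and `settings.oauthClient`; the function name `audit_okta_app` is hypothetical and the sample object is constructed.

```python
from urllib.parse import urlsplit

CALLBACK_PATH = "/auth/okta/callback"  # path from this page's redirect examples


def audit_okta_app(app: dict, lago_base_url: str) -> list[str]:
    """Compare an Okta app object with the settings this page asks for."""
    findings = []
    oauth = app.get("settings", {}).get("oauthClient", {})

    if app.get("signOnMode") != "OPENID_CONNECT":
        findings.append("sign-in method is not OIDC - OpenID Connect")
    if oauth.get("application_type") != "web":
        findings.append("application type is not Web Application")
    if "refresh_token" not in oauth.get("grant_types", []):
        findings.append("Refresh token grant type is not checked")

    # Every registered redirect is a place authorization codes can be sent,
    # so anything other than the exact Lago callback is reported.
    expected = lago_base_url.rstrip("/") + CALLBACK_PATH
    uris = oauth.get("redirect_uris", [])
    if expected not in uris:
        findings.append(f"missing sign-in redirect {expected}")
    for uri in uris:
        if uri == expected:
            continue
        if urlsplit(uri).scheme != "https" or "*" in uri:
            findings.append(f"insecure sign-in redirect {uri}")
        else:
            findings.append(f"unexpected sign-in redirect {uri}")

    # Assumption: "Use persistent token" is stored as rotation_type STATIC.
    if oauth.get("refresh_token", {}).get("rotation_type") != "STATIC":
        findings.append("refresh token behaviour is not Use persistent token")
    return findings


# Constructed sample: an app with three deviations from the steps above.
SAMPLE_APP = {
    "signOnMode": "OPENID_CONNECT",
    "settings": {"oauthClient": {
        "application_type": "web",
        "grant_types": ["authorization_code"],
        "redirect_uris": ["https://app.getlago.com/auth/okta/callback",
                          "http://app.getlago.com/auth/okta/callback"],
        "refresh_token": {"rotation_type": "ROTATE"},
    }},
}

if __name__ == "__main__":
    print("\n".join(audit_okta_app(SAMPLE_APP, "https://app.getlago.com")))
```

An empty list means the exported application matches the sign-in method, grant type, redirect and refresh token settings described in this section.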

### Connect Lago to Okta

To connect Lago to Okta, please follow these steps:

1. Go to your Lago Settings view.
2. Access the Authentication section.
3. Domain name: usually your app base URL (e.g., `acme.com`)
4. Application client ID: Public identifier for the client that is required for all OAuth flows.
5. Application client secret: Secret generated by Okta for this application
6. Okta organization name: Name of your organization (e.g., for a trial account `trial-5875810`)

Once all of these settings are configured, don’t forget to add users to your Okta account and verify their accounts.

### Log in to Lago or join an existing organization

Once this integration is switched on, it allows team members to log in or join an existing organization with their corporate Okta accounts, eliminating the need for additional usernames and passwords. This streamlines the login process and enhances security by leveraging Okta’s authentication infrastructure.

### Edit or delete Okta's connection

Once this integration is switched on, you can edit the connection information or delete it. Please note that once deleted, you won't be able to access Lago via Okta SSO. Use the Forgot password feature to regain access to your account.

## Login Method Enforcement

As an organization admin, you can control which authentication methods are allowed for your team. This feature helps maintain security compliance by enforcing specific login methods across your organization.

### Managing Authentication Methods

Admins can configure allowed login methods from the **Organization Settings / Authentication** tab:

1. Navigate to your organization settings
2. Click on the **Authentication** section
3. Enable or disable login methods such as:
   * Password login
   * Google OAuth
   * Okta SSO (if connected)

Only enabled methods will be available to users for login.
