# Custom SAML SSO

Use this guide when your provider supports SAML 2.0 but is not listed as a preset.

{/* Screenshot placeholder: /docs/images/sso/providers/custom-saml.png */}

## Provider setup

Create a SAML 2.0 application in your identity provider and configure the Lettermint service provider values from the SSO setup screen.

The provider should return an email address for the user. Lettermint uses the email address to match the managed team domain.

## Lettermint setup

In the Lettermint SSO setup screen, choose **Custom SAML** and enter:

| Field | Description |
|-------|-------------|
| Domain | The verified email domain that should use this provider. |
| Metadata URL | The IdP metadata URL, when available. |
| Entity ID | The IdP entity ID. |
| SSO URL | The IdP sign-in URL. |
| Certificate | The IdP signing certificate. |

Use the metadata URL when your identity provider offers one. It reduces manual configuration and makes certificate rollover easier.

## References

- [OASIS: SAML 2.0 Technical Overview](https://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html)
