# Authentik SSO

Learn how to connect your Authentik app with Better Stack to enable single sign-on (SSO) for you and your colleagues.

### SSO setup

1.  Go to [Single Sign-On configuration](https://betterstack.com/settings/sso ";_blank").
2.  Click **Connect** on the **Generic SAML SSO** panel and select **Authentik**.
3.  Note the **Entity ID** and **ACS URL**. You will need them in a moment.

#### In Authentik

1.  Sign in to your Authentik administration.
2.  In the left menu, go to **Customization -> Property Mappings**.
3.  Click **Create**, select **SAML Property Mapping**, and enter the following:
    *   **Name**: `email`
    *   **SAML Attribute Name**: `email`
    *   **Expression**: `return request.user.email`
4.  Click **Finish**.
5.  In the left menu, go to **Applications -> Providers**.
6.  Click **Create**, select **SAML Provider**, and enter the following:
    *   **Name**: The **Entity ID** from Better Stack.
    *   **Authentication flow**: Select the default authentication flow.
    *   **Authorization flow**: Select the default provider authorization flow.
    *   **ACS URL**: The **ACS URL** from Better Stack.
    *   **Issuer**: `betterstack`
    *   **Service Provider Binding**: **Redirect**
7.  Open **Advanced protocol settings**:
    *   For **Signing Certificate**, select `authentik Self-signed Certificate`.
    *   In **Property mappings**, select the `email` mapping you just created.
8.  Click **Finish**.
9.  In the left menu, go to **Applications -> Applications**.
10. Click **Create** and enter the following:
    *   **Name**: `Better Stack`
    *   **Slug**: `better-stack`
    *   **Provider**: Select the provider you just created.
11. Click **Create**.
12. In the left menu, go to **Applications -> Providers** and click on your newly created provider.
13. Copy the **SSO URL (Redirect)**.
14. Go to the **Metadata** tab and copy the content of the `<ds:X509Certificate>` element.

#### In Better Stack

1.  Paste the **SSO URL (Redirect)** into the **Identity Provider Single Sign-On URL** field.
2.  Paste the certificate content into the **X.509 Certificate** field.
3.  Click **Connect**. You will be redirected to Authentik to sign in.

You're done. Your Authentik Single Sign-On is now configured.