The Single Sign-On (SSO) integration enables organizations to authenticate users through their preferred identity provider. It connects Drata to your enterprise identity provider so your team can securely access Drata using centralized authentication and identity management.
Key Capabilities
Centralized authentication: Allow users to log in to Drata using your identity provider
Identity provider enforcement: Restrict access based on users and groups synced from your IdP
Secure login management: Standardize authentication using enterprise SSO policies
This integration is used to enforce identity and access management controls, helping support compliance with access control and authentication policies.
Prerequisites & Data Access
Admin access to your organization’s identity provider (SSO provider)
A supported identity provider such as:
Entra ID (Azure AD)
Google Workspace
ADP
Auth0
CAS
ClassLink
Cloudflare
CyberArk
Duo
JumpCloud
Keycloak
LastPass
Microsoft AD FS
miniOrange
NetIQ
OneLogin
Oracle
PingFederate
PingOne
Rippling
Salesforce
Shibboleth
Shibboleth Unsolicited
SimpleSAMLphp
VMware
Important requirement:
You must connect an Identity Provider (IdP) to Drata before enabling SSO login.
The SSO connection option will remain disabled on the Connections page until an IdP integration is connected.
Once SSO is enabled, all Drata logins, including administrators, are enforced by the identity provider and restricted to users synced from the IdP.
Permissions & Data Table
Permission/Scope | Why It’s Needed |
Identity provider admin access | Required to configure SSO settings and authorize the connection |
IdP connection in Drata | Required before enabling the SSO login integration |
WorkOS authentication configuration | Enables Drata to connect with the SSO provider |
Step-by-Step Setup
Step 1: Connect an Identity Provider (IdP)
Before setting up SSO login, you must first connect your Identity Provider integration to Drata.
Log in to Drata.
Navigate to the Connections page.
Search for your Identity Provider (for example, Entra ID, Okta, or Google Workspace).
Complete the IdP connection process.
Expected outcome:
Your identity provider is connected to Drata and user identities are synced.
Step 2: Start the SSO Connection
Log in to Drata.
Navigate to the Connections page.
Search for Single Sign-On (SSO).
Start the SSO connection process.
Expected outcome: The SSO setup flow opens.
Step 3: Configure SSO Through WorkOS
When prompted, follow the setup instructions shown in the connection flow.
You will be redirected to the WorkOS configuration page.
Select your SSO provider.
Log in to your identity provider as an administrator.
Follow the configuration steps to create and configure the SSO application within your provider.
Expected outcome: The SSO application is configured in your identity provider.
Step 4: Complete the Connection
After finishing the configuration steps, return to Drata.
Click the Drata logo in the top-left corner if prompted to return to the application.
The SSO connection will complete automatically.
Expected outcome: The SSO connection is successfully established.
Reconnecting an Existing SSO Connection
If you need to reconfigure the SSO integration:
Navigate to the SSO connection on the Connections page.
Select Reset Connection.
Recreate the Enterprise Application in your identity provider using the new credentials.
Select Test sign-in to verify that authentication works correctly.
Click the Drata logo to finalize the connection.
Expected outcome: The SSO connection is successfully reconfigured and sign-in is validated.
Important Notes
The Identity Provider connection must be configured before the SSO connection can be enabled.
The SSO connection uses WorkOS to facilitate authentication with supported providers.
Once SSO is enabled, all Drata authentication is controlled by the identity provider.
Always perform a Test sign-in when reconnecting or resetting the SSO configuration to confirm authentication is working correctly.
