# SAML Protocol Configuration Options

The following options are available when [setting up an identity provider that uses the SAML 2.0 protocol](https://documentation.immuta.com/saas/~/changes/l3NnvynMHxi6VvqRtJhK/people/section-contents/how-to-guides/enable-saml).

* **Allow identity provider initiated single sign on**: When enabled, users authenticate once in their identity provider and can log in to Immuta.
* **Allow identity provider initiated single logout**: When enabled, users can log out of Immuta or their identity provider and simultaneously log out of other applications. Additional configuration settings will appear when this checkbox is selected:
  * **Logout URL**: The URL of your single sign-on application that users are redirected to after logging out of Immuta. This setting exists because some identity providers differentiate between the logout and authorization URLs.
  * **SLO binding URL**: The URL, displayed by Immuta, that you can add to your identity provider to specify where to send requests or responses to Immuta's SLO requests.
  * **Encryption private key**: An optional private key to encrypt requests.
* **Decryption private key**: The private key for decrypting attribute assertions from the identity provider.
* **Display name**: The internal ID of the identity manager in Immuta. This setting cannot be changed once the configuration is saved.
* **Entry point**: The URL of your single sign-on application that the Immuta login page will redirect to.
* **External groups and attributes endpoint**: A REST endpoint that Immuta will use to retrieve a user's groups and attributes.
* **Issuer**: The URL of the identity provider that issues assertions for authentication.
* **Migrate users**: Migrate users from a previously configured identity provider to the current identity provider.
* **SCIM support**: When enabled, your identity provider automatically creates new users in Immuta and updates existing user accounts, whether or not users log in to Immuta. When you click this checkbox, Immuta generates a SCIM API key.
* **Signing certificate**: Your identity provider's public signing certificate.
* **Sync attributes from SAML to Immuta**: Allows attributes added in your identity provider to be synced with Immuta.
  * **Attribute delimiter**: The character used to split values in a string of attributes. After enabling sync attributes, providing delimiters for attributes is required.
  * **Attribute prefix**: The prefix used for attribute keys.
* **Sync groups from SAML to Immuta**: Allows groups added in your identity provider to be synced with Immuta.
* **Group attribute**: The attribute that contains the user's group. Enable sync groups from SAML to Immuta to make this option available.
* **User ID attribute**: The attribute that contains the user's username.


