> ## Documentation Index
> Fetch the complete documentation index at: https://docs.spacemedia.uk/llms.txt
> Use this file to discover all available pages before exploring further.

# SSO Identity Provider

> Use SpaceMedia as the OAuth identity provider for an external application, generate client credentials, and configure JWT handoff settings.

# SSO Identity Provider

Identity SSO lets an organization admin use SpaceMedia as the identity provider for an organization-owned application.

## Admin flow

1. Enter the external application's redirect URI.
2. Generate the OAuth client for the organization.
3. Store the returned client credentials securely.
4. Optionally configure JWT return settings when the external app expects JWT handoff.
5. Enable or disable the identity SSO configuration from the dashboard.

## Generated OAuth fields

| Field                 | Meaning                                              |
| --------------------- | ---------------------------------------------------- |
| `client_id`           | Organization OAuth client identifier.                |
| `client_secret`       | Organization OAuth client secret. Store it securely. |
| `oauth_client_id`     | OAuth client ID persisted for the organization.      |
| `oauth_client_secret` | OAuth client secret persisted for the organization.  |
| `redirect_uri`        | External app redirect URI.                           |

## JWT fields

| Field            | Meaning                            |
| ---------------- | ---------------------------------- |
| `jwt_secret`     | Secret used for JWT handoff.       |
| `jwt_return_url` | URL that receives the JWT handoff. |

## Access boundary

Only organization admins can manage identity SSO. API examples must not expose client secrets, JWT secrets, or return URLs from real organizations.
