---
locale: "en"
updated_at: "2026-06-30T14:44:08.344Z"
canonical: "https://www.isdecisions.com/en/userlock/docs/guides/sso/install-configure-sso"
---

# Install & configure the SSO Service

Setup the service, configure the DNS.

## Overview

UserLock Single Sign-On (SSO) acts as an Identity Provider (IdP) for SAML and OIDC-compatible platforms.
It allows users to **authenticate once with their Windows credentials** and access multiple web or SaaS applications without re-entering their password.

This guide explains how to install the SSO service, configure DNS, and activate SSO within UserLock.

## Requirements

The server hosting the UserLock SSO service must meet the following prerequisites:

| **Component** | **Requirements** |
| --- | --- |
| **Operating system** | Windows Server 2012 R2 or later |
| **Frameworks** | Microsoft .NET Framework 4.7.2 and .NET 8.0 or higher |
| **Network** | The SSO server must be member of the domain and have **network access** to domain controllers and the Internet. |
| **Registered domain** | A registered FQDN (e.g. `sso.mydomain.com`) with a valid SSL certificate. |
| **Authorized administrator** | Sign in with a Domain Administrator account, or a user in the `UserLock SSO Admins` AD group (create it if it doesn’t exist). |
| **Browsers** | Recent versions of Edge, Chrome, or Firefox with JavaScript and cookies enabled. |

## Step 1. Install the UserLock SSO service

You should install the SSO service **on a separate server** from the primary UserLock server.

This helps balance the load and keeps SSO web traffic separate from core UserLock operations.

1. Run the **UserLock installer**.
2. Choose **Custom setup**.
3. Add the **UserLockSSO **feature.
4. Unselect other features you do not need.
5. Complete the installation wizard.

![](https://a.storyblok.com/f/122374/495x376/4cef438977/install-shield-userlock-sso-en.png)

## Step 2. Configure your DNS

Correct DNS configuration is **required** for SSO to work correctly.
It ensures that both internal and external clients can resolve the SSO service hostname (for example, `sso.yourdomain.com`) and access it via HTTPS.

### External DNS Configuration

1. Create a **public DNS record** for your SSO hostname (e.g., `sso.yourdomain.com`) pointing to your organization’s **public IP address**.
2. Verify that port **443 (HTTPS)** is open and correctly routed to the SSO server.
3. Ensure that the **SSL certificate** used by the SSO service matches the chosen hostname.

### Internal DNS Configuration

1. On your internal DNS server, create an **A record** or **CNAME** for the same hostname (e.g., `sso.yourdomain.com`).
2. Point it to the **internal IP address** of the SSO server.
3. Ensure this record is reachable from all internal network clients.

> **Verification**
>
> Use `nslookup sso.yourdomain.com` from both internal and external networks to confirm that the hostname resolves correctly.
> 
> - Inside your corporate network, it should resolve to the **internal IP**.
> - From outside, it should resolve to the **public IP**.

## Step 3. Configure the UserLock SSO service

1. Launch the **UserLock Configuration Wizard.**
2. Proceed to the **Single Sign-On** step.
  ![](https://a.storyblok.com/f/122374/1235x832/44dca54530/sso-empty-configuration.png)
3. Configure the following settings:
  |  |  |
  | --- | --- |
  | SSO domain URL | Enter the registered domain (e.g. `https://sso.yourdomain.com`) |
  | Port | `443` (this port is customizable) |
  | SSL certificate | Select a valid `.pfx` certificate matching your registered domain. It must include a private key. |
  | SAML certificate lifetime | Defines how often the internal SAML certificate is renewed (between 2 months and 10 years). For details, see the [Certificate renewal](/userlock/docs/guides/sso/renew-saml-certificate) section. |
  | **Add service address to intranet zone** | Automatically adds the SSO address to the browser’s intranet zone to reduce login prompts. |
4. Once everything is configured, you can select **Continue**.
  ![](https://a.storyblok.com/f/122374/1236x833/3d1d184dcd/sso-service-started.png)

## Next steps

- [Configure an SSO Backup service](/userlock/docs/guides/sso/install-backup-sso-server) to prevent access loss.
- [Configure SSO for a SaaS application](/userlock/docs/guides/sso/configure-the-applications/) to protect your cloud services.
- [Apply MFA on SaaS connections](/userlock/docs/guides/mfa-implementation/mfa-for-sso) to require stronger authentication.
- [Hour restrictions](/userlock/docs/reference/access-policies/time-restriction): define when users are allowed to connect.
- [Geolocation rules](/userlock/docs/reference/access-policies/geolocation): enforce access policies based on user location.
- [Session limits](/userlock/docs/reference/access-policies/session-limit): allow or deny SaaS logins entirely for specific users.
