
> Configure security policies for an Auth0 Team to enforce MFA, session, and IP allowlist requirements across team members.

# Configure Security Policies

<Warning>
  This feature is offered as Early Access to Public Cloud Enterprise tenants and as a Beta release to Private Cloud Enterprise tenants. By using this feature, you agree to the applicable Free Trial terms in Okta’s [Master Subscription Agreement](https://www.okta.com/legal/). To learn more about Auth0’s release stages, read [Product Release Stages](/docs/troubleshoot/product-lifecycle/product-release-stages).
</Warning>

Security policies allow [team owners](/docs/get-started/auth0-teams/team-member-management) to configure and implement authentication rules that adhere to your organization's IT security policies for access to infrastructure systems or applications.

## Available Enterprise IdP Connections

Auth0 Teams allows you to connect to your <Tooltip tip="Identity Provider (IdP): Service that stores and manages digital identities." cta="View Glossary" href="/docs/glossary?term=identity+provider">identity provider</Tooltip> (IdP) to provide single sign-on (<Tooltip tip="Single Sign-On (SSO): Authentication scheme that lets a user log in once and access multiple applications." cta="View Glossary" href="/docs/glossary?term=SSO">SSO</Tooltip>) for team members.

### Add SSO connection (Beta)

You can configure an SSO connection in the Auth0 Teams Dashboard.

<Callout icon="file-lines" color="#0EA5E9" iconType="regular">
  Before you add an SSO connection, you need to collect the following information:

  * Your IdP provider (for example: Okta, ADFS, or Google Workspace)
  * Your IdP domain
  * Auth0 Callback URL (`https://auth0.auth0.com/login/callback`)
  * Your Client ID, Client Secret, Sign-in URL, and Signing Certificate (depending on your IdP)
</Callout>

1. Go to [**Security**](https://accounts.auth0.com/teams/#/security-policies).
2. Select **+ Add Connection (Beta)**, and then select **Get Started**.
3. Choose an identity provider, and then select **Next**.
4. Follow the instructions to create an application, and then select **Next**.
5. Configure your connection, then select **Create Connection**.
6. Read the prompt, then select **Proceed**.
7. Follow the instructions to grant users and groups access, and then select **Next**.
8. Select **Test Connection** to verify that your connection is configured properly.
9. When ready, select **Enable Connection**.

After you enable your connection, it appears in the **Available Enterprise IdP Connections** section of the **Security Policies** page.

### Configure just-in-time (JIT) provisioning

JIT provisioning enables Auth0 to automatically create an account for team members who log in through an SSO connection.

<Callout icon="file-lines" color="#0EA5E9" iconType="regular">
  You must enable [Tenant Member Management](/docs/get-started/auth0-teams/tenant-member-management) to configure JIT provisioning.
</Callout>

1. Go to [Security](https://accounts.auth0.com/teams/#/security-policies).
2. Locate the **Available Enterprise IdP Connections** section.
3. Enable the **JIT Membership** toggle for the connection.

## Enforce Single Sign On

Auth0 Teams allows you to require team members to log in through one of your **Available Enterprise IdP Connections**.

<Callout icon="file-lines" color="#0EA5E9" iconType="regular">
  To enforce SSO, you must be logged in through an SSO connection and have the **Team Owner** role.

  If you are not logged in through an SSO connection, but you have one configured, you can [invite yourself to your Auth0 Team](/docs/get-started/auth0-teams/team-member-management) on that connection.
</Callout>

### Use JIT provisioning

This method allows team members to log in to the SSO connection immediately after it's enabled, and instructs Auth0 to automatically create an account for them after the first time they log in successfully.

1. Enable [Tenant Member Management](/docs/get-started/auth0-teams/tenant-member-management).
2. Enable the **JIT Membership** toggle for the SSO connection.
3. Go to the Teams Dashboard’s Settings page and note your team's permalink value.
4. Instruct all team members to log out of the Auth0 Teams Dashboard and log in via the SSO connection. The URL structure for the team members to follow is `https://accounts.auth0.com/teams/{team-permalink}`.
5. Auth0 automatically creates a new account (on the SSO connection) for each team member.
6. Assign each team member's new account the same [team role](/docs/get-started/auth0-teams/team-member-management) as their old account.
7. (Optional) Delete each team member's old account.

### Manage team and tenant membership manually

This method allows you to manage team members separately from tenant members.

For team members, [send a new invitation from the Teams Dashboard](/docs/get-started/auth0-teams/team-member-management) and instruct them to accept the invitation using the SSO connection.

For tenant members, [send a new invitation from the Auth0 Dashboard](/docs/get-started/manage-dashboard-access/add-dashboard-users) from each tenant they're a member of and instruct them to accept the invitation using the SSO connection.

After accepting the invitation, Private Cloud Enterprise customers that enforce SSO and/or use Tenant Member Management can click the **Continue with Auth0 Teams** login button in their Private Cloud <Tooltip tip="" cta="View Glossary" href="/docs/glossary?term=Auth0+Dashboard">Auth0 Dashboard</Tooltip>.

### Configure home-realm discovery (HRD)

If you enable HRD, Auth0 recognizes the domain of the email address a team member enters and directs them to the associated SSO connection.

<Warning>
  Before you enable HRD, make sure your team members are prepared!

  If you're using Team Member Management and JIT provisioning, notify your team members of the new behavior.

  If you're managing team membership manually, ensure all team members have an account on the associated SSO connection and they know how to log in.
</Warning>

1. [Open a ticket](https://support.auth0.com) with Auth0 Support.
2. Let them know you'd like to enable HRD for an Auth0 Teams SSO connection, and provide the following information:

   * Your **Team Name** and **Team Permalink**
   * The name of the SSO connection
   * The domain associated with the SSO connection
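The three behaviours this page describes, SSO enforcement, JIT membership on first login, and HRD routing by email domain, modelled together as an added example; this is illustrative code, not Auth0's implementation. The `TeamPolicy`, `SsoConnection` and `evaluate_login` names, the connection names and domains, and the `allow`/`provision`/`deny:<reason>` result strings are all constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

@dataclass
class SsoConnection:
    name: str
    domain: str           # email domain HRD associates with this connection
    jit_membership: bool  # state of the connection's "JIT Membership" toggle

@dataclass
class TeamPolicy:
    enforce_sso: bool
    connections: Dict[str, SsoConnection]  # Available Enterprise IdP Connections
    members: Dict[str, str] = field(default_factory=dict)  # email -> connection

def sample_policy() -> TeamPolicy:
    """Constructed sample team: SSO enforced, one JIT and one manual connection."""
    return TeamPolicy(enforce_sso=True, connections={
        "example-okta": SsoConnection("example-okta", "example.com", True),
        "example-adfs": SsoConnection("example-adfs", "corp.example.net", False),
    })

def hrd_connection(policy: TeamPolicy, email: str) -> Optional[str]:
    """Pick the SSO connection for an email by exact domain match (HRD)."""
    if email.count("@") != 1:  # malformed address: no realm can be chosen
        return None
    domain = email.rsplit("@", 1)[1].strip().lower().rstrip(".")
    # Exact match only: a suffix test would route 'notexample.com' or
    # 'example.com.attacker.test' users to the wrong realm.
    for conn in policy.connections.values():
        if conn.domain.lower() == domain:
            return conn.name
    return None

def evaluate_login(policy: TeamPolicy, email: str, connection: Optional[str]) -> str:
    """Decide a team login; returns 'allow', 'provision' (JIT) or 'deny:<reason>'."""
    if connection is None:  # the non-SSO login path
        return "deny:sso-required" if policy.enforce_sso else "allow"
    conn = policy.connections.get(connection)
    if conn is None:  # not one of the team's enabled IdP connections
        return "deny:unknown-connection"
    email = email.lower()
    if policy.members.get(email) == conn.name:
        return "allow"
    if conn.jit_membership:
        policy.members[email] = conn.name  # account created on first successful login
        return "provision"
    return "deny:not-a-member"  # needs a manual invitation on this connection
```

The `hrd_connection` check is the part worth copying into any HRD-style router of your own: match the domain exactly, never by suffix.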
