# Authentication using an External Identity Provider

> How users sign in to ABBYY Vantage when the tenant is configured with an External Identity Provider, plus the SAML 2.0 authentication workflow under the hood.

When your tenant is configured with an External Identity Provider, users don't sign in with a Vantage password — they authenticate with the provider, and Vantage grants access based on the provider's confirmation.

## Sign in via an External Identity Provider

<Steps>
  <Step title="Enter your corporate email">
    On the Vantage sign-in page, enter your email in the **Corporate email** field. Vantage redirects you to the Identity Provider's sign-in page.
  </Step>

  <Step title="Authenticate with the Identity Provider">
    Enter your username (or email) and password for the External Identity Provider. After a successful sign-in, Vantage redirects you back.
  </Step>
</Steps>

<Note>
  If your email is registered in multiple tenants configured with the same Identity Provider, Vantage prompts you to choose the tenant you want to sign in to.
</Note>

## Authentication workflow with SAML assertions

The SAML 2.0 standard secures communication between Vantage (the service provider) and the External Identity Provider. Vantage uses SAML assertions to exchange authentication data with a SAML 2.0 External Identity Provider.

Under the hood, a SAML sign-in looks like this:

1. The user requests access to Vantage.
2. Vantage generates a SAML assertion, sends it to the External Identity Provider (via **POST** or **GET**), and redirects the user to the provider's sign-in page.
3. The user authenticates with the External Identity Provider.
4. The External Identity Provider generates a signed assertion and token.
5. The provider forwards the signed assertion and token back to Vantage (via **POST** or **GET**). If valid, Vantage establishes a session.

Once a session is established, the user can request additional Vantage resources without re-authenticating with the External Identity Provider for every request.

## Related topics

<CardGroup cols={2}>
  <Card title="Authentication" icon="key" href="/vantage/documentation/tenant-admin/tenant-management/authentication">
    Sign-in flows for Vantage tenants
  </Card>

  <Card title="Setting up an External Identity Provider" icon="shield-halved" href="/vantage/documentation/tenant-admin/tenant-management/external-identity-provider">
    Overview of OAuth 2.0 and SAML 2.0 provider setup
  </Card>

  <Card title="Setting up an External Identity Provider for a tenant" icon="sliders" href="/vantage/documentation/tenant-admin/tenant-management/configuring-tenant">
    Apply the External Identity Provider to your tenant
  </Card>

  <Card title="Tenant login URL" icon="link" href="/vantage/documentation/tenant-admin/tenant-management/tenant-login-url">
    Tenant-specific sign-in URLs
  </Card>
</CardGroup>
