# Enabling Single Sign-On (SSO) for Employees

To allow employees to use the SSO service, follow these steps:

### **1. Order Licenses**

Ensure that you have an active [license](https://enterprise.hideez.com/hideez-enterprise-server/single-sign-on-settings/how-to-get-employee-licenses) for each employee who needs access to the Hideez Enterprise Server (HES) and SSO functionality.

### **2. Assign SSO Permissions**

By default, employee accounts do not have access to the SSO service. This access must be explicitly granted by an administrator.\
You can [enable](https://enterprise.hideez.com/employees/how-to-add-an-employee#the-single-sign-on-page-optional) SSO either when creating a new employee or by editing an existing one:

* **For New Employees**: Select the **Enable SSO** option during the employee creation process.
* **For Existing Employees**:
  * Go to the **Employees** section.
  * Select the employee.
  * Click **Edit**.
  * On the opened page, click the **Enable SSO** button to grant access.

![](https://content.gitbook.com/content/RdTysrljwe610dPFG7tE/blobs/4AWaWBa1R3bKvbRMyYRp/image.png)

![](https://content.gitbook.com/content/RdTysrljwe610dPFG7tE/blobs/EgDOceTfHwanH5TL6pfU/image.png)

### **3. Enable Authentication Methods**

* To enable passwordless authentication, check the **"Passwordless Authentication"** checkbox.

<figure><img src="https://1669663611-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FRdTysrljwe610dPFG7tE%2Fuploads%2FMK6GFVXDQ1hUeGtiL14g%2Fimage.png?alt=media&#x26;token=33303562-6b17-4f41-8b8c-8eea4a1cd512" alt="" width="563"><figcaption></figcaption></figure>

* To enable two-factor authentication (2FA), check the **"Use Two-Factor Authentication"** checkbox.

<figure><img src="https://1669663611-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FRdTysrljwe610dPFG7tE%2Fuploads%2F6YtS62uJsMvXYmbLxyby%2Fimage.png?alt=media&#x26;token=0a7697c5-9fde-416e-9e06-ccd25d812383" alt="" width="563"><figcaption></figcaption></figure>

{% hint style="info" %}
**Note:** A valid email address is required to activate SSO for the employee.
{% endhint %}

### Advanced Settings

If **External ID** is used as the **Name Identifier Field** in your SAML configuration, you must manually populate the External ID for each employee.

To do this:

1. Go to **Employees**.
2. Select an employee.
3. Click **Details**.
4. Navigate to the **Single Sign-On** section.
5. Click **Edit settings**.
6. Enter the **External ID** value and save the changes.

![](https://content.gitbook.com/content/RdTysrljwe610dPFG7tE/blobs/8HtDAv6AAZbVhpnxr4An/Screenshot_29.jpg)
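The following is an added example, not part of the Hideez documentation or product: a pre-flight check over an employee roster that flags SSO-enabled accounts without a valid email, and, when External ID is the Name Identifier Field, accounts whose External ID is missing or shared with another employee (a shared value would send the same NameID for two different people). The CSV layout, column names and the function `audit_sso_roster` are assumptions made for this example.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample data. The column names are assumptions for this example,
# not a documented HES export format.
SAMPLE_CSV = """\
email,sso_enabled,external_id
alice@example.com,true,EMP-1001
bob@example.com,true,
carol@example,true,EMP-1003
dave@example.com,true,EMP-1001
erin@example.com,false,
"""

# Deliberately simple syntax check: one "@", no whitespace, a dot in the domain.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def audit_sso_roster(csv_text, name_id_is_external_id=True):
    """Return a sorted list of (email, problem) for SSO-enabled employees."""
    rows = [
        {k: (v or "").strip() for k, v in row.items()}
        for row in csv.DictReader(io.StringIO(csv_text))
    ]
    sso_rows = [r for r in rows if r["sso_enabled"].lower() == "true"]
    # Case-insensitive comparison is a conservative choice made by this example.
    id_counts = Counter(r["external_id"].lower() for r in sso_rows if r["external_id"])
    findings = []
    for r in sso_rows:
        if not EMAIL_RE.match(r["email"]):
            findings.append((r["email"], "invalid email"))
        if not name_id_is_external_id:
            continue  # External ID is not sent as NameID, so skip those checks
        if not r["external_id"]:
            findings.append((r["email"], "missing External ID"))
        elif id_counts[r["external_id"].lower()] > 1:
            findings.append((r["email"], "duplicate External ID"))
    return sorted(findings)


if __name__ == "__main__":
    for email, problem in audit_sso_roster(SAMPLE_CSV):
        print(f"{email}: {problem}")
```

Accounts without SSO enabled are ignored, so an empty External ID on such an account is not reported.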
