# Profile & Login

Manage your 2FA settings, multiple account logins, and SSO configuration.

## Two-factor authentication

2FA is always required for all users when accessing Tray. By default, email-based 2FA is enforced on every login — a one-time code is sent which must be entered to complete authentication.

Users can configure TOTP-based 2FA as an alternative to email, using apps like Google Authenticator or Authy. To enable, go to **Profile settings** > **2FA** and follow the prompts. You will need your password and your authenticator app to scan the QR code.

For organisations with specific 2FA requirements, SSO should be used so that 2FA can be managed at your Identity Provider. When SSO is enforced, email 2FA will not trigger. If SSO is enabled but not enforced, email 2FA will still apply.

## Managing multiple logins

You can be signed into multiple Tray accounts at once, allowing you to switch between them quickly.

![multiple-accounts-completed](https://tray.ai/documentation/images/platform/enterprise-core/organisation-management/users/profile-login/6gfWJ0zlPCSMsyiKosYCh4_Profile%20_%20login%20management.png)

### Adding accounts

1. Click on your profile and select **Add another account**
2. Log in with the additional account credentials

### Notes

* Logging out of one account logs you out of all accounts
* You cannot use multiple accounts across different browser tabs simultaneously

## Single Sign-On

SSO is available on Enterprise plans or as an add-on. It can be configured with any SAML 2.0 compatible Identity Provider (e.g. Okta, OneLogin, Duo).

Tray also has connectors for various SSO providers (e.g. [Okta](https://tray.ai/documentation/connectors/service/okta/), [OneLogin](https://tray.ai/documentation/connectors/service/onelogin/)) or you can use the [HTTP Client](https://tray.ai/documentation/connectors/core/http-client) to improve your provisioning automations.

### Setup

To configure SSO for your organisation, open a support ticket from the app and select **SSO Enablement**. The relevant setup information will then be shared.

SSO is initially enabled as optional, allowing you to test before enforcing. Once enforced, it applies to all users in your organisation.

### Notes

* **Just-In-Time provisioning** — new users logging in via SSO are automatically provisioned with the Org Contributor role.
* **Domain-based redirection** (optional) — automatically redirects users to your Identity Provider when they enter their email on the login page. This won't work if you have multiple organisations on the same domain.
* **SSO and 2FA** — when SSO is enforced, email 2FA will not trigger; 2FA should be managed at your Identity Provider. If SSO is enabled but not enforced, email 2FA will still apply.

### Instructions for individual SSO providers

### Okta

Below is a summary of setup instructions for Okta users.

### 1 - Create Okta SAML app

Users will first **need to create an Okta SAML application**, as per the [Okta](https://developer.okta.com/docs/guides/saml-application-setup/overview/) setup guide instructions.

Choose your **App name**.

### 2 - Replace your Org ID

Anywhere you see **organisation\_id** below, please replace it with the `organisation_id` of your company.

Continue setup with the following values updated as demonstrated below:

* **Single sign-on URL**: `https://sso.tray.io/login/callback?connection=organisation_id`

> **Info:** use the correct base URL depending on your region:
>
> * US: `https://`**`sso.tray.io`**`/login/callback?connection={organisation_id}`
> * EU: `https://`**`sso.eu1.tray.io`**`/login/callback?connection={organisation_id}`
> * AP: `https://`**`sso.ap1.tray.io`**`/login/callback?connection={organisation_id}`

* **Audience URI (SP entity ID)**: `urn:auth0:trayio:organisation_id`
* **Default relay state**:
* **Name ID format**: Unspecified
* **Application username**: Okta username

### 3 - Update your Attribute elements

In the **Attribute statements** section, add the following two attributes:

First attribute:

* **Name:** `email`
* **NameFormat:** `unspecified`
* **Value:** select `user.email` from the dropdown options

Second attribute:

* **Name:** `name`
* **NameFormat:** `unspecified`
* **Value:** select `user.firstName` from the dropdown options

### 4 - Provide Tray with your details

Once the above is set, you will need to provide Tray.io with the following information (available from the Okta admin interface):

* **IdP single sign-on URL**
* **X509 signing certificate**

Following completion of the above your setup should be complete.
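
Before sending your details to Tray, you can check a previewed SAML assertion from your Identity Provider against the values from steps 2 and 3. The script below is an added example, not Tray or Okta code: the function names and the `example-org-id` placeholder are hypothetical, the sample assertion is constructed, and it assumes the Single sign-on URL appears as the assertion's `Recipient`, as is usual for SAML 2.0 web SSO.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Regional SSO hosts as listed on this page.
HOSTS = {"US": "sso.tray.io", "EU": "sso.eu1.tray.io", "AP": "sso.ap1.tray.io"}

# Constructed sample (not real IdP output): EU recipient, no "name" attribute.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:SubjectConfirmation>
    <saml:SubjectConfirmationData Recipient="https://sso.eu1.tray.io/login/callback?connection=example-org-id"/>
  </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>urn:auth0:trayio:example-org-id</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>ada@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def expected_values(org_id, region="US"):
    """Return (single sign-on URL, audience URI) for an organisation and region."""
    acs = f"https://{HOSTS[region]}/login/callback?connection={org_id}"
    return acs, f"urn:auth0:trayio:{org_id}"


def check_assertion(xml_text, org_id, region="US"):
    """List mismatches between an assertion and the settings in steps 2 and 3.

    Configuration check only: the XML signature is not verified here.
    """
    acs, audience = expected_values(org_id, region)
    # Input is your own IdP's preview output; use defusedxml for untrusted XML.
    root = ET.fromstring(xml_text)
    problems = []
    audiences = [a.text.strip() for a in root.iterfind(".//saml:Audience", NS) if a.text]
    if audience not in audiences:
        problems.append(f"audience {audiences} does not include {audience}")
    recipients = [d.get("Recipient") for d in root.iterfind(".//saml:SubjectConfirmationData", NS)]
    if acs not in recipients:
        problems.append(f"recipient {recipients} does not include {acs}")
    values = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        values[attr.get("Name")] = (value.text or "").strip() if value is not None else ""
    for name in ("email", "name"):
        if not values.get(name):
            problems.append(f"attribute '{name}' is missing or empty")
    return problems
```

Calling `check_assertion(SAMPLE, "example-org-id", "EU")` reports only the missing `name` attribute; passing `"US"` for the same sample also flags the recipient, which is the symptom of using the wrong regional base URL.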
