# Single Sign-On **Single Sign-On** in Glaze is automatic team join by **email domain**. Once you verify that your team owns a domain like `yourcompany.com`, anyone who signs up to Glaze with an email on that domain joins your team automatically as a **member**. Set up is limited to a team's **owners** and **admins**, from the team's tab in **Settings**. ## Set Up 1. **Enable Single Sign-On**: In the team's tab in **Settings**, turn on **Enable Single Sign-On**. 2. **Enter your domain**: Type your company's email domain, such as `yourcompany.com`, in the **Single Sign-On Domain** field. When you confirm, Glaze opens the **Verify Domain** dialog so you can prove you own it. 3. **Add the DNS record**: Glaze gives you a value to publish as a DNS TXT record for your domain: ``` glaze-verify= ``` Copy it and add it as a TXT record with your DNS provider. 4. **Verify the domain**: Once the record has propagated, click **Verify Domain**. When it checks out, the domain gets a verified checkmark and SSO goes live. If Glaze can't find the record yet, it asks you to check the TXT record and try again, since DNS changes can take a little while to take effect. ## After Verification From then on, **new sign-ups on that domain join your team automatically** as members the moment they create their account. People who already have Glaze accounts aren't pulled in retroactively, so invite any existing teammates on Glaze using the **Invite** button under the **Members** section. > [!NOTE] > A domain can belong to **only one team**. If another team has already verified it, Glaze won't let you claim it. ## Change or Turn Off SSO - **Changing the domain** clears the previous verification, so you'll get a new token and need to verify the new domain before auto-join works again. - **Turning off Single Sign-On** stops new sign-ups on that domain from joining automatically. **Existing members stay on the team**. > [!WARNING] > This is domain-based auto-join, not SAML or SCIM, and it doesn't change how anyone signs in. Members still use Google, Apple, or an email code as usual. SSO only decides which team they land on. ### Will people who already have accounts get added? No. Auto-join applies to new sign-ups on your verified domain. Invite anyone who already has a Glaze account from the team's **Members** section. ### What role do people get when they join through SSO? They join as a **member**. Change role for anyone who needs to manage the team to admin afterward. See [Members & Roles](/team/members-and-roles). ### Can I use SSO without using DNS? No. Verifying ownership through a DNS TXT record is required, which is why setup is limited to owners and admins who can manage your domain's DNS. If you'd rather not verify a domain, invite people by email instead.