# How Pump handles SSO

Here are the steps to successfully set up SSO:

***

**Before the call (\~5 minutes):**

1. Customer provides Pump with an email address to use for the root user of the delegated administrator account, and the region they would like SSO set up in.
2. Pump provisions an organization with the delegated admin account and SSO enabled in the specified region.
3. Customer logs in to the delegated admin account with the email provided, and completes the ‘forgot my password’ process to set a password.

**On the call with Pump Solutions Architect (30-45 minute call):**

1. While screen-sharing, customer logs into their current management account and runs an export script in IAM Identity Center to download their current users, groups, and permissions.
2. Customer logs into the new, delegated administrator account and runs an import script to upload their users, groups, and permissions into the new organization.
3. If using a third party, customer creates a new application that links to the new IAM Identity Center.
4. Customer tests SSO access.
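
As a complement to the access test in the last step, the sketch below compares a snapshot of users, groups, and permission assignments taken before the export with one taken after the import, and reports anything lost or newly granted. It is an added example, not Pump's export or import script; the snapshot layout, the function names, and the sample data are assumptions made for illustration.

```python
# Added example. The snapshot layout is an assumption, not Pump's export format.
CATEGORIES = ("users", "groups", "memberships", "assignments")

def normalize(snapshot):
    """Reduce a snapshot to name-based sets. Names are compared rather than
    UserId/GroupId values because each identity store issues its own IDs."""
    return {
        "users": {u["UserName"] for u in snapshot["users"]},
        "groups": {g["DisplayName"] for g in snapshot["groups"]},
        "memberships": {(g["DisplayName"], m)
                        for g in snapshot["groups"] for m in g["members"]},
        "assignments": {(a["account_id"], a["permission_set"],
                         a["principal_type"], a["principal"])
                        for a in snapshot["assignments"]},
    }

def diff_migration(old, new):
    """'missing' = only in the old snapshot (access lost in the move);
    'unexpected' = only in the new snapshot (access not granted before)."""
    o, n = normalize(old), normalize(new)
    return {c: {"missing": sorted(o[c] - n[c]),
                "unexpected": sorted(n[c] - o[c])} for c in CATEGORIES}

def has_drift(report):
    """True if any category differs between the two snapshots."""
    return any(d["missing"] or d["unexpected"] for d in report.values())

# Constructed sample snapshots (hypothetical users, groups and account ID).
OLD = {
    "users": [{"UserName": "alice"}, {"UserName": "bob"}],
    "groups": [{"DisplayName": "Admins", "members": ["alice"]},
               {"DisplayName": "Devs", "members": ["bob"]}],
    "assignments": [
        {"account_id": "111111111111", "permission_set": "AdministratorAccess",
         "principal_type": "GROUP", "principal": "Admins"},
        {"account_id": "111111111111", "permission_set": "ReadOnly",
         "principal_type": "GROUP", "principal": "Devs"}],
}
NEW = {
    "users": OLD["users"],
    "groups": [{"DisplayName": "Admins", "members": ["alice", "bob"]},
               {"DisplayName": "Devs", "members": ["bob"]}],
    "assignments": OLD["assignments"][:1],  # the ReadOnly assignment was not imported
}

if __name__ == "__main__":
    for category, delta in diff_migration(OLD, NEW).items():
        print(category, delta)
```

An unexpected membership in a privileged group, as in the constructed `NEW` snapshot, is the result to resolve before users are moved to the new sign-in.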


