> ## Documentation Index
> Fetch the complete documentation index at: https://lightdash-mintlify-cccf65ca.mintlify.site/llms.txt
> Use this file to discover all available pages before exploring further.

# Verified domains

> Prove ownership of your organization's domains to control SSO routing in Lightdash.

<CardGroup cols={2}>
  <Card title="Cloud Pro" icon="rocket" horizontal />

  <Card title="Cloud Enterprise" icon="rocket" horizontal />
</CardGroup>

<Info>
  Verified domains are part of per-organization SSO settings. Contact the Lightdash team if you don't see the **Verified domains** panel in your settings.
</Info>

## What are verified domains?

A verified domain is a domain your organization has proven it owns by receiving a one-time passcode at an email address on that domain.

Verified domains are the source of truth for **SSO routing**: when a user signs in with an email on a verified domain, Lightdash sends them to the SSO provider you've configured for your organization. Only one organization can hold a verified domain at a time — verification is first-come, first-served.

Use verified domains when you want to:

* Route users on your domain to your organization's SSO provider.
* Restrict an individual SSO method (Google, Okta, Azure AD, OneLogin, Generic OIDC) to a subset of your organization's domains.

<Note>
  Verified domains control **SSO routing only**. They are separate from [allowed email domains](/get-started/setup-lightdash/invite-new-users), which control which users can auto-join your organization.
</Note>

## Verify a domain

You must be an organization admin to verify a domain.

1. In your Lightdash instance, click your initials at the top right and select **Organization settings**.
2. Open the **Verified domains** panel.
3. Click **Add domain**, then select **Email**.
4. Enter an email address on the domain you want to verify (for example, `admin@yourcompany.com`). Public email providers like `gmail.com` or `outlook.com` aren't accepted.
5. Click **Send code**. Lightdash emails a 6-digit one-time passcode to that address.
6. Enter the code before the on-screen timer expires. If the code expires or you exceed the attempt limit, request a new one.

Once verified, the domain appears in the list with a **Verified** badge.

## Remove a verified domain

In the **Verified domains** panel, click **Remove** next to the domain. Removing a verified domain stops Lightdash from routing that domain's users to your SSO providers and frees the domain so another organization can claim it.

<Warning>
  If an SSO method is configured to route only a subset of verified domains (see below), removing the underlying verified domain also removes it from that subset.
</Warning>

## Routing SSO methods to verified domains

Each SSO method in your organization (Google, Okta, Azure AD, OneLogin, Generic OIDC) routes users by email domain.

In the SSO method's settings panel:

* Leave **Override organization domains** off to route **all** of your organization's verified domains to this method. This is the default and works for most setups.
* Turn **Override organization domains** on to restrict this method to a **subset** of your verified domains. You can only select domains that are already verified.

If you don't have any verified domains yet, the override field links you back to the **Verified domains** panel.

## Related resources

* [SSO providers](/references/workspace/sso-providers)
* [Self-hosted SSO configuration](/self-host/customize-deployment/use-sso-login-for-self-hosted-lightdash)
* [Allowing users to auto-join your organization](/get-started/setup-lightdash/invite-new-users)