SAML SSO configuration


Notion provides Single Sign-On (SSO) functionality for enterprise customers to access the app through a single authentication source. This allows IT administrators to better manage team access and keeps information more secure 🔐


We use SAML (Security Assertion Markup Language), a standard that permits identity managers to safely pass authorization credentials to service providers like Notion.

Note: SAML SSO is only available for workspaces on Notion's Enterprise Plan. Contact sales to learn more →

  • Navigate to Settings & Members in your sidebar, and select the Security & identity tab. Scroll down to the SAML single sign-on section.

  • Email domains: Configure the email domains you want to enable for SAML SSO. Detailed instructions below.

  • Single sign-on URL: Copy this to use when setting up your Identity Provider (IDP).

  • IDP metadata URL/XML: enter the URL or XML provided by your Identity Provider (IDP) here.

You can configure your email domains for SAML SSO by first verifying that you own the domains. You must have at least one verified domain in order to enable SAML SSO with Notion.

You must verify a domain within 1 week of adding the domain. After a week, the verification code expires and the domain needs to be re-added in the UI.

Step 1: Add a new domain

  • Within the SAML single sign-on section, click the Add domain button.

  • Type in the domain that you wish to verify and click the Next button.

Note: We don’t support verifying subdomains for SAML SSO.

Step 2: Verify your domain

  • Follow the instructions for how to verify your domain with Notion:

    1. Navigate to the DNS record section of your domain host.

    2. Create a new TXT record and paste in the code above as the value.

    3. Typically, this change takes only minutes to occur. However, there are cases where it may take up to 72 hours for the DNS record to propagate.

    4. Click Verify to notify Notion to check your DNS record.

    5. After successfully verifying your domain, you can remove the TXT record from your domain.

  • Once you’ve successfully verified the domain, you’ll receive a message telling you that it was verified.

  • Once you enable SAML, anyone using an email address with the email domain you’ve verified will be able to log in using SAML SSO.

These are instructions for setting up Notion SAML SSO with Azure, Google, and Okta. If you use a different Identity Provider and need assistance with configuration, please contact our support team.

Azure

For additional documentation, you can also reference steps on Azure's website here:

Step 1: Create a new application integration

  • Sign in to the Azure portal. On the left navigation pane, select the Azure Active Directory service.

  • Navigate to Enterprise Applications and then select All Applications.

  • To add a new application, select New application.

  • In the Add from the gallery section, type Notion in the search box. Select Notion from the results panel and then add the app. Wait a few seconds while the app is added to your tenant.

Step 2: Create SAML Integration

  • In the Azure portal, on the Notion application integration page, find the Manage section and select single sign-on.

  • On the Select a single sign-on method page, select SAML.

Step 3: SAML Settings

  • On the Set up single sign-on with SAML page, click the pencil icon for Basic SAML Configuration to edit the settings.

  • In the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode, enter the values for the following fields:

    • In the Reply URL text box, use the SSO URL from Notion, found on the Security & identity tab of Settings & members in your left-hand sidebar.

  • Click Set additional URLs and perform the following step if you wish to configure the application in SP initiated mode:

    • In the Sign-on URL text box, enter the following URL: https://www.notion.so/login

  • In the User Attributes & Claims section, set the following User Attributes to their corresponding source attribute:

    • Name: Source Attribute

    • email: user.mail

    • firstName: user.givenname

    • lastName: user.surname

  • On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, click the copy button to copy the App Federation Metadata Url.

  • Go to your Notion workspace Settings & Members > Security & identity, and paste the value you copied into the IDP metadata URL field.

Step 4: Assign users to Notion

  • In the Azure portal, select Enterprise Applications, and then select All applications. In the applications list, select Notion.

  • In the app's overview page, find the Manage section and select Users and groups.

  • Select Add user, then select Users and groups in the Add Assignment dialog.

  • In the Users and groups dialog, select from the Users list, then click the Select button at the bottom of the screen.

  • If you are expecting a role to be assigned to the users, you can select it from the Select a role dropdown. If no role has been set up for this app, you will see the "Default Access" role selected.

  • In the Add Assignment dialog, click the Assign button.


Google

For additional documentation, you can also reference steps on Google's website here:

Step 1: Create a new application integration

  • Sign in to your Admin console at https://admin.google.com/. Make sure you're using an account with super administrator privileges!

  • From the Admin console Home page, go to Apps > Web and mobile apps.

  • Click Add App > Add private SAML app.

  • On the App Details page, enter the name of the custom app.

  • Click Continue.

Step 2: Create SAML Integration

  • On the Google Identity Provider details page, copy the link to IDP metadata and enter it in Notion in the field IDP metadata URL.

    • Alternatively, download the IDP metadata and copy the contents of this file into the IDP metadata XML field in Notion.

  • Click Continue.

Step 3: SAML Settings

  • In the Service Provider Details window, enter the ACS URL and Entity ID for your Notion app.

    • For the ACS URL, use the Single Sign-On URL found on the Security & identity tab of Settings & members in your left-hand sidebar.

    • For the Entity ID, use https://www.notion.so/sso/saml

  • The default Name ID is the primary email.

  • Click Continue to add App Attributes.

    • On the Attribute mapping page, click Add another mapping to map additional attributes.


Okta

For additional documentation, you can also reference steps on Okta's website here:

Step 1: Add the Notion app from Okta's application directory

  • Log in to Okta as an administrator, go to the Okta Admin console, and select Classic UI from the dropdown in the top menu bar.

  • Go to Application > Add Application and search for "Notion" in the Okta app directory.

  • Select the Notion app and click Add.

Step 2: Configure the Notion Application

  • Review general settings (it's unlikely you'll need to change these) and click Next.

  • Select SAML 2.0

  • Optional: Click View Setup Instructions for Okta's version of this documentation.

  • Fill in the Organization ID.

    • Go to the Security & identity tab of Settings & members in your left-hand sidebar.

    • Copy the last part of the Single Sign-On URL; it is a set of alphanumeric characters with dashes in the form xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx. Enter that as the Organization ID. Do not copy the entire URL.

    • Paste the xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx ID you copied into the Organization ID field in Okta.

    • Click Done.

Step 3: Assign users and groups to Notion

  • In Okta's Assignments tab, you can now assign users and groups to Notion.


Once you've configured SAML SSO for Notion and your IDP, you can further customize the following settings:

  • Automatically create accounts on sign in: Enable if you want to allow all users who can sign in to automatically be added as paid members to your Notion workspace.

    • Make sure your SAML email domains are also listed in Allowed email domains under Settings.

  • Enable SAML: Turning on this setting will allow users with configured domains to log in with SAML SSO. They will still be able to log in with other methods as well.

  • Enforce SAML: Switching this on means users with email addresses on the configured domain can only sign in using SAML SSO. Notion administrators may still log in with email.

If you encounter errors when setting up SAML SSO, check to make sure your IDP's metadata, SAML requests and responses are valid XML against the SAML XSD schemas. You can do so using this online tool: https://www.samltool.com/validate_xml.php

Note that we do not support the EntitiesDescriptor element. If your IDP's metadata contains this element, extract the contained EntityDescriptor element and try again.
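A pre-flight check for the IDP metadata XML field, added here as an example and not Notion's own code: it parses the metadata, unwraps an EntitiesDescriptor (which Notion does not accept) to the contained EntityDescriptor, and confirms the SSO endpoint and signing certificate are present before you paste it. The metadata in the block is a constructed sample; the entityID, URLs and certificate value are placeholders.

```python
# Added example (not Notion's code); the metadata below is a constructed sample.
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD_NS, "ds": DS_NS}
ET.register_namespace("md", MD_NS)  # keep md:/ds: prefixes when re-serialising
ET.register_namespace("ds", DS_NS)

# Constructed sample: an EntitiesDescriptor wrapping one IdP descriptor.
SAMPLE_METADATA = f"""<md:EntitiesDescriptor xmlns:md="{MD_NS}" xmlns:ds="{DS_NS}">
  <md:EntityDescriptor entityID="https://idp.example.test/saml">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIB...CERT-PLACEHOLDER...</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.test/sso"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def unwrap_entity_descriptor(xml_text: str) -> ET.Element:
    """Return the EntityDescriptor, unwrapping an EntitiesDescriptor if present."""
    root = ET.fromstring(xml_text)
    if root.tag == f"{{{MD_NS}}}EntityDescriptor":
        return root
    if root.tag == f"{{{MD_NS}}}EntitiesDescriptor":
        inner = root.findall("md:EntityDescriptor", NS)
        if len(inner) != 1:  # the Notion field describes a single IdP
            raise ValueError(f"expected exactly one EntityDescriptor, found {len(inner)}")
        return inner[0]
    raise ValueError(f"unexpected root element {root.tag}")


def check_idp_metadata(xml_text: str) -> dict:
    """Unwrap the metadata and pull out what the IDP metadata XML field needs."""
    entity = unwrap_entity_descriptor(xml_text)
    idp = entity.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    sso = idp.findall("md:SingleSignOnService", NS)
    certs = idp.findall("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if not sso or not certs:
        raise ValueError("IdP descriptor lacks an SSO endpoint or a signing certificate")
    return {
        "entity_id": entity.get("entityID"),
        "sso_urls": {s.get("Binding"): s.get("Location") for s in sso},
        "entity_descriptor_xml": ET.tostring(entity, encoding="unicode"),  # paste this
    }
```

Run the XSD validation from the linked tool on the returned `entity_descriptor_xml` as well; this check only confirms structure, not schema validity or the certificate itself.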


FAQs

Why is the current Enable SAML SSO greyed out?

The most common reason is that you have not yet verified ownership of a domain. If this is the case, you will notice that you either don’t have any domains listed in the verify email domain section or the domain is pending verification.

For next steps, refer to our instructions on how to complete domain verification here →

Why can’t I edit the SAML SSO settings?

The most common reason is that you are trying to modify the verified domains or SSO configuration from a linked workspace which is a workspace that is already associated with another SSO configuration.

In linked workspaces, all domain management and SSO configuration settings are read-only. To modify the SSO configuration or remove this workspace from the SSO configuration, you must have access to the primary workspace. The name of the primary workspace can be found at the top of the Identity & Provisioning settings tab.

Does enforcing SAML SSO log out users?

No, active user sessions stay logged in until they expire. The next time a user needs to log in, they will need to log in with SAML SSO.

Does Notion SAML SSO support Single Logout?

Not at this time. If Single Logout is important to you, please contact our support team to let us know.

Can I still log in to Notion if my identity provider is out of service?

Yes, even with SAML enforced, Notion administrators have the option to log in with email. Thereafter, an administrator can change the SAML configuration to disable Enforce SAML so users may log in with email again.

Are profile photos transmitted to Notion from the IDP?

Yes, profilePhoto is an optional custom attribute. You may assign this attribute to a corresponding attribute in your IDP, provided the attribute contains the URL to an image. If the profilePhoto field is set, this image will replace the avatar in Notion when the user signs in using SAML SSO.
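An added example, not Notion's own code, that serves both the attribute mapping in the Azure steps (email, firstName, lastName) and the optional profilePhoto attribute above: given an assertion captured from your IDP during testing, it checks those attributes are present, that the email is on a verified SAML domain, and that profilePhoto, when set, is a URL. The assertion is a constructed, unsigned sample; the NameID-equals-email check and the https requirement are assumptions of this example rather than documented Notion behaviour.

```python
# Added example (not Notion's code); the assertion below is a constructed sample.
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
REQUIRED = ("email", "firstName", "lastName")  # the Azure mapping names on this page

# Constructed, unsigned sample assertion fragment for illustration only.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">ada@example.test</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>ada@example.test</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="profilePhoto"><saml:AttributeValue>https://photos.example.test/ada.png</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def check_assertion_attributes(assertion_xml: str, verified_domains: set) -> dict:
    """Return the attributes Notion would use, raising ValueError on a bad mapping."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        attrs[attr.get("Name")] = (value.text or "").strip() if value is not None else ""
    missing = [name for name in REQUIRED if not attrs.get(name)]
    if missing:
        raise ValueError(f"assertion is missing required attributes: {missing}")
    # Consistency check assumed by this example: NameID is the same primary email.
    name_id = root.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    if name_id.lower() != attrs["email"].lower():
        raise ValueError(f"NameID {name_id!r} does not match email attribute {attrs['email']!r}")
    # Only users whose email domain is verified for SAML can sign in with SSO.
    domain = attrs["email"].rsplit("@", 1)[-1].lower()
    if domain not in verified_domains:
        raise ValueError(f"{domain} is not a verified SAML email domain")
    result = {name: attrs[name] for name in REQUIRED}
    photo = attrs.get("profilePhoto", "")
    if photo:  # optional custom attribute: a URL to an image (https assumed here)
        if not photo.lower().startswith("https://"):
            raise ValueError("profilePhoto must be an https URL")
        result["profilePhoto"] = photo
    return result
```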
