SAML SSO configuration


Notion provides Single Sign-On (SSO) functionality for enterprise customers to access the app through a single authentication source. This allows IT administrators to better manage team access and keeps information more secure 🔐


Notion’s single sign-on (SSO) services are built on the SAML (Security Assertion Markup Language) 2.0 standard, which lets an identity provider securely pass authentication assertions to service providers like Notion. This connects your Identity Provider (IdP) to your workspace(s) for an easier, more secure login experience.

SSO services permit a user to use one set of credentials (for example, a name or email address and password) to access multiple applications. The service authenticates the end user only once for all the applications the user has been given rights to and eliminates further prompts when the user switches applications during the same session.

Prerequisites for SSO with Notion

  • Your workspace must be on an Enterprise plan

  • Your Identity Provider (IdP) must support the SAML 2.0 standard

  • Only a workspace owner can configure SAML SSO for a Notion workspace.

  • At least one domain has been verified by a Workspace owner.

  • No email domains are included in the “Allowed Email Domain” setting.

Benefits of SSO

  • Streamlines user management across systems for workspace owners.

  • Removes the need for end-users to remember and manage multiple passwords, and simplifies the end-user experience by letting them sign in at one access point and move seamlessly across multiple applications.

Enable SAML SSO for a single workspace

  • Go to Settings & Members, then select the Settings tab.

  • In the Allow Email Domain section, remove all email domains.

  • Then select the Identity & Provisioning tab.

  • Toggle on Enable SAML SSO and the SAML SSO Configuration modal will automatically appear and prompt you to complete the set-up.

  • The SAML SSO Configuration modal is divided into two parts:

    • The Assertion Consumer Service (ACS) URL is to be entered in your Identity Provider (IDP) portal

    • The Identity Provider Details is a field in which either an IDP URL or IDP metadata XML must be provided to Notion.

For more information on where to enter and obtain this information, please refer to our IDP-specific guides below.

Note: Guests are not supported with SAML SSO on Notion.

From the workspace where you have verified your domain and enabled SAML SSO, there is a Linked Workspaces section listing all of the workspaces associated with your SAML SSO configuration.

Users with a verified email address who have access to the primary workspace or one of the linked workspaces will be able to log in via SAML SSO.

To add or remove a workspace from your SAML SSO configuration, please reach out to support at team@makenotion.com.

Enforce SAML SSO

Once you have completed your configuration of SAML SSO for a single workspace, users will be able to log in via SAML SSO in addition to other log-in methods such as username/password and Google Authentication.

  • To ensure users can only log in using SAML SSO and no other method, update the Login method to Only SAML SSO.

  • SAML SSO will only be enforced for users with your verified domain and who have access to the primary workspace or a linked workspace.

  • Guests invited to pages in a Notion workspace cannot use SAML SSO to log in; they will always log in with their email/password or the “Continue with Google/Apple” options.

  • Workspace owners will always have the option to bypass SAML SSO by using their email and password credentials. This is to allow them to access Notion in the event of IdP/SAML failure. They will be able to log in and disable or update their configuration.

Notion supports Just-in-Time provisioning when using SAML SSO. This allows someone signing in via SAML SSO to join the workspace automatically as a member.

To enable Just-in-Time provisioning:

  • In Settings & members -> Settings, make sure your SAML domain is added as an allowed email domain.

  • In Settings & members -> Identity & provisioning, make sure that Automatic account creation is enabled.

Note: Just-in-Time provisioning is not recommended if you are adding guests with the same email domain to pages in your workspace. This will upgrade any guests to members which will impact your billing.

We don’t recommend enabling Just-in-Time provisioning if you are using SCIM. An “allowed email domain” lets any user on that domain join the workspace, so workspace membership could drift out of sync with what your Identity Provider provisions.

These are instructions for setting up Notion SAML SSO with Azure, Google, Okta, and OneLogin. If you use a different Identity Provider and need assistance with configuration, please contact our support team.

Azure

For additional documentation, you can also reference steps on Azure's website here:

Step 1: Create a new application integration

  • Sign in to the Azure portal. On the left navigation pane, select the Azure Active Directory service.

  • Navigate to Enterprise Applications and then select All Applications.

  • To add a new application, select New application.

  • In the Add from the gallery section, type Notion in the search box. Select Notion from results panel and then add the app. Wait a few seconds while the app is added to your tenant.

Step 2: Create SAML Integration

  • In the Azure portal, on the Notion application integration page, find the Manage section and select single sign-on.

  • On the Select a single sign-on method page, select SAML.

Step 3: SAML Settings

  • In Notion, go to the Settings and Members tab, then select the Settings tab

  • In the Allow Email Domain section, remove all email domains.

  • Then select the Identity & Provisioning tab.

  • Verify one or more domains. See instructions for domain verification here →

  • Toggle on Enable SAML SSO and the SAML SSO Configuration modal will automatically appear and prompt you to complete the set-up.

  • The SAML SSO Configuration modal is divided into two parts: the Assertion Consumer Service (ACS) URL, which you enter in your Identity Provider (IDP) portal, and the Identity Provider Details, where you provide Notion with either an IDP URL or the IDP metadata XML.

Step 4: Configure Notion app in Azure Active Directory

  • On the Set up single sign-on with SAML page, click the pencil icon for Basic SAML Configuration to edit the settings.

  • On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode, enter the values for the following fields:

    • In the Identifier (Entity ID) text box, enter the following URL: https://www.notion.so/sso/saml

    • In the Reply URL (Assertion Consumer Service URL) text box, use the ACS URL from Notion, found on the Identity & Provisioning tab of Settings & members in your left-hand sidebar

    • In the Sign on URL text box, enter the following URL: https://www.notion.so/login

  • In the User Attributes & Claims section, ensure the required claims are set as follows:

    • Unique User Identifier (Name ID): user.userprincipalname [nameid-format:emailAddress]

    • firstName: user.givenname

    • lastName: user.surname

    • email: user.mail

  • On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, click the copy button next to the App Federation Metadata Url.

  • Go to your Notion workspace Settings & Members > Identity & Provisioning, and paste the App Federation Metadata Url value you copied into the IDP metadata URL field text box. Make sure the radio button Identity Provider URL is selected
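To confirm that your IdP really sends the NameID format and the firstName, lastName and email attributes listed above, inspect a SAML Response captured from a test login (the base64 SAMLResponse form field of the HTTP-POST binding). The following Python script is an added example, not code from Notion or Microsoft: it decodes the response, reads the NameID and attribute statement, and lists any required attribute that is missing. It is written against the SAML 2.0 namespaces, so it works on responses from any IdP, not only Azure. The embedded response is constructed for illustration (its email attribute is deliberately omitted so the check has something to report), and the script performs no signature verification, so it is a debugging aid for your own test logins only.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
REQUIRED_ATTRIBUTES = ("firstName", "lastName", "email")  # the claims listed on the page
OPTIONAL_ATTRIBUTES = ("profilePhoto",)                    # optional custom attribute (image URL)

# Constructed sample SAML Response, not a real capture. Issuer and IDs are placeholders.
# The "email" attribute is left out on purpose so the inspection reports it.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.test/saml</saml:Issuer>
  <saml:Assertion ID="_assert1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.test/saml</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.test</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="firstName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="lastName"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""


def decode_saml_response(form_value: str) -> str:
    """Decode the base64 SAMLResponse form field of an HTTP-POST binding into XML text."""
    return base64.b64decode(form_value).decode("utf-8")


def inspect_assertion(xml_text: str) -> dict:
    """Report what the service provider would read from a decoded SAML Response.

    Debugging aid only: the XML signature is NOT verified here, so never use this
    output for a trust decision, only to check a test login's attribute mapping.
    """
    root = ET.fromstring(xml_text)
    assertion = root if root.tag == f"{{{NS['saml']}}}Assertion" else root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no plaintext saml:Assertion found (EncryptedAssertion is not handled)")

    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("assertion carries no NameID")
    subject = name_id.text.strip()
    fmt = name_id.get("Format", "")

    # Map attribute Name -> value (a list if the IdP sent several values).
    attributes = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attributes[attr.get("Name")] = values[0] if len(values) == 1 else values

    problems = []
    if fmt != EMAIL_FORMAT:
        problems.append(f"NameID Format is {fmt or '(absent)'}; expected {EMAIL_FORMAT}")
    if "@" not in subject:
        problems.append("NameID value does not look like an email address")
    missing = [n for n in REQUIRED_ATTRIBUTES if n not in attributes]
    problems.extend(f"required attribute {n!r} is absent" for n in missing)
    email = attributes.get("email")
    if isinstance(email, str) and email.lower() != subject.lower():
        # With Azure, NameID comes from userprincipalname and email from mail; they can differ.
        problems.append("email attribute differs from NameID (UPN vs. mail attribute?)")
    for n in OPTIONAL_ATTRIBUTES:
        value = attributes.get(n)
        if isinstance(value, str) and value and not value.startswith("https://"):
            problems.append(f"{n} should be an https image URL, got {value!r}")

    issuer = assertion.find("saml:Issuer", NS)
    return {
        "issuer": (issuer.text or "").strip() if issuer is not None else "",
        "name_id": subject,
        "name_id_format": fmt,
        "attributes": attributes,
        "missing": missing,
        "problems": problems,
    }


if __name__ == "__main__":
    report = inspect_assertion(SAMPLE_RESPONSE)
    print(f"issuer: {report['issuer']}")
    print(f"NameID: {report['name_id']} ({report['name_id_format']})")
    for name, value in report["attributes"].items():
        print(f"  {name} = {value}")
    for problem in report["problems"]:
        print("PROBLEM:", problem)
```

Run it on a real capture with `inspect_assertion(decode_saml_response(form_value))`. Because this parses with the standard library, feed it only responses from your own test logins; for XML of unknown origin use a hardened parser such as defusedxml.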

Step 5: Assign users to Notion

  • In the Azure portal, select Enterprise Applications, and then select All applications. In the applications list, select Notion.

  • In the app's overview page, find the Manage section and select Users and groups.

  • Select Add user, then select Users and groups in the Add Assignment dialog.

  • In the Users and groups dialog, select from the Users list, then click the Select button at the bottom of the screen.

  • If you are expecting a role to be assigned to the users, you can select it from the Select a role dropdown. If no role has been set up for this app, you see "Default Access" role selected.

  • In the Add Assignment dialog, click the Assign button.


Google

For additional documentation, you can also reference steps on Google's website here:

Step 1: Create a new application integration

  • Sign in to your Admin console at https://admin.google.com/. Make sure you're using an account with super administrator privileges!

  • From the Admin console Home page, go to Apps > Web and mobile apps.

  • Click Add App > Add private SAML app.

  • On the App Details page, enter the name of the custom app.

  • Click Continue.

  • In the Google Identity Provider details page, download the IdP metadata. Open the downloaded GoogleIDPMetadata.xml file and copy its contents.

Step 2: Configure SAML Settings in Notion

  • In Notion, go to the Settings and Members tab, then select the Settings tab

  • In the Allow Email Domain section, remove all email domains.

  • Then select the Identity & Provisioning tab.

  • Verify one or more domains. See instructions for domain verification here→ Verify a domain for your workspace

  • Toggle on Enable SAML SSO and the SAML SSO Configuration modal will automatically appear and prompt you to complete the set-up.

  • The SAML SSO Configuration modal is divided into two parts: the Assertion Consumer Service (ACS) URL, which you enter in your Identity Provider (IDP) portal, and the Identity Provider Details, where you provide Notion with either an IDP URL or the IDP metadata XML.

  • Paste the copied contents from the GoogleIDPMetadata.xml file downloaded in Step 1 above into the IDP metadata XML text box.

  • Copy the Assertion Consumer Service (ACS) URL, and click Enable SAML.

Step 3: Configure SAML Settings in Google Workspace

  • In the Google Workspace Admin Console, click Continue.

  • In the Service Provider Details page, enter the Assertion Consumer Service (ACS) URL copied from Notion in Step 2 above and enter https://www.notion.so/sso/saml in the Entity ID text box.

  • In the Name ID format dropdown, select EMAIL.

  • In the Name ID dropdown, select Basic Information > Primary email

  • Click Continue to the App Attributes page where you can map additional attributes or configure group memberships as optional steps.

  • Click Finish to complete the setup.


Okta

For additional documentation, you can also reference steps on Okta's website here:

Step 1: Add the Notion app from Okta's application directory

  • Log in to Okta as an administrator, and go to the Okta Admin console

  • Go to the Application tab, select Browse App Catalog and search for "Notion" in the Okta app catalog.

  • Select the Notion app and click Add integration.

  • In the General Settings view, review the settings and click Next.

  • In the Sign-on Options view, select the SAML 2.0 option.

  • Above the Advanced Sign-on Settings section, click Identity Provider metadata. This opens a new browser tab; copy that tab's URL.

Step 2: Configure SAML settings in Notion

  • In Notion, go to the Settings and Members tab, then select the Settings tab

  • In the Allow Email Domain section, remove all email domains.

  • Then select the Identity & Provisioning tab.

  • Verify one or more domains. See instructions for domain verification here→ Verify a domain for your workspace

  • Toggle on Enable SAML SSO and the SAML SSO Configuration modal will automatically appear and prompt you to complete the set-up.

  • The SAML SSO Configuration modal is divided into two parts: the Assertion Consumer Service (ACS) URL, which you enter in your Identity Provider (IDP) portal, and the Identity Provider Details, where you provide Notion with either an IDP URL or the IDP metadata XML.

    • Choose the Identity Provider URL, and paste the Identity Provider metadata URL you copied in Step 1. Click Save changes.

  • In the Identity & Provisioning tab, scroll down and copy the Workspace ID identifier

  • In Okta Admin console > Advanced Sign-on Settings section, paste the Workspace ID in the Organization ID text box

  • In Credentials details, select Email from Application username format dropdown, and click Done.

Step 3: Assign users and groups to Notion

  • In Okta > Assignments tab, you can now assign users and groups to Notion.


OneLogin

For additional documentation, you can also reference steps on OneLogin’s website here:

Step 1: Create new application integration

  • If you have not already configured provisioning, go to Administration → Applications → Applications, then click the Add App button, search for Notion in the search box, and select the SAML 2.0 version of Notion.

  • Click Save.

Step 2: Create SAML integration

  • If you already added the Notion app connector (for example, when configuring provisioning), navigate to Applications → Applications and select it.

  • Navigate to the SSO tab and copy the Issuer URL value. Paste it somewhere to be retrieved later.

Step 3: SAML settings

  • In Notion, go to the Settings and Members tab, then select the Settings tab

  • In the Allow Email Domain section, remove all email domains.

  • Then select the Identity & Provisioning tab.

  • Verify one or more domains. See instructions for domain verification here → Verify a domain for your workspace

  • Toggle on Enable SAML SSO and the SAML SSO Configuration modal will automatically appear and prompt you to complete the set-up.

  • The SAML SSO Configuration modal is divided into two parts: the Assertion Consumer Service (ACS) URL, which you enter in your Identity Provider (IDP) portal, and the Identity Provider Details, where you provide Notion with either an IDP URL or the IDP metadata XML.

Step 4: Configure Notion app in OneLogin

  • Copy Assertion Consumer Service (ACS) URL from Notion

  • Go back to the OneLogin Administration UI

  • Navigate to the Configuration tab of the Notion app connector you just added to your OneLogin account

  • Paste the Assertion Consumer Service (ACS) URL from Notion into the Consumer URL textbox

  • Click Save

  • Go back to the Notion Edit SAML SSO configuration settings

  • Paste the Issuer URL you copied from the SSO tab in OneLogin into the Identity Provider URL text box. Make sure the Identity Provider URL radio button is selected

If you encounter errors when setting up SAML SSO, check that your IDP's metadata, SAML requests and SAML responses are well-formed XML that validates against the SAML XSD schemas. You can do so using this online tool: https://www.samltool.com/validate_xml.php

Note that we do not support the EntitiesDescriptor element. If your IDP's metadata contains this element, extract the contained EntityDescriptor element and try again.
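As an added example (not Notion's tooling and not code from this page), the Python script below performs the pre-flight check described above on an IdP metadata file: it parses the XML, unwraps a single EntityDescriptor from an EntitiesDescriptor wrapper so you have something Notion will accept, and reports the entity ID, SingleSignOnService endpoints, signing certificate count and advertised NameID formats, flagging anything that would make the metadata unusable. The metadata embedded in it is constructed; the entity ID, endpoint and certificate text are placeholders. It complements, rather than replaces, the XSD validation recommended above.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# Keep the conventional prefixes when the extracted element is re-serialised.
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample: IdP metadata wrapped in the EntitiesDescriptor element that
# Notion does not accept. Entity ID, endpoint and certificate text are placeholders.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <md:EntityDescriptor entityID="https://idp.example.test/saml">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing">
        <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIB...PLACEHOLDER-CERT...</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      </md:KeyDescriptor>
      <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.example.test/saml/sso"/>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://idp.example.test/saml/sso"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def unwrap_entity_descriptor(xml_text: str) -> ET.Element:
    """Return the single EntityDescriptor, stripping an EntitiesDescriptor wrapper if present."""
    root = ET.fromstring(xml_text)
    if root.tag == f"{{{NS['md']}}}EntityDescriptor":
        return root
    if root.tag == f"{{{NS['md']}}}EntitiesDescriptor":
        found = root.findall("md:EntityDescriptor", NS)
        if len(found) != 1:
            raise ValueError(f"expected exactly one EntityDescriptor, found {len(found)}")
        return found[0]
    raise ValueError(f"not SAML metadata: root element is {root.tag}")


def extract_entity_descriptor_xml(xml_text: str) -> str:
    """Serialise just the EntityDescriptor, ready to paste into the IDP metadata XML field."""
    return ET.tostring(unwrap_entity_descriptor(xml_text), encoding="unicode")


def summarize_idp(xml_text: str) -> dict:
    """Pull out what the service provider needs and flag anything that would break login."""
    entity = unwrap_entity_descriptor(xml_text)
    idp = entity.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata contains no IDPSSODescriptor (is this SP metadata?)")

    # A KeyDescriptor without a "use" attribute is valid for signing as well as encryption.
    signing_certs = [
        (cert.text or "").strip()
        for kd in idp.findall("md:KeyDescriptor", NS)
        if kd.get("use", "signing") == "signing"
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    ]
    sso_endpoints = {
        svc.get("Binding", "").rsplit(":", 1)[-1]: svc.get("Location", "")
        for svc in idp.findall("md:SingleSignOnService", NS)
    }
    name_id_formats = [(n.text or "").strip() for n in idp.findall("md:NameIDFormat", NS)]

    problems = []
    if not any(signing_certs):
        problems.append("no signing certificate: responses from this IdP cannot be verified")
    if not any(b in sso_endpoints for b in ("HTTP-POST", "HTTP-Redirect")):
        problems.append("no HTTP-POST or HTTP-Redirect SingleSignOnService endpoint")
    for binding, location in sso_endpoints.items():
        if not location.startswith("https://"):
            problems.append(f"{binding} endpoint is not https: {location!r}")
    # Advisory: NameIDFormat is optional in metadata, but if formats are listed the
    # emailAddress format should be among them, since users are matched by email.
    if name_id_formats and EMAIL_FORMAT not in name_id_formats:
        problems.append("emailAddress NameID format not advertised")

    return {
        "entity_id": entity.get("entityID"),
        "sso_endpoints": sso_endpoints,
        "signing_certs": len(signing_certs),
        "name_id_formats": name_id_formats,
        "problems": problems,
    }


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_METADATA
    for key, value in summarize_idp(text).items():
        print(f"{key}: {value}")
    if "EntitiesDescriptor" in text:
        print("\nUnwrapped EntityDescriptor to paste:\n" + extract_entity_descriptor_xml(text))
```

Run it as `python check_idp_metadata.py GoogleIDPMetadata.xml` (or any metadata file your IdP exported); with no argument it runs on the constructed sample. If the file was wrapped, the script prints the bare EntityDescriptor, which is what to paste into the IDP metadata XML field.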


FAQs

Why is the Enable SAML SSO toggle greyed out?

Why can’t I edit the SAML SSO settings?

The most common reason is that you are trying to modify the verified domains or SSO configuration from a linked workspace which is a workspace that is already associated with another SSO configuration.

In linked workspaces, all domain management and SSO configuration settings are read-only. To modify the SSO configuration or remove this workspace from the SSO configuration, you must have access to the primary workspace. The name of the primary workspace can be found at the top of the Identity & Provisioning settings tab.

Why do I need to verify a domain to enable SSO?

We ask that the email domain ownership is validated to ensure that only the owner of the domain can customize how their users log into Notion.

Having trouble setting up SSO? Here are some common issues:

  • Try using a URL instead of an XML.

  • We recommend testing the setup process with a test account before enforcing it for users.

  • If neither of these options help, reach out to support at

Why should I remove email domains from the “Allowed Email Domains” setting before configuring SAML SSO for my workspace?

The “Allowed Email Domain” setting allows users with the selected domains to access your workspace without being provisioned via your IdP. To ensure that only users provisioned via your IdP can access your SAML-enabled workspace, disable this feature by removing all domains from the “Allowed Email Domain” list.

Can I still log in to Notion if my identity provider is out of service?

Yes, even with SAML enforced, Workspace owners have the option to log in with email. Thereafter, a Workspace owner can change the SAML configuration to disable Enforce SAML so users may log in with email again.

Are profile photos transmitted to Notion from the IDP?

Yes, profilePhoto is an optional custom attribute. You may assign this attribute to a corresponding attribute in your IDP, provided the attribute contains the URL to an image. If the profilePhoto field is set, this image will replace the avatar in Notion when the user signs in using SAML SSO.

How do I allow admins of other workspaces in my SAML configuration to create new workspaces?

Only the admins of your primary workspace will be able to create new workspaces using your verified domain(s). Please reach out to our support team (team@makenotion.com) to switch your primary SAML workspace to another linked workspace in your SAML configuration.
