Notion provides Single Sign-On (SSO) functionality for enterprise customers to access it through a single authentication source, like Okta. This allows IT administrators to better manage team access and keeps information more secure.
We use SAML (Security Assertion Markup Language), a standard that permits identity managers like Okta to safely pass authorization credentials to service providers like Notion.
These are instructions for setting up Notion SAML SSO with Okta. If you use a different identity provider and need assistance with configuration, please contact our support team.
You can always follow steps on Okta's website here:
Create a new application integration
- Platform: select Web from the dropdown.
- Sign on method: select
Create SAML integration
- App name:
- You can upload the logo in this zip file 👇
- Single sign on URL: found on the Security & SAML tab of Settings & Members in your left-hand sidebar.
- Audience URI:
- Name ID format: select EmailAddress from the dropdown.
- Application username: select
- Update application username on: select Create and Update from the dropdown.
- Attribute statements (our recommended mapping):
  - firstName → user.firstName
  - lastName → user.lastName
  - profilePhoto → user.profilePhoto
Assign users to Notion
On the Assignments tab, you can now assign users to Notion. This is not necessary if you use Notion's Just-in-Time (JIT) provisioning by enabling Automatically Create Accounts on Sign-in.
Email domains & metadata URL
- Navigate to Settings & Members in your sidebar, and select the Security & SAML tab.
- Email Domains: please use the Contact support link in the Security & SAML tab to configure the email domains you want to enable for SAML SSO.
- IDP Metadata URL: enter the URL provided by Okta here:
- Automatically create accounts on sign in: Enable if you want to allow all users who can sign in to automatically be added as paid members to your Notion workspace.
- Enable SAML: If you turn off this setting, team members will not be able to log in with SAML.
- Enforce SAML: Switching this on means users with email addresses on the configured domain can only sign in using SAML SSO. Notion administrators may still log in with email.
My organization uses an identity service provider (IDP) that's not Okta. Will it be supported?
If your IDP provides a SAML metadata URL for dynamic configuration, you can follow the same setup steps as above. Please contact our support team for SAML configuration assistance for other IDPs.
How does Notion SAML SSO handle user provisioning?
Notion offers Just-in-Time (JIT) provisioning if you enable Automatically create accounts on sign in in your SAML SSO settings. Notion does not provide automatic deprovisioning at this time. This means that if you remove a member via your IDP, that user will also need to be removed in Notion via Settings & Members in the left-hand sidebar.
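Because removal in the IDP does not remove the Notion account, a periodic reconciliation of the two member lists catches accounts that were left behind. The following is an added example, not Notion's or Okta's own tooling: the CSV layouts, column names and sample rows are constructed assumptions, and the admin flag assumes Enforce SAML is switched on.

```python
import csv
import io

# Constructed sample data, not real exports; column names are assumptions.
IDP_ASSIGNED_CSV = """email,status
alice@example.com,ACTIVE
Bob@Example.com,ACTIVE
carol@example.com,DEPROVISIONED
"""

NOTION_MEMBERS_CSV = """email,role
alice@example.com,admin
bob@example.com,member
carol@example.com,member
dave@example.com,admin
erin@contractor.example,guest
"""


def _rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def find_stale_members(idp_csv, notion_csv, sso_domains):
    """Return Notion members on an SSO domain with no active IDP assignment."""
    active = {r["email"].strip().lower() for r in _rows(idp_csv)
              if r["status"].strip().upper() == "ACTIVE"}
    stale = []
    for row in _rows(notion_csv):
        email = row["email"].strip().lower()
        domain = email.rpartition("@")[2]
        # Accounts outside the SAML-enabled domains are out of scope here.
        if domain not in sso_domains or email in active:
            continue
        role = row["role"].strip().lower()
        # Administrators may still log in with email when SAML is enforced,
        # so a stale admin account is not gated by the IDP at all.
        stale.append({"email": email, "role": role,
                      "bypasses_enforced_saml": role == "admin"})
    # Review admins first: they are the accounts the IDP cannot block.
    return sorted(stale, key=lambda m: (not m["bypasses_enforced_saml"], m["email"]))


if __name__ == "__main__":
    for member in find_stale_members(IDP_ASSIGNED_CSV, NOTION_MEMBERS_CSV, {"example.com"}):
        print(member)
```

Each reported account still has to be removed by hand in Settings & Members.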
Does enforcing SAML SSO log out users?
No, active user sessions stay logged in until they expire. The next time a user needs to log in, they will need to log in with SAML SSO.
Does Notion SAML SSO support Single Logout?
Not at this time. If Single Logout is important to you, please contact our support team to let us know.
Can I still log in to Notion if my identity provider is out of service?
Yes, even with SAML enforced, Notion administrators have the option to log in with email. Thereafter, an administrator can change the SAML configuration to disable Enforce SAML so users may log in with email again.
What version of SAML does Notion support?
We currently support SAML v2.0.
Something we didn't cover? Message us in the app by clicking ? at the bottom right on desktop (or in your sidebar on mobile). Or email us at email@example.com ✌️