SAML SSO configuration

Alicia Liu
Aug 13 '19 · 3 min read
Notion provides Single Sign-On (SSO) functionality for enterprise customers to access it through a single authentication source, like Okta. This allows IT administrators to better manage team access and keeps information more secure.
We use SAML (Security Assertion Markup Language), a standard that permits identity managers like Okta to safely pass authorization credentials to service providers like Notion.
👉 Note: SAML SSO is only available for workspaces on Notion's Enterprise Plan.

Okta setup

These are instructions for setting up Notion SAML SSO with Okta. If you use a different identity provider and need assistance with configuration, please contact our support team.
You can always follow steps on Okta's website here:

Create a new application integration

  • Platform: select Web from the dropdown.
  • Sign on method: select SAML 2.0.

Create SAML integration

SAML settings

  • Single sign on URL: found on the Security & SAML tab of Settings & Members in your left-hand sidebar.
  • Audience URI: https://www.notion.so/sso/saml
  • Name ID format: select EmailAddress from the dropdown.
  • Application username: select Email from the dropdown.
  • Update application username on: select Create and Update from the dropdown.
  • Attribute statements (our recommended mapping):
    • firstName → user.firstName
    • lastName → user.lastName
    • profilePhoto → user.profilePhoto
👉 Note: profilePhoto is an optional custom field. Don't assign the attribute if you don't have a profile photo or user avatar field in Okta. Blank profile photo fields in Okta will not override a set avatar in Notion.
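The settings above describe what a correct assertion from Okta should contain: a NameID in EmailAddress format, an Audience equal to Notion's Audience URI, and the recommended attribute statements. The following script is an added example (not Notion's or Okta's code) that checks a SAML assertion against those settings and applies the blank-profilePhoto rule by skipping the attribute when it is empty. The embedded assertion is constructed for illustration and is not a real Okta response; the Issuer value is a placeholder. The check covers only the assertion content, not its XML signature, which the service provider validates separately.

```python
import xml.etree.ElementTree as ET

# Values from the page: Notion's Audience URI and the recommended attribute mapping.
NOTION_AUDIENCE = "https://www.notion.so/sso/saml"
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
REQUIRED_ATTRS = ("firstName", "lastName")
OPTIONAL_ATTRS = ("profilePhoto",)

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not a real Okta response). The Issuer is a placeholder.
# It carries first/last name and a blank profilePhoto, which must not override an avatar.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" Version="2.0" IssueInstant="2019-08-13T00:00:00Z">
  <saml:Issuer>http://www.okta.com/PLACEHOLDER-ISSUER</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>https://www.notion.so/sso/saml</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue>Liu</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="profilePhoto"><saml:AttributeValue></saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_assertion(xml_text):
    """Return (problems, attrs).

    problems: list of mismatches against the Notion/Okta settings on this page.
    attrs: attribute name -> value, with blank optional attributes left out.
    """
    root = ET.fromstring(xml_text)
    problems = []

    # NameID must be in EmailAddress format and hold an email address.
    nameid = root.find("saml:Subject/saml:NameID", NS)
    if nameid is None:
        problems.append("missing NameID")
    else:
        if nameid.get("Format") != NAMEID_EMAIL:
            problems.append(f"NameID format is {nameid.get('Format')!r}, expected EmailAddress")
        if "@" not in (nameid.text or ""):
            problems.append("NameID is not an email address")

    # The assertion must be addressed to Notion's Audience URI.
    audiences = [a.text for a in root.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if NOTION_AUDIENCE not in audiences:
        problems.append(f"Audience {audiences!r} does not include {NOTION_AUDIENCE}")

    # Collect attribute statements; a blank optional field is skipped so that
    # an avatar already set in Notion is not overridden.
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        text = (value.text or "").strip() if value is not None else ""
        name = attr.get("Name")
        if name in OPTIONAL_ATTRS and not text:
            continue
        attrs[name] = text
    for name in REQUIRED_ATTRS:
        if name not in attrs:
            problems.append(f"missing attribute statement {name}")
    return problems, attrs


if __name__ == "__main__":
    found, mapped = check_assertion(SAMPLE_ASSERTION)
    print("problems:", found or "none")
    print("attributes:", mapped)
```

Running it against the sample prints no problems and the two name attributes; pointing the Audience at any other URL or changing the NameID format produces a mismatch entry, which is the usual symptom of a mistyped SAML setting in the Okta application.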

Assign users to Notion

In Okta's Assignments tab, you can now assign users to Notion. This is not necessary if you use Notion's Just-in-Time (JIT) provisioning by enabling Automatically Create Accounts on Sign-in.

Notion setup

Email domains & metadata URL

  • Navigate to Settings & Members in your sidebar, and select the Security & SAML tab. You should see this:
  • Email Domains: please use the Contact support link in the Security & SAML tab to configure the email domains you want to enable for SAML SSO.
  • IDP Metadata URL: enter the URL provided by Okta here:

Other settings

  • Automatically create accounts on sign in: Enable if you want to allow all users who can sign in to automatically be added as paid members to your Notion workspace.
  • Enable SAML: If you turn off this setting, team members will not be able to log in with SAML.
  • Enforce SAML: Switching this on means users with email addresses on the configured domain can only sign in using SAML SSO. Notion administrators may still log in with email.
👉 Note: Before enforcing SAML, we recommend notifying your organization that this will be the only way to sign in going forward, and that they should change their email address on any Notion workspaces not affiliated with your organization to a personal email. If they lose access to Notion through SAML, they will also lose access to all workspaces that use their organization email.

FAQs

  • My organization uses an identity service provider (IDP) that's not Okta. Will it be supported?
    If your IDP provides a SAML metadata URL for dynamic configuration, you can follow the same setup steps as above. Please contact our support team for SAML configuration assistance for other IDPs.
  • How does Notion SAML SSO handle user provisioning?
    Notion offers Just-in-Time (JIT) provisioning if you enable the Automatically create accounts on sign in setting in your SAML SSO settings.
    Notion does not provide automatic deprovisioning at this time. This means that if you remove a member via your IDP, that user will also need to be removed in Notion via the Members tab of Settings & Members in the left-hand sidebar.
  • Does enforcing SAML SSO log out users?
    No, active user sessions stay logged in until they expire. The next time a user needs to log in, they will need to log in with SAML SSO.
  • Does Notion SAML SSO support Single Logout?
    Not at this time. If Single Logout is important to you, please contact our support team to let us know.
  • Can I still log in to Notion if my identity provider is out of service?
    Yes, even with SAML enforced, Notion administrators have the option to log in with email. Thereafter, an administrator can change the SAML configuration to disable Enforce SAML so users may log in with email again.
  • What version of SAML does Notion support?
    We currently support SAML v2.0.
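Because Notion does not deprovision automatically, and because administrators keep an email sign-in path even with Enforce SAML on, two lists are worth producing on a schedule: members on a SAML domain who are no longer active in the IdP (to remove by hand in the Members tab), and administrators on a SAML domain (whose email login path should be reviewed). The script below is an added example, not Notion's or Okta's tooling; it assumes two CSV exports whose columns (email, status, role) are constructed for illustration, and a set of SAML domains matching what support configured for the workspace.

```python
import csv
import io

# Constructed sample exports (not real data). Column names are assumptions
# about how an IdP assignment list and a Notion member list might be exported.
IDP_ASSIGNED_USERS = """email,status
alice@example.com,ACTIVE
bob@example.com,ACTIVE
carol@example.com,DEPROVISIONED
"""

NOTION_MEMBERS = """email,role
alice@example.com,admin
bob@example.com,member
carol@example.com,member
dave@example.com,member
eve@personal-mail.test,guest
"""

# Email domains configured for SAML SSO through Notion support (constructed value).
SAML_DOMAINS = {"example.com"}


def domain_of(email):
    """Lower-cased domain part of an email address."""
    return email.rsplit("@", 1)[-1].lower()


def reconcile(idp_csv, notion_csv, saml_domains):
    """Compare IdP assignments with Notion membership.

    Returns a dict with:
      remove: members on a SAML domain who are not ACTIVE in the IdP
              (Notion has no automatic deprovisioning, so these need manual removal)
      admins: administrators on a SAML domain, who can still sign in with
              email even when Enforce SAML is on
    """
    active = {
        row["email"].strip().lower()
        for row in csv.DictReader(io.StringIO(idp_csv))
        if row["status"].strip().upper() == "ACTIVE"
    }
    remove, admins = [], []
    for row in csv.DictReader(io.StringIO(notion_csv)):
        email = row["email"].strip().lower()
        if domain_of(email) not in saml_domains:
            # Guests and personal addresses are outside the SAML domain and
            # are not governed by the IdP assignment list.
            continue
        if row["role"].strip().lower() == "admin":
            admins.append(email)
        if email not in active:
            remove.append(email)
    return {"remove": sorted(remove), "admins": sorted(admins)}


if __name__ == "__main__":
    report = reconcile(IDP_ASSIGNED_USERS, NOTION_MEMBERS, SAML_DOMAINS)
    print("remove manually in Notion:", report["remove"])
    print("admins with an email login path:", report["admins"])
```

On the sample data the report flags carol (deprovisioned in the IdP) and dave (never assigned) for removal, and lists alice as an administrator to review; eve is skipped because her address is outside the SAML domain.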

Something we didn't cover? Message us in the app by clicking ? at the bottom right on desktop (or in your sidebar on mobile). Or email us at team@makenotion.com ✌️