Setting up SAML SSO
Who can use this feature
- Supported on Team and Enterprise plans
- Note: Team plans are limited to Okta and Google SAML only
- Anyone with an org admin role can access and edit Single sign-on
What's in this article:
Configuring single sign-on
Select your IdP (Identity Provider)
Writer actively supports single sign-on with Okta, Google, and PingIdentity. However, you can also set up single sign-on with other identity providers as well. If you’re using another identity provider, select Other IdPs.
Add your email domains
Enable SAML domain management
Under SAML domain management, select Enable domain.
Head to your identity provider (e.g., Okta) to complete configuration.
Section A: From Writer to your IdP
If you look at Box A, you’ll see 2 fields that you’ll need to paste into your IdP (SP SSO URL and SP Entity ID).
Note that these fields are sometimes called other names, depending on the IdP.
- SP SSO URL is sometimes known as ACS (Assertion Consumer Service) URL or Recipient
- SP Entity ID is sometimes known as an Audience URL.
Some IdPs may ask you to upload a metadata XML file from Writer. This is rare, but if you need this, select Advanced configuration, then select the download icon to download this XML. You can then upload this into your IdP.
Section B: From your IdP into your Writer
Almost all IdPS will provide a SAML metadata XML. This is required from Writer to complete configuration. Once you have the XML from your IdP, upload it in Section B. We’ll analyze this XML and auto-populate the IdP Issuer and IdP SSO URL fields.
Once we have your IdP’s XML uploaded, you can select Done to finish setup.
Single sign-on settings
After setup, you can still edit your configuration (e.g., to add another email domain). If you’re switching IdPs, you can remove your configuration and create a new one.
Allow uninvited users to create an account via SAML SSO
Allow team members to create passwords and sign in without SSO
If enabled, users from your organization can create their own password and sign in without SAML SSO.
Q: Does your application support SAML 2.0 authentication?
Q: Does your application support OIDC authentication?
Q: Does your application provide SAML SP metadata?
Yes, it can be found under advanced configuration on the single sign-on settings page. (Here's a link for admins.) Once you've selected an identity provider, this metadata will be displayed:
Q: What is the SAML Single Sign On URL (ACS URL, Recipient)?
Q: What is the SAML SP Entity ID (Audience)?
Q: What SAML binding do you support?
Q: What is the default SAML relay state?
We don't enforce a default value. This can be empty.
Q: What SAML NameID formats do you support?
emailAddress or any other format if the email profile attribute is defined.
Q: What Identity Providers have you previously integrated with successfully?
GSuite, PingIdentity, Okta, OneLogin.
Q: Can user permissions or roles be assigned based on SAML assertion?
Yes, roles can be modified in the single sign-on settings page.
Q: What additional profile attributes, if any, are you expecting in the assertion/claim from SAML IdP?
first_name, family_name, picture_url
Q: Do you require encrypted assertions?
Q: Do you require encrypted name identifiers?
Q: Do you support Service Provider Initiated SSO, Identity Provider Initiated SSO, or both?
Q: Do you support "deep linking" and if yes, how do you offer this?
Q: Do you support JIT or OOB user provisioning?
Q: If OOB user provisioning is required, what methods do you support?
Q: Do you have a non-prod environment we could connect to?
Q: Can the application be configured to remove users who have not logged in for a specific period of time?
Q: When I add my email domain and select Next, I’m getting an error that says “One or more of the domains you added are already registered by another organization.”
Q: When I add my IdP metadata XML and select done, I’m getting an error that says “Your IdP configuration failed: Identity provider with same entity id is already registered!”