Setting up SAML SSO

Who can use this feature

  • Supported on Team and Enterprise plans
  • Note: Team plans are limited to Okta and Google SAML only
  • Anyone with an org admin role can access and edit Single sign-on

Configuring single sign-on

You can configure SAML single sign-on in the Admin Panel > Single sign-on.

1. Select your IdP (Identity Provider)

Writer actively supports single sign-on with Okta, Google, and PingIdentity, but you can also set up single sign-on with other identity providers. If you’re using another identity provider, select Other IdPs.

2. Add your email domains

Confirm the email domain that you have set up with your IdP (e.g., “acme.com”). Only users with this domain will be able to log in via SAML SSO. You can add more than one email domain.

3. For the final step, head to your identity provider (e.g., Okta) to complete configuration.

Section A: From Writer to your IdP

If you look at Box A, you’ll see 2 fields that you’ll need to paste into your IdP: SP SSO URL and SP Entity ID. Identity providers sometimes use different names for these fields:
  • SP SSO URL is sometimes known as ACS (Assertion Consumer Service) URL
  • SP Entity ID is sometimes known as an Audience URL

Some IdPs may ask you to upload Writer’s metadata XML file. This is rare, but if you need this, select Advanced configuration, then select the download icon to download this XML. You can then upload this into your IdP.

Section B: From your IdP into your Writer

Almost all IdPs will provide a SAML metadata XML. Writer requires this XML to complete configuration. Once you have the XML from your IdP, upload it in Section B. We’ll analyze this XML and auto-populate the IdP Issuer and IdP SSO URL fields.

Once we have your IdP’s XML uploaded, you can select Done to finish setup. 

Single sign-on settings

After setup, you can still edit your configuration (e.g., to add another email domain). If you’re switching IdPs, you can remove your configuration and create a new one. 

You’ll also have two advanced options.

Allow uninvited users to create an account via SAML SSO

If enabled, any user whose email address matches one of your domains can join your organization by signing in with SAML SSO. If you enable this option, you'll need to select a default team for these users.

Allow team members to create passwords and sign in without SSO

If enabled, users from your organization can create their own password and log in without SAML SSO. 

Tip: If you’d like to disable this setting, we recommend holding off until you’ve fully tested your SSO setup. Otherwise, you might block all users, including admins, if there's an error in your configuration. 

FAQs

Q: When I add my email domain and select Next, I’m getting an error that says “One or more of the domains you added are already registered by another organization.”

Email domains that you add to single sign-on have to be completely unique. It’s possible that someone else from your organization has already set up another Writer account. To resolve this, email support@writer.com and we’ll help you sort it out.

Q: When I add my IdP metadata XML and click done, I’m getting an error that says “Your IdP configuration failed: Identity provider with same entity id is already registered!”

Your IdP metadata has to be completely unique. It’s possible that someone else from your organization has already set up another Writer account. To resolve this, email support@writer.com.
