SAML SSO configuration


Notion provides Single Sign-On (SSO) functionality for enterprise customers to access the app through a single authentication source. This allows IT administrators to better manage team access and keeps information more secure 🔐


We use SAML (Security Assertion Markup Language), a standard that permits identity managers to safely pass authorization credentials to service providers like Notion.

Note: SAML SSO is only available for workspaces on Notion's Enterprise Plan. Contact sales to learn more →

  • Navigate to Settings & Members in your sidebar, and select the Security & identity tab. Scroll down to the SAML single sign-on section.

  • Email domains: Configure the email domains you want to enable for SAML SSO. Detailed instructions below.

  • Single sign-on URL: Copy this to use when setting up your Identity Provider (IDP).

  • IDP metadata URL/XML: enter the URL or XML provided by your Identity Provider (IDP) here.

You can configure your email domains for SAML SSO by first verifying that you own the domains. You must have at least one verified domain in order to enable SAML SSO with Notion.

You must verify a domain within 1 week of adding the domain. After a week, the verification code expires and the domain needs to be re-added in the UI.

Step 1: Add a new domain

  • Within the SAML single sign-on section, click the Add domain button.

  • Type in the domain that you wish to verify and click the Next button.

Note: We don’t support verifying subdomains for SAML SSO.

Step 2: Verify your domain

  • Follow the instructions for how to verify your domain with Notion:

    1. Navigate to the DNS record section of your domain host.

    2. Create a new TXT record and paste in the code above as the value.

    3. Typically, this change takes only minutes to occur. However, there are cases where it may take up to 72 hours for the DNS record to propagate.

    4. Click Verify to notify Notion to check your DNS record.

    5. After successfully verifying your domain, you can remove the TXT record from your domain.

  • Once you’ve successfully verified the domain, you’ll receive a message telling you that it was verified.

  • Once you enable SAML, anyone using an email address with the email domain you’ve verified will be able to log in using SAML SSO.
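Before clicking Verify, an administrator usually wants to confirm that the TXT record is already visible from a public resolver. The following Python helper, which is an added example and not part of Notion's documentation or tooling, parses the output of `dig +short TXT <domain>` and checks that one record equals the verification value Notion displayed. The sample output and the verification value are constructed placeholders, not real codes.

```python
import re
from typing import List

# One double-quoted string as dig prints it, allowing backslash escapes inside.
TXT_STRING = re.compile(r'"((?:[^"\\]|\\.)*)"')


def parse_txt_records(dig_output: str) -> List[str]:
    """Turn the output of `dig +short TXT <domain>` into one string per record.

    dig prints a TXT record longer than 255 bytes as several quoted chunks on a
    single line ("chunk1" "chunk2"); they are one record and must be joined,
    otherwise a long verification value looks like it is missing.
    """
    records = []
    for line in dig_output.splitlines():
        chunks = TXT_STRING.findall(line)
        if not chunks:
            continue  # blank line, comment, or unrelated output
        record = "".join(chunks)
        records.append(record.replace('\\"', '"').replace("\\\\", "\\"))
    return records


def verification_record_present(dig_output: str, expected_value: str) -> bool:
    """True if some TXT record equals the value Notion asked you to publish."""
    return any(r == expected_value for r in parse_txt_records(dig_output))


# Constructed sample output: an SPF record plus a placeholder verification
# value that dig has split into two quoted chunks (not a real Notion code).
SAMPLE_DIG_OUTPUT = '''"v=spf1 include:_spf.example.net ~all"
"PLACEHOLDER-VERIFICATION-" "VALUE-SPLIT-BY-DIG"
'''

if __name__ == "__main__":
    ok = verification_record_present(SAMPLE_DIG_OUTPUT, "PLACEHOLDER-VERIFICATION-VALUE-SPLIT-BY-DIG")
    print("record present, safe to click Verify" if ok else "record missing or not yet propagated")
```

Query the apex domain you added in Notion, not a subdomain, since subdomain verification is not supported.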

These are instructions for setting up Notion SAML SSO with Azure, Google, and Okta. If you use a different Identity Provider and need assistance with configuration, please contact our support team.

Azure

For additional documentation, you can also reference steps on Azure's website here:

Step 1: Create a new application integration

  • Sign in to the Azure portal. On the left navigation pane, select the Azure Active Directory service.

  • Navigate to Enterprise Applications and then select All Applications.

  • To add new application, select New application.

  • In the Add from the gallery section, type Notion in the search box. Select Notion from results panel and then add the app. Wait a few seconds while the app is added to your tenant.

Step 2: Create SAML Integration

  • In the Azure portal, on the Notion application integration page, find the Manage section and select single sign-on.

  • On the Select a single sign-on method page, select SAML.

Step 3: SAML Settings

  • On the Set up single sign-on with SAML page, click the pencil icon for Basic SAML Configuration to edit the settings.

  • On the Basic SAML Configuration section, if you wish to configure the application in IDP initiated mode, enter the values for the following fields:

    • In the Reply URL text box, use the SSO URL from Notion, found on the Security & identity tab of Settings & members in your left-hand sidebar.

  • Click Set additional URLs and perform the following step if you wish to configure the application in SP initiated mode:

    • In the Sign-on URL text box, enter the following URL: https://www.notion.so/login

  • In the User Attributes & Claims section, map each claim name to its source attribute as follows (Name: Source Attribute):

    • email: user.mail

    • firstName: user.givenname

    • lastName: user.surname

  • On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, click the copy button to copy the App Federation Metadata Url.

  • Go to your Notion workspace Settings & Members > Security & identity, and paste the value you copied into the IDP metadata URL field.

Step 4: Assign users to Notion

  • In the Azure portal, select Enterprise Applications, and then select All applications. In the applications list, select Notion.

  • In the app's overview page, find the Manage section and select Users and groups.

  • Select Add user, then select Users and groups in the Add Assignment dialog.

  • In the Users and groups dialog, select from the Users list, then click the Select button at the bottom of the screen.

  • If you expect a role to be assigned to the users, you can select it from the Select a role dropdown. If no role has been set up for this app, you will see the "Default Access" role selected.

  • In the Add Assignment dialog, click the Assign button.


Google

For additional documentation, you can also reference steps on Google's website here:

Step 1: Create a new application integration

  • Sign in to the Google Admin console at https://admin.google.com/. Make sure you are using an account with super administrator privileges.

  • From the Admin console Home page, go to Apps > Web and mobile apps.

  • Click Add App > Add private SAML app.

  • On the App Details page, enter the name of the custom app.

  • Click Continue.

Step 2: Create SAML Integration

  • On the Google Identity Provider details page, copy the link to IDP metadata and enter it in Notion in the field IDP metadata URL.

    • Alternatively, download the IDP metadata and copy the contents of this file to Notion in the field IDP metadata XML.

  • Click Continue.

Step 3: SAML Settings

  • In the Service Provider Details window, enter the ACS URL and Entity ID for your Notion app.

    • For the ACS URL, use the Single Sign-On URL found on the Security & identity tab of Settings & members in your left hand sidebar.

    • For the Entity ID, use https://www.notion.so/sso/saml

  • The default Name ID is the primary email.

  • Click Continue to add App Attributes.

    • On the Attribute mapping page, click Add another mapping to map additional attributes.


Okta

For additional documentation, you can also reference steps on Okta's website here:

Step 1: Add the Notion app from Okta's application directory

  • Log in to Okta as an administrator, go to the Okta Admin console, and select Classic UI from the dropdown in the top menu bar.

  • Go to Application > Add Application and search for "Notion" in the Okta app directory.

  • Select the Notion app and click Add.

Step 2: Configure the Notion Application

  • Review general settings (it's unlikely you'll need to change these) and click Next.

  • Select SAML 2.0

  • Optional: Click View Setup Instructions for Okta's version of this documentation.

  • Fill in the Organization ID.

    • Go to the Security & identity tab of Settings & members in your left-hand sidebar.

    • Copy the last part of the Single Sign-On URL. It is a set of alphanumeric characters with dashes in the form xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx; enter that as the Organization ID. Do not copy the entire URL.

    • Paste the xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx ID you copied into the Organization ID field in Okta.

    • Click Done.

Step 3: Assign users and groups to Notion

  • In Okta's Assignments tab, you can now assign users and groups to Notion.


Once you've configured SAML SSO for Notion and your IDP, you can further customize the following settings:

  • Automatically create accounts on sign in: Enable if you want to allow all users who can sign in to automatically be added as paid members to your Notion workspace.

    • Make sure your SAML email domains are also listed in Allowed email domains under Settings.

  • Enable SAML: Turning on this setting will allow users with configured domains to log in with SAML SSO. They will still be able to log in with other methods as well.

  • Enforce SAML: Switching this on means users with email addresses on the configured domain can only sign in using SAML SSO. Notion administrators may still log in with email.

If you encounter errors when setting up SAML SSO, check that your IDP's metadata, SAML requests, and SAML responses are valid XML that conforms to the SAML XSD schemas. You can do so using this online tool: https://www.samltool.com/validate_xml.php

Note that we do not support the EntitiesDescriptor element. If your IDP's metadata contains this element, extract the contained EntityDescriptor element and try again.
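The unwrapping step described above can be done offline rather than by hand. The Python script below is an added example, not Notion's code: it parses IDP metadata with the standard library, unwraps a single EntityDescriptor from an EntitiesDescriptor root (selecting by entityID when a federation file lists several), and reports the entity ID, signing certificates, and single sign-on endpoints that a service provider needs. The embedded metadata, its entityID and its certificate value are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from typing import Optional

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)  # keep md:/ds: prefixes when re-serializing

# Constructed sample: IDP metadata wrapped in EntitiesDescriptor (the case Notion rejects).
SAMPLE_METADATA = f"""<md:EntitiesDescriptor xmlns:md="{MD}" xmlns:ds="{DS}">
  <md:EntityDescriptor entityID="https://idp.example.com/metadata">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC...placeholder...</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                              Location="https://idp.example.com/sso/redirect"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def extract_entity_descriptor(metadata_xml: str, entity_id: Optional[str] = None) -> ET.Element:
    """Return the one EntityDescriptor, unwrapping an EntitiesDescriptor root if present."""
    root = ET.fromstring(metadata_xml)  # raises ET.ParseError if the XML is malformed
    if root.tag == f"{{{MD}}}EntityDescriptor":
        return root
    if root.tag != f"{{{MD}}}EntitiesDescriptor":
        raise ValueError(f"unexpected root element {root.tag}")
    entities = root.findall("md:EntityDescriptor", NS)
    if entity_id is not None:  # a federation file can list many IDPs: pick ours by entityID
        entities = [e for e in entities if e.get("entityID") == entity_id]
    if len(entities) != 1:
        raise ValueError(f"expected exactly one EntityDescriptor, found {len(entities)}")
    return entities[0]


def check_idp_metadata(metadata_xml: str, entity_id: Optional[str] = None) -> dict:
    """Unwrap the metadata and report what a service provider needs to trust the IDP."""
    entity = extract_entity_descriptor(metadata_xml, entity_id)
    idp = entity.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not identity-provider metadata")
    # Signing keys: KeyDescriptor with use="signing", or no use attribute (means both uses)
    certs = [kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", "", NS).strip()
             for kd in idp.findall("md:KeyDescriptor", NS) if kd.get("use") in (None, "signing")]
    bindings = {s.get("Binding", "").rsplit(":", 1)[-1]: s.get("Location")
                for s in idp.findall("md:SingleSignOnService", NS)}
    return {"entity_id": entity.get("entityID"), "sso_bindings": bindings,
            "signing_certs": [c for c in certs if c],
            "entity_descriptor_xml": ET.tostring(entity, encoding="unicode")}
```

If the EntitiesDescriptor carries an XML signature, that signature covers the wrapper and does not travel with the extracted element, so verify the file's signature before unwrapping and obtain the metadata over an authenticated channel.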


FAQs

Why is the current Enable SAML SSO greyed out?

The most common reason is that you have not yet verified ownership of a domain. If this is the case, you will notice that you either don’t have any domains listed in the verify email domain section or the domain is pending verification.

For next steps, refer to our instructions on how to complete domain verification here →

Why can’t I edit the SAML SSO settings?

The most common reason is that you are trying to modify the verified domains or SSO configuration from a linked workspace, that is, a workspace that is already associated with another SSO configuration.

In linked workspaces, all domain management and SSO configuration settings are read-only. To modify the SSO configuration or remove this workspace from the SSO configuration, you must have access to the primary workspace. The name of the primary workspace can be found at the top of the Identity & Provisioning settings tab.

Does enforcing SAML SSO log out users?

No, active user sessions stay logged in until they expire. The next time a user needs to log in, they will need to log in with SAML SSO.

Does Notion SAML SSO support Single Logout?

Not at this time. If Single Logout is important to you, please contact our support team to let us know.

Can I still log in to Notion if my identity provider is out of service?

Yes, even with SAML enforced, Notion administrators have the option to log in with email. Thereafter, an administrator can change the SAML configuration to disable Enforce SAML so users may log in with email again.

Are profile photos transmitted to Notion from the IDP?

Yes, profilePhoto is an optional custom attribute. You may assign this attribute to a corresponding attribute in your IDP, provided the attribute contains the URL to an image. If the profilePhoto field is set, this image will replace the avatar in Notion when the user signs in using SAML SSO.
