Notion provides Single Sign-On (SSO) functionality for enterprise customers to access it through a single authentication source, like Okta. This allows IT administrators to better manage team access and keeps information more secure.
We use SAML (Security Assertion Markup Language), a standard that permits identity managers like Okta to safely pass authorization credentials to service providers like Notion.
Note: SAML SSO is only available for workspaces on Notion's Enterprise Plan. Contact sales to learn more →
Okta setup
These are instructions for setting up Notion SAML SSO with Okta. If you use a different identity provider and need assistance with configuration, please contact our support team.
You can always follow steps on Okta's website here:
Create a new application integration

- Platform: select Web from the dropdown.
- Sign on method: select SAML 2.0.
Create SAML integration

- App name: Notion
- You can upload the logo in this zip file 👇
SAML settings

- Single sign on URL: found on the Security & SAML tab of Settings & Members in your left-hand sidebar.

- Audience URI: https://www.notion.so/sso/saml
- Name ID format: select EmailAddress from the dropdown.
- Application username: select Email from the dropdown.
- Update application username on: select Create and Update from the dropdown.
- Attribute statements (our recommended mapping):
  - firstName → user.firstName
  - lastName → user.lastName
  - profilePhoto → user.profilePhoto
Note: profilePhoto is an optional custom field. Don't assign the attribute if you don't have a profile photo or user avatar field in Okta. Blank profile photo fields in Okta will not override a set avatar in Notion.
Assign users to Notion
In Okta's Assignments tab, you can now assign users to Notion. This is not necessary if you use Notion's Just-in-Time (JIT) provisioning by enabling Automatically Create Accounts on Sign-in.
Notion setup
Email domains & metadata URL
- Navigate to Settings & Members in your sidebar, and select the Security & SAML tab. You should see this:

- Email Domains: please use the Contact support link in the Security & SAML tab to configure the email domains you want to enable for SAML SSO.
- IDP Metadata URL: enter the URL provided by Okta here:

Other settings

- Automatically create accounts on sign in: Enable if you want to allow all users who can sign in to automatically be added as paid members to your Notion workspace.
- Enable SAML: If you turn off this setting, team members will not be able to log in with SAML.
- Enforce SAML: Switching this on means users with email addresses on the configured domain can only sign in using SAML SSO. Notion administrators may still log in with email.
Note: Before enforcing SAML, we recommend notifying your organization that this will be the only way to sign in going forward, and that they should change their email address on any Notion workspaces not affiliated with your organization to a personal email. If they lose access to Notion through SAML, they will also lose access to all workspaces that use their organization email.
Troubleshooting
If you encounter errors when setting up SAML SSO, check to make sure your IDP's metadata, SAML requests and responses are valid XML against the SAML XSD schemas. You can do so using this online tool: https://www.samltool.com/validate_xml.php
Note that we do not support the EntitiesDescriptor element. If your IDP's metadata contains this element, extract the contained EntityDescriptor element and try again.
FAQs
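The EntitiesDescriptor workaround from the Troubleshooting section, as an added example that is not Notion's or Okta's own code: it pulls the single IdP EntityDescriptor out of aggregate metadata and returns it as a standalone document. The function name, the sample metadata and the example.test URLs are constructed for illustration.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
ET.register_namespace("md", MD_NS)  # keep the conventional md: prefix on output

# Constructed sample: aggregate metadata wrapping an SP and an IdP entity.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:EntityDescriptor entityID="https://sp.example.test/metadata">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.example.test/metadata">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleSignOnService
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://idp.example.test/sso"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def extract_idp_entity(metadata_xml, entity_id=None):
    """Return the one IdP EntityDescriptor as a standalone XML string."""
    # SAML metadata has no need for a DTD; refuse it rather than parse entities.
    if "<!DOCTYPE" in metadata_xml or "<!ENTITY" in metadata_xml:
        raise ValueError("DTD found in metadata; refusing to parse")
    root = ET.fromstring(metadata_xml)
    if root.tag == f"{{{MD_NS}}}EntityDescriptor":
        candidates = [root]  # already in the supported shape
    elif root.tag == f"{{{MD_NS}}}EntitiesDescriptor":
        # iter() also reaches entities inside nested EntitiesDescriptor groups.
        candidates = list(root.iter(f"{{{MD_NS}}}EntityDescriptor"))
    else:
        raise ValueError(f"not SAML metadata: {root.tag}")
    # Keep only entities that act as an IdP, optionally pinned to one entityID.
    idps = [e for e in candidates
            if e.find(f"{{{MD_NS}}}IDPSSODescriptor") is not None
            and entity_id in (None, e.get("entityID"))]
    if len(idps) != 1:
        raise ValueError(f"expected exactly one IdP entity, found {len(idps)}")
    idps[0].tail = None  # drop whitespace that followed the element in the aggregate
    return ET.tostring(idps[0], encoding="unicode")
```

Any XML signature on the enclosing EntitiesDescriptor no longer covers the extracted element, so verify the aggregate before extracting and serve the result only from a location you control.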
My organization uses an identity service provider (IDP) that's not Okta. Will it be supported?
If your IDP provides a SAML metadata URL for dynamic configuration, you can follow the same setup steps as above. Please contact our support team for SAML configuration assistance for other IDPs.
How does Notion SAML SSO handle user provisioning?
Notion offers Just-in-Time (JIT) provisioning if you enable Automatically create accounts on sign in in your SAML SSO settings.
Notion does not provide automatic deprovisioning at this time. This means that if you remove a member via your IDP, that user will also need to be removed in Notion via the Members tab of Settings & Members in the left-hand sidebar.
Does enforcing SAML SSO log out users?
No, active user sessions stay logged in until they expire. The next time a user needs to log in, they will need to log in with SAML SSO.
Does Notion SAML SSO support Single Logout?
Not at this time. If Single Logout is important to you, please contact our support team to let us know.
Can I still log in to Notion if my identity provider is out of service?
Yes, even with SAML enforced, Notion administrators have the option to log in with email. Thereafter, an administrator can change the SAML configuration to disable Enforce SAML so users may log in with email again.
What version of SAML does Notion support?
We currently support SAML v2.0.
Something we didn't cover?
Message us in the app by clicking ? at the bottom right on desktop (or in your sidebar on mobile). Or email us at team@makenotion.com ✌️