SAML SSO

SAML SSO configuration - hero
In this Article

Notion provides Single Sign-On (SSO) functionality for Business and Enterprise customers to access the app through a single authentication source. This allows IT administrators to better manage team access and keeps information more secure 🔐

Jump to FAQs

Notion’s single sign-on (SSO) services are built upon the SAML (Security Assertion Markup Language) 2.0 standard that permits identity managers to safely pass authorization credentials to service providers like Notion and connect your Identity Provider (IdP) and workspace(s) for an easier, more secure login experience.

SSO services permit a user to use one set of credentials (for example, a name or email address and password) to access multiple applications. The service authenticates the end user only once for all the applications the user has been given rights to and eliminates further prompts when the user switches applications during the same session.

Benefits of SSO

  • Streamlines user management across systems for workspace owners.

  • Removes the need for end-users to remember and manage multiple passwords. Simplifies end-users experience by allowing them to sign in at one single access point and enjoy a seamless experience across multiple applications.

Prerequisites for SSO with Notion

  • Your workspace must be on a Business Plan or Enterprise Plan.

  • Your Identity Provider (IdP) must support the SAML 2.0 standard.

  • Only a workspace owner can configure SAML SSO for a Notion workspace.

  • At least one domain has been verified by a workspace owner.

Enable SAML SSO for a single workspace

  1. Go to Settings & members, then select the Settings tab.

  2. In the Allow email domains section, remove all email domains.

  3. Then select the Identity & provisioning tab.

  4. Toggle on Enable SAML SSO and the SAML SSO Configuration modal will automatically appear and prompt you to complete the set-up.

  5. The SAML SSO Configuration modal is divided into two parts:

    • The Assertion Consumer Service (ACS) URL is to be entered in your Identity Provider (IdP) portal

    • The Identity Provider Details is a field in which either an IdP URL or IdP metadata XML must be provided to Notion.

For more information on where to enter and obtain this information, please refer to our IdP-specific guides below.

Note: Guests are not supported with SAML SSO on Notion.

Note: Linking additional workspaces to a SAML SSO configuration is only possible for customers on the Enterprise Plan. For more information, contact sales →

From the workspace where you have verified your domain and enabled SAML SSO, there is a Linked workspaces section listing all of the workspaces associated with your SAML SSO configuration.

Users with a verified email address who have access to the primary workspace or one of the linked workspaces will be able to log in via SAML SSO.

Sales-assisted Enterprise customers can add Enterprise workspaces to their SAML SSO configuration or remove them by reaching out to team@makenotion.com.

Enforce SAML SSO

Once you have completed your configuration of SAML SSO for a single workspace, users will be able to log in via SAML SSO in addition to other log-in methods such as username/password and Google Authentication.

  • To ensure users can only log in using SAML SSO and no other method, update the Login method to Only SAML SSO. Once this happens, workspace users will be logged out and required to log back in using SAML SSO.

  • SAML SSO will only be enforced for users who use your verified domain and have access to the primary workspace or a linked workspace.

  • Guests invited to pages in a Notion workspace can’t use SAML SSO to login. Instead, they’ll always use their e-mail and password or log in with Google or Apple.

  • Workspace owners will always have the option to bypass SAML SSO by using their email and password credentials. This is to allow them to access Notion in the event of IdP/SAML failure. They will be able to log in and disable or update their configuration.

Notion supports Just-in-Time provisioning when using SAML SSO. This allows someone signing in via SAML SSO to join the workspace automatically as a member.

To enable Just-in-Time provisioning:

  • In Settings & members Identity & provisioning, make sure that Automatic account creation is enabled.

Note: We don’t recommend enabling Just-in Time provisioning if you are using SCIM. Having an “allowed email domain” in place allows users on that domain to join the workspace so there could be a mismatch between membership in their Identity Providers and Notion.

These are instructions for setting up Notion SAML SSO with Entra ID (formerly Azure), Google, Okta, and OneLogin. If you use a different Identity Provider and need assistance with configuration, please contact our support team.

Entra ID

For additional documentation, you can also reference steps on Entra ID's website here:

Step 1: Create a new application integration

  1. Sign in to the Entra ID portal. On the left navigation pane, select the Azure Active Directory service.

  2. Navigate to Enterprise Applications and then select All Applications.

  3. To add a new application, select New application.

  4. In the Add from the gallery section, type Notion in the search box. Select Notion from results panel and then add the app. Wait a few seconds while the app is added to your tenant.

Step 2: Create SAML Integration

  1. In the Azure portal, on the Notion application integration page, find the Manage section and select single sign-on.

  2. On the Select a single sign-on method page, select SAML.

Step 3: SAML Settings

  1. In Notion, go to the Settings & members tab, then select the Settings tab.

  2. In the Allow email domains section, remove all email domains.

  3. Then select the Identity & provisioning tab.

  4. Verify one or more domains. See instructions for domain verification here →

  5. Toggle on Enable SAML SSO and the SAML SSO Configuration modal will automatically appear and prompt you to complete the set-up.

  6. The SAML SSO Configuration modal is divided into two parts — one section is the Assertion Consumer Service (ACS) URL to be entered in your Identity Provider (IdP) portal and the second section is Identity Provider Details in which either IdP url or IdP metadata XML that must be provided to Notion.

Step 4: Configure Notion app in Entra ID

  1. On the Set up single sign-on with SAML page, click the pencil icon for Basic SAML Configuration to edit the settings.

  2. On the Basic SAML Configuration section, if you wish to configure the application in IdP initiated mode, enter the values for the following fields:

    • In the Identifier (Entity ID) text box, enter the following URL: https://www.notion.so/sso/saml.

    • In the Reply URL (Assertion Consumer Service URL) text box, use the ACS URL from Notion, found on the Identity & provisioning tab of Settings & members in your left-hand sidebar.

    • In the Sign on URL text box, enter the following URL: https://www.notion.so/login.

  3. In the User attributes & claims section, ensure the required claim are set to:

    • Unique User Identifier (Name ID): user.userprincipalname [nameid-format:emailAddress]

    • firstName: user.givenname

    • lastName: user.surname

    • email: user.mail

  4. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, click the copy button next to the App Federation Metadata URL.

  5. Go to your Notion workspace Settings & members → Identity & provisioning, and paste the App Federation Metadata URL value you copied into the IdP metadata URL field text box. Make sure the radio button Identity Provider URL is selected.

Step 5: Assign users to Notion

  1. In the Azure portal, select Enterprise Applications, and then select All applications. In the applications list, select Notion.

  2. In the app's overview page, find the Manage section and select Users and groups.

  3. Select Add user, then select Users and groups in the Add Assignment dialog.

  4. In the Users and groups dialog, select from the Users list, then click the Select button at the bottom of the screen.

  5. If you are expecting a role to be assigned to the users, you can select it from the Select a role dropdown. If no role has been set up for this app, you see Default Access role selected.

  6. In the Add Assignment dialog, click the Assign button.

Google

For additional instructions, you can also reference the documentation in the Google Workspace Admin Help Center:

Step 1: Get Google identity provider (IdP) information

  1. Make sure you're signed into an administrator account to ensure your user account has the appropriate permissions.

  2. In the Admin console, go to Menu -> Apps -> Web and mobile apps.

  3. Enter Notion in the search field and select the Notion SAML app.

  4. On the Google Identity Provider details page, download the IdP metadata file.

  5. Open the file, GoogleIDPMetadata.xml in a compatible editor, then select and copy the contents of the file.

  6. Leave the Admin console open, you'll continue with the configuration wizard after performing the next step in the Notion application.

Step 2: Set up Notion as SAML 2.0 service provider

  1. In Notion, go to the Settings and members tab, then select the Settings tab.

  2. In the Allowed email domains section, remove all email domains.

  3. Select the Identity & provisioning tab.

  4. Add a new domain and verify it. This should be the same as your Google Workspace domain.

  5. In SAML Single sign-on (SSO) settings, toggle the Enable SAML SSO on. This opens the SAML SSO Configuration dialog.

  6. In the dialog, do the following:

    • Under Identity Provider Details, select IDP metadata XML.

    • Paste the contents of the GoogleIDPMetadata.xml file, (copied in step 1 above) into the IdP metadata XML text box.

    • Copy and save the Assertion Consumer Service (ACS) URL. You'll need this when you complete the Google-side configuration in Admin console in step 3 below.

    • Click Save Changes.

  7. Ensure that the remaining options Login method, Automatic account creation and Linked workspaces contain the desired values for your configuration.

Step 3: Finish SSO configuration in Admin Console

  1. Return to the Admin console browser tab.

  2. On the Google Identity Provider details page, click Continue.

  3. On the Service provider details page, replace the ACS URL with the ACS URL you copied from Notion in Step 2 above.

  4. Click Continue.

  5. On the Attribute Mapping page, click the Select field menu and map the following Google directory attributes to their corresponding Notion attributes. Note that firstName, lastName, and email are required attributes.

    Note: The profilePhoto attribute can be used to add a user photo in Notion. To use it, create a custom attribute and populate it in the user profile with the URL path to the photo, then map the custom attribute to profilePhoto.

  6. Optional: Click Add Mapping to add any additional mappings you need.

  7. Click Finish.

Note: Regardless of how many group names you enter, the SAML response will only include groups that a user is a member of (directly or indirectly). For more information, see About group membership mapping.

Step 4: Enable the Notion app

  1. In the Admin console, go to Menu → AppsWeb and mobile apps.

  2. Select Notion.

  3. Click User access.

  4. To turn a service on or off for everyone in your organization, click On for everyone or Off for everyone, and then click Save.

  5. (Optional) To turn a service on or off for an organizational unit:

    • At the left, select the organizational unit.

    • To change the Service status, select On or Off.

    • Choose one: If the Service status is set to Inherited and you want to keep the updated setting, even if the parent setting changes, click Override. If the Service status is set to Overridden, either click Inherit to revert to the same setting as its parent, or click Save to keep the new setting, even if the parent setting changes. Note: Learn more about organizational structure.

  6. Optional: Turn on the service for a group of users. Use access groups to turn on a service for specific users within or across your organizational units. Learn more.

  7. Ensure that your Notion user account email IDs match those in your Google domain.

Okta

For additional documentation, you can also reference steps on Okta's website here:

Step 1: Add the Notion app from Okta's application directory

  • Log in to Okta as an administrator, and go to the Okta Admin console.

  • Go to the Application tab, select Browse App Catalog and search for "Notion" in the Okta app catalog.

  • Select the Notion app and click Add integration.

  • In the General Settings view, review the settings and click Next.

  • In the Sign-on Options view, select the SAML 2.0 option.

  • Above the Advanced Sign-on Settings section, click on the Identity Provider metadata. This will open a new browser tab. Copy the link of the URL.

Step 2: Configure SAML settings in Notion

  1. In Notion, go to the Settings & members tab, then select the Settings tab.

  2. In the Allow email domains section, remove all email domains.

  3. Then select the Identity & provisioning tab.

  4. Verify one or more domains. See instructions for domain verification here

  5. Toggle on Enable SAML SSO and the SAML SSO Configuration modal will automatically appear and prompt you to complete the set-up.

  6. The SAML SSO Configuration modal is divided into two parts — one section is the Assertion Consumer Service (ACS) URL to be entered in your Identity Provider (IdP) portal and the second section is Identity Provider Details in which either IdP url or IdP metadata XML that must be provided to Notion.

    • Choose the Identity Provider URL, and paste the Identity Provider metadata URL you copied in Step 1. Click Save changes.

  7. In the Identity & provisioning tab, scroll down and copy the Workspace ID identifier.

  8. In Okta Admin consoleAdvanced Sign-on Settings section, paste the workspace ID in the Organization ID text box.

  9. In Credentials details, select Email from Application username format dropdown, and click Done.

  10. In Okta - Assignments tab, you can now assign users and groups to Notion.

OneLogin

For additional documentation, you can also reference steps on OneLogin’s website here:

Step 1: Create new application integration

  1. If you have not already configured provisioning, go to AdministrationApplicationsApplications, then click the Add App button, search for Notion in the search box, and select the SAML 2.0 version of Notion.

  2. Click Save.

Step 2: Create SAML integration

  1. Otherwise, navigate to ApplicationsApplications and select the Notion app connector you already added.

  2. Navigate to the SSO tab and copy the Issuer URL value. Paste it somewhere to be retrieved later.

Step 3: SAML settings

  1. In Notion, go to the Settings & members tab, then select the Settings tab.

  2. In the Allow email Domains section, remove all email domains.

  3. Then select the Identity & provisioning tab.

  4. Verify one or more domains. See instructions for domain verification here → Verify a domain for your workspace.

  5. Toggle on Enable SAML SSO and the SAML SSO Configuration modal will automatically appear and prompt you to complete the set-up.

  6. The SAML SSO Configuration modal is divided into two parts — one section is the Assertion Consumer Service (ACS) URL to be entered in your Identity Provider (IdP) portal and the second section is Identity Provider Details in which either IdP url or IdP metadata XML that must be provided to Notion.

Step 4: Configure Notion app in OneLogin

  1. Copy Assertion Consumer Service (ACS) URL from Notion.

  2. Go back to the OneLogin Administration UI.

  3. Navigate to the Configuration tab of the Notion app connector your just added to your OneLogin account.

  4. Paste the Assertion Consumer Service (ACS) URL from Notion into the Consumer URL textbox.

  5. Click Save.

  6. Go back to the Notion Edit SAML SSO configuration settings.

  7. Paste the Issuer URL you copied from the SSO tab in OneLogin URL into the Identity Provider URL textbox. Make sure the radio button Identity Provider URL is selected.

Rippling

For detailed documentation, you can reference Rippling's website here

Custom SAML SSO configuration

If you don't use one of Notion’s supported SAML providers, you can also configure your IdP to use SAML with Notion.

Step 1: Set up your IdP

Your IdP must support the SAML 2.0 spec to be used with Notion.

  1. Configure the ACS URL to the value Assertion Consumer Service (ACS) URL from Notion. You can find this in SettingsIdentity & ProvisioningEdit SAML SSO Configuration.

  2. Configure NameID to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.

    1. Similarly, configure username to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.

  3. Configure EntityID to https://notion.so/sso/saml. You can find this in Settings → the bottom of Identity & Provisioning.

  4. Configure the following attributes:

    • emailAddress: This is a user's email address. Most IdPs set this by default.

    • (Optional) firstName

    • (Optional) lastName

    • (Optional) profilePicture

  5. Copy the IdP metadata URL or IdP metadata XML for next steps.

Step 2: Set up SAML in Notion

  1. In Notion, click Settings & membersSettingsIdentity & provisioning.

  2. Add new email domains and follow the prompts to verify them. These must be email domains of your users logging into Notion.

  3. In SAML Single sign-on (SSO) settings, toggle Enable SAML SSO on. This will open the SAML SSO Configuration dialog.

  4. Under Identity Provider Details, input the IdP metadata URL or IdP metadata XML from your IdP.

  5. Make sure you provide your desired inputs for Login methodAutomatic account creation, and Linked workspaces.

Switching identity providers

To switch identity providers, go to Settings & members in your left sidebar → Identity & provisioningEdit SAML SSO configuration. Enter your new information, then select Save changes.

When switching to a new IdP, we recommend that:

  • SSO not be enforced during the transition, so you can minimize the risk of locking users out.

  • Email addresses for the users under your new IdP match the user’s email in Notion.

Note: Changing identity providers does not end user sessions or deactivate users.

If you encounter errors when setting up SAML SSO, check to make sure your IdP's metadata, SAML requests and responses are valid XML against the SAML XSD schemas. You can do so using this online tool: https://www.samltool.com/validate_xml.php

Note that we do not support the EntitiesDescriptor element. If your IdP's metadata contains this element, extract the contained EntityDescriptor element and try again.


FAQs

Why is the current Enable SAML SSO greyed out?

Why can’t I edit the SAML SSO settings?

The most common reason is that you are trying to modify the verified domains or SSO configuration from a linked workspace which is a workspace that is already associated with another SSO configuration.

In linked workspaces, all domain management and SSO configuration settings are read-only. To modify the SSO configuration or remove this workspace from the SSO configuration, you must have access to the primary workspace. The name of the primary workspace can be found at the top of the Identity & Provisioning settings tab.

Why do I need to verify a domain to enable SSO?

We ask that the email domain ownership is validated to ensure that only the owner of the domain can customize how their users log into Notion.

Having trouble setting up SSO? Here are some common issues:

  • Try using a URL instead of an XML.

  • We recommend testing the setup process with a test account before enforcing it for users.

  • If neither of these options help, reach out to support at

Why should I remove email domains from the “Allowed Email Domains” setting before configuring SAML SSO for my workspace?

The “Allowed Email Domain” setting allows users with the selected domains to access your workspace without being provisioned via your IdP. To ensure that only users provisioned via your IdP can access your SAML-enabled workspace, disable this feature by removing all email addresses from the “Allowed Email Domain” list.

Can I still log in to Notion if my identity provider is out of service?

Yes, even with SAML enforced, Workspace owners have the option to log in with email. Thereafter, a Workspace owner can change the SAML configuration to disable Enforce SAML so users may log in with email again.

Are profile photos transmitted to Notion from the IdP?

Yes, profilePhoto is an optional custom attribute. You may assign this attribute to a corresponding attribute in your IdP, provided the attribute contains the URL to an image. If the profilePhoto field is set, this image will replace the avatar in Notion when the user signs in using SAML SSO.

How do I allow admins of other workspaces in my SAML configuration create new workspaces?

Only the admins of your primary workspace will be able to create new workspaces using your verified domain(s). Please reach out to our support team (team@makenotion.com) to switch your primary SAML workspace to another linked workspace in your SAML configuration.

Still have more questions? Message support

Give Feedback

Was this resource helpful?


Powered by Fruition