SAML SSO configuration


Notion provides Single Sign-On (SSO) functionality for enterprise customers to access the app through a single authentication source. This allows IT administrators to better manage team access and keeps information more secure 🔐


We use SAML (Security Assertion Markup Language), a standard that permits identity managers to safely pass authorization credentials to service providers like Notion.

Note: SAML SSO is only available for workspaces on Notion's Enterprise Plan. Contact sales to learn more.

Notion setup

  • Navigate to Settings & Members in your sidebar, and select the Security & identity tab. Scroll down to the SAML single sign-on section.

  • Email domains: please use the Contact support link in the Security & identity tab to configure the email domains you want to enable for SAML SSO.

  • Single sign-on URL: Copy this to use when setting up your Identity Provider (IDP).

  • IDP metadata URL/XML: enter the URL or XML provided by your Identity Provider (IDP) here.

Identity Provider (IDP) Setup

These are instructions for setting up Notion SAML SSO with Azure, Google, and Okta. If you use a different Identity Provider and need assistance with configuration, please contact our support team.


Azure

For additional documentation, you can also reference the steps on Azure's website.

Step 1: Create a new application integration

  • Sign in to the Azure portal. On the left navigation pane, select the Azure Active Directory service.

  • Navigate to Enterprise Applications and then select All Applications.

  • To add new application, select New application.

  • In the Add from the gallery section, type Notion in the search box. Select Notion from results panel and then add the app. Wait a few seconds while the app is added to your tenant.

Step 2: Create SAML Integration

  • In the Azure portal, on the Notion application integration page, find the Manage section and select single sign-on.

  • On the Select a single sign-on method page, select SAML.

Step 3: SAML Settings

  • On the Set up single sign-on with SAML page, click the pencil icon for Basic SAML Configuration to edit the settings.

  • In the Basic SAML Configuration section, if you wish to configure the application in IDP-initiated mode, enter the value for the following field:

    • In the Reply URL text box, enter the SSO URL from Notion, found on the Security & identity tab of Settings & Members in your left-hand sidebar.

  • Click Set additional URLs and perform the following step if you wish to configure the application in SP-initiated mode:

    • In the Sign-on URL text box, enter the following URL: https://www.notion.so/login

  • In the User Attributes & Claims section, set the following user attributes to their corresponding source attribute (claim name → source attribute):

    • email → user.mail

    • firstName → user.givenname

    • lastName → user.surname

  • On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, click the copy button next to App Federation Metadata Url.

  • Go to your Notion workspace Settings & Members > Security & identity, and paste the value you copied into the IDP metadata URL field.

Step 4: Assign users to Notion

  • In the Azure portal, select Enterprise Applications, and then select All applications. In the applications list, select Notion.

  • In the app's overview page, find the Manage section and select Users and groups.

  • Select Add user, then select Users and groups in the Add Assignment dialog.

  • In the Users and groups dialog, select from the Users list, then click the Select button at the bottom of the screen.

  • If you are expecting a role to be assigned to the users, you can select it from the Select a role dropdown. If no role has been set up for this app, the "Default Access" role is selected.

  • In the Add Assignment dialog, click the Assign button.


Google

For additional documentation, you can also reference the steps on Google's website.

Step 1: Create a new application integration

  • Sign in to your Admin console at https://admin.google.com/. Make sure you're using an account with super administrator privileges!

  • From the Admin console Home page, go to Apps > Web and mobile apps.

  • Click Add App > Add private SAML app.

  • On the App Details page, enter the name of the custom app.

  • Click Continue.

Step 2: Create SAML Integration

  • On the Google Identity Provider details page, copy the link to IDP metadata and enter it in Notion in the field IDP metadata URL.

    • Alternatively, download the IDP metadata and copy the contents of this file to Notion in the field IDP metadata XML.

  • Click Continue.

Step 3: SAML Settings

  • In the Service Provider Details window, enter the ACS URL and Entity ID for your Notion app.

    • For the ACS URL, use the Single Sign-On URL found on the Security & identity tab of Settings & members in your left-hand sidebar.

    • For the Entity ID, use https://www.notion.so/sso/saml/

  • The default Name ID is the primary email.

  • Click Continue to add App Attributes.

    • On the Attribute mapping page, click Add another mapping to map additional attributes.


Okta

For additional documentation, you can also reference the steps on Okta's website.

Step 1: Add the Notion app from Okta's application directory

  • Log in to Okta as an administrator, go to the Okta Admin console, and select Classic UI from the dropdown in the top menu bar.

  • Go to Application > Add Application and search for "Notion" in the Okta app directory.

  • Select the Notion app and click Add.

Step 2: Configure the Notion Application

  • Review general settings (it's unlikely you'll need to change these) and click Next.

  • Select SAML 2.0.

  • Optional: Click View Setup Instructions for Okta's version of this documentation.

  • Fill in the Organization ID.

    • Go to the Security & identity tab of Settings & members in your left-hand sidebar.

    • Copy the last part of the Single Sign-On URL: it's a set of alphanumeric characters with dashes (xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx). Enter that as the Organization ID; do not copy the entire URL.

    • Paste the xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx ID you copied into the Organization ID field in Okta.

    • Click Done.

Step 3: Assign users and groups to Notion

  • In Okta's Assignments tab, you can now assign users and groups to Notion.


SAML SSO settings

Once you've configured SAML SSO for Notion and your IDP, you can further customize the following settings:

  • Automatically create accounts on sign in: Enable if you want to allow all users who can sign in to automatically be added as paid members to your Notion workspace.

    • Make sure your SAML email domains are also listed in Allowed email domains under Settings.

  • Enable SAML: Turning on this setting will allow users with configured domains to log in with SAML SSO. They will still be able to log in with other methods as well.

  • Enforce SAML: Switching this on means users with email addresses on the configured domain can only sign in using SAML SSO. Notion administrators may still log in with email.

Troubleshooting

If you encounter errors when setting up SAML SSO, check to make sure your IDP's metadata, SAML requests and responses are valid XML against the SAML XSD schemas. You can do so using this online tool: https://www.samltool.com/validate_xml.php

Note that we do not support the EntitiesDescriptor element. If your IDP's metadata contains this element, extract the contained EntityDescriptor element and try again.
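The following script is an added example (not Notion's code) of a pre-flight check you can run on IDP metadata before pasting it into the IDP metadata XML field. It checks that the metadata is well-formed XML, unwraps an EntitiesDescriptor into the single EntityDescriptor it contains, and reports the elements a service provider needs: entityID, an IDPSSODescriptor, SingleSignOnService endpoints, and a signing certificate. It uses only the Python standard library, so it does not validate against the SAML XSD schemas; use the tool linked above for that. The sample metadata, its hostnames and the certificate body are constructed placeholders.

```python
"""Pre-flight check of IdP metadata before pasting it into Notion (added example)."""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}

# Constructed sample: metadata wrapped in EntitiesDescriptor, which Notion does
# not accept as-is. Hostnames and the certificate body are placeholders.
SAMPLE_WRAPPED = f"""<md:EntitiesDescriptor xmlns:md="{MD}" xmlns:ds="{DS}">
  <md:EntityDescriptor entityID="https://idp.example.test/saml">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing">
        <ds:KeyInfo><ds:X509Data>
          <ds:X509Certificate>MIIC...PLACEHOLDER-CERT...</ds:X509Certificate>
        </ds:X509Data></ds:KeyInfo>
      </md:KeyDescriptor>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                              Location="https://idp.example.test/sso/redirect"/>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                              Location="https://idp.example.test/sso/post"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def unwrap_entity_descriptor(xml_text: str) -> str:
    """Return metadata whose root is EntityDescriptor, unwrapping EntitiesDescriptor if needed."""
    root = ET.fromstring(xml_text)  # raises ParseError if the XML is malformed
    if root.tag == f"{{{MD}}}EntityDescriptor":
        return xml_text
    if root.tag == f"{{{MD}}}EntitiesDescriptor":
        inner = root.findall("md:EntityDescriptor", NS)
        if len(inner) != 1:
            raise ValueError(f"expected exactly one EntityDescriptor, found {len(inner)}")
        inner[0].tail = None  # drop the wrapper's trailing whitespace
        ET.register_namespace("md", MD)
        ET.register_namespace("ds", DS)
        return ET.tostring(inner[0], encoding="unicode")
    raise ValueError(f"unexpected root element {root.tag}")


def check_idp_metadata(xml_text: str) -> dict:
    """Summarise the SP-relevant content and list problems to fix before trying again."""
    root = ET.fromstring(unwrap_entity_descriptor(xml_text))
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not identity-provider metadata")

    # Map the short binding name (HTTP-Redirect, HTTP-POST) to its endpoint URL.
    endpoints = {
        svc.get("Binding", "").rsplit(":", 1)[-1]: svc.get("Location", "")
        for svc in idp.findall("md:SingleSignOnService", NS)
    }
    # A KeyDescriptor with use="signing" (or no use attribute, meaning both) carries
    # the certificate the service provider uses to verify assertion signatures.
    signing_certs = [
        cert.text.strip()
        for kd in idp.findall("md:KeyDescriptor", NS)
        if kd.get("use") in (None, "signing")
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if cert.text
    ]

    problems = []
    entity_id = root.get("entityID")
    if not entity_id:
        problems.append("missing entityID")
    if not endpoints:
        problems.append("no SingleSignOnService endpoint")
    for binding, location in endpoints.items():
        if not location.startswith("https://"):
            problems.append(f"{binding} endpoint is not HTTPS: {location}")
    if not signing_certs:
        problems.append("no signing certificate: assertion signatures cannot be verified")

    return {
        "entity_id": entity_id,
        "sso_endpoints": endpoints,
        "signing_certs": len(signing_certs),
        "problems": problems,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(check_idp_metadata(SAMPLE_WRAPPED), indent=2))
```

Run it against the metadata file your IDP exported; if the report lists problems, fix them in the IDP before pasting the unwrapped EntityDescriptor into Notion. A ParseError from the first line of unwrap_entity_descriptor means the file is not valid XML at all.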


FAQs

My organization uses an identity service provider (IDP) that's not in the list above. Will it be supported?

If your IDP provides a SAML metadata URL for dynamic configuration, you can follow the same setup steps as above. Please contact our support team for SAML configuration assistance for other IDPs.

How does Notion SAML SSO handle user provisioning?

Notion also offers Just-in-Time (JIT) provisioning if you enable Automatically create accounts on sign in in your SAML SSO settings.

Does enforcing SAML SSO log out users?

No, active user sessions stay logged in until they expire. The next time a user needs to log in, they will need to log in with SAML SSO.

Does Notion SAML SSO support Single Logout?

Not at this time. If Single Logout is important to you, please contact our support team to let us know.

Can I still log in to Notion if my identity provider is out of service?

Yes, even with SAML enforced, Notion administrators have the option to log in with email. Thereafter, an administrator can change the SAML configuration to disable Enforce SAML so users may log in with email again.

Are profile photos transmitted to Notion from the IDP?

Yes, profilePhoto is an optional custom attribute. You may assign this attribute to a corresponding attribute in your IDP, provided the attribute contains the URL to an image. If the profilePhoto field is set, this image will replace the avatar in Notion when the user signs in using SAML SSO.
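To confirm that your IDP actually sends the attribute names this article asks for (email, firstName and lastName in the Azure claims step, plus the optional profilePhoto described here), you can inspect a SAML Response from a test login. The script below is an added example, not Notion's code: it parses the AttributeStatement of a base64-decoded SAMLResponse and reports names that are missing, names that were sent under a different claim name, and a profilePhoto value that is not an HTTPS URL. Whether Notion rejects a login that lacks firstName or lastName is not stated in this article, so treating them as expected is this checker's assumption. The sample response is constructed and unsigned; the script does not verify the XML signature and is meant for reading a response you captured while troubleshooting your own login.

```python
"""Report which user attributes an IdP sends in a decoded SAML Response (added example)."""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}

# Attribute names from the article. Treating email/firstName/lastName as expected
# and profilePhoto as optional is this checker's assumption, not a Notion rule.
EXPECTED = {
    "email": "expected",
    "firstName": "expected",
    "lastName": "expected",
    "profilePhoto": "optional",
}

# Constructed, unsigned sample with two typical misconfigurations: the surname is sent
# under a long claim URI instead of "lastName", and profilePhoto is a plain-HTTP URL.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.test</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>alice@example.test</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="firstName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
        <saml:AttributeValue>Liddell</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="profilePhoto"><saml:AttributeValue>http://cdn.example.test/alice.png</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""


def check_attributes(response_xml: str) -> dict:
    """Extract NameID and attributes, and list findings as (kind, detail) tuples."""
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no plaintext Assertion found (encrypted assertions must be decrypted first)")

    name_id_el = assertion.find("saml:Subject/saml:NameID", NS)
    name_id = (name_id_el.text or "").strip() if name_id_el is not None else None

    # Single-valued attributes become strings; multi-valued ones stay lists.
    attributes = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attributes[attr.get("Name")] = values[0] if len(values) == 1 else values

    findings = []
    if not name_id or "@" not in name_id:
        findings.append(("nameid-not-email", name_id))
    for name, kind in EXPECTED.items():
        if kind == "expected" and name not in attributes:
            findings.append(("missing", name))
    for name in sorted(set(attributes) - set(EXPECTED)):
        findings.append(("unexpected-name", name))
    email = attributes.get("email")
    if isinstance(email, str) and name_id and email.lower() != name_id.lower():
        findings.append(("email-nameid-mismatch", email))
    photo = attributes.get("profilePhoto")
    if isinstance(photo, str) and photo and not photo.startswith("https://"):
        findings.append(("profilePhoto-not-https", photo))

    return {"name_id": name_id, "attributes": attributes, "findings": findings}


if __name__ == "__main__":
    for kind, detail in check_attributes(SAMPLE_RESPONSE)["findings"]:
        print(f"{kind}: {detail}")
```

For the constructed sample the findings are a missing lastName, an unexpected claim URI carrying the surname, and a non-HTTPS profilePhoto; in an IDP the fix is to rename the claim to lastName and point profilePhoto at an HTTPS image URL.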
