---
title: "Single sign-on (SAML SSO)"
slug: "single-sign-on-saml-sso"
description: "Integrate Userflow with your identity provider for secure SAML SSO sign-ins. Simplify access for your team with easy setup and management."
updated: 2025-07-23T20:36:44Z
published: 2025-07-23T20:36:44Z
---

# Single sign-on (SAML SSO)

Integrating Userflow with your identity provider (such as Okta or OneLogin) makes signing in simple and secure for your team.

> [!NOTE]
> Important
> 
> SAML SSO is only available as an add-on to Pro or as a part of Userflow’s Enterprise plan ([see plans](https://userflow.com/pricing)).

Once SSO is enabled, Userflow’s sign-in form will automatically detect your domain and let your users sign in via your identity provider.

![SSO sign-in](https://cdn.us.document360.io/9697557a-eb5d-476f-9b09-062b0f7bdcbd/Images/Documentation/sign-in-form.png)

### Setup instructions

#### Step 1: Obtain your Customer ID from Userflow

Send an email to [support@userflow.com](mailto:support@userflow.com) with the following information:

- Indicate that you wish to enable SAML SSO for your Userflow team
- Your company name
- Domain(s) your users sign in with

We’ll get back to you (typically within 24 hours) with your *Customer ID*, which you need to complete the following steps.

#### Step 2: Configure your identity provider

#### Okta

- For easy setup with Okta, refer to ['How to Configure SAML 2.0 for Userflow in Okta'](https://saml-doc.okta.com/SAML_Docs/How-to-Configure-SAML-2.0-for-Userflow.html).

#### Generic SAML identity provider

Make sure to replace `CUSTOMER_ID` with the value Userflow provided.

- **Single sign-on URL / SAML ACS URL:** `https://userflow.com/sso/sp/consume/CUSTOMER_ID`
- **Audience URI / SP Entity ID:** userflow
- **Default RelayState:** `https://userflow.com/app`
- **Name ID format:** EmailAddress
- **Application username:** Email
- **Signed Assertions:** Yes
- **Encryption:** Preferred. Use AES256-CBC with [this certificate](/userflow/docs/single-sign-on-saml-sso#userflows-saml-certificate)
- **Single Logout URL:** `https://userflow.com/sso/sp/logout/CUSTOMER_ID`
- **SP Issuer:** userflow
- **Signature Certificate:** Use [this certificate](/userflow/docs/single-sign-on-saml-sso#userflows-saml-certificate)
- **Mapped Attributes**
  - `email`: User’s email
  - `firstName`: User’s first name
  - `lastName`: User’s last name
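
One way to check a generic identity provider against the settings above before sending its metadata: lint a decoded SAML response it produces. This is an added example, not Userflow's code; the function name, the trimmed sample response and the customer ID `abc123` are constructed for illustration, and only the ACS URL pattern, audience, Name ID format and attribute names come from the list above.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

def lint_response(xml_text, customer_id):
    """List mismatches between a decoded SAML response and the settings listed above."""
    acs = f"https://userflow.com/sso/sp/consume/{customer_id}"
    root, problems = ET.fromstring(xml_text), []
    a = root.find("saml:Assertion", NS)
    if a is None:  # with encryption enabled the checks below cannot see inside
        enc = root.find("saml:EncryptedAssertion", NS) is not None
        return ["assertion is encrypted; lint a test response with encryption off" if enc
                else "no Assertion element found"]
    if a.find("ds:Signature", NS) is None:  # presence only, the signature is not verified
        problems.append("assertion is not signed")
    name_id = a.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID format is not emailAddress")
    recipients = [d.get("Recipient") for d in a.iterfind(".//saml:SubjectConfirmationData", NS)]
    if acs not in recipients:
        problems.append(f"Recipient {recipients} does not include {acs}")
    audiences = [e.text.strip() for e in a.iterfind(".//saml:Audience", NS) if e.text]
    if audiences != ["userflow"]:
        problems.append(f"Audience {audiences} is not ['userflow']")
    names = {e.get("Name") for e in a.iterfind("saml:AttributeStatement/saml:Attribute", NS)}
    for missing in sorted({"email", "firstName", "lastName"} - names):
        problems.append(f"attribute {missing} is not mapped")
    return problems

# Constructed sample, trimmed to the checked fields; "abc123" is a placeholder customer ID.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <saml:Assertion>
  <saml:Subject>
   <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">ada@example.com</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData Recipient="https://userflow.com/sso/sp/consume/abc123"/>
   </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>https://userflow.com</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement><saml:Attribute Name="email"/><saml:Attribute Name="firstName"/></saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print("\n".join(lint_response(SAMPLE, "abc123")))
```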

#### Step 3: Send Identity Provider metadata XML file to Userflow

- Download your identity provider’s metadata XML file and send it to [support@userflow.com](mailto:support@userflow.com).
- We’ll complete the setup for you and notify you once SSO is enabled for your domain(s).

### Working with SSO

#### Existing users with passwords

- Users who were registered in Userflow before you enabled SSO can sign in either via SSO or using their old password.
- Contact us to disable password access for specific users after SSO is set up.

#### Adding members to your Userflow team

- You can invite new members to your Userflow team from **Settings > Team**. They’ll receive an invite link. The invite page automatically detects that SSO is available. Once they sign in via SSO, they’ll have access to your team.
- You can also add team members outside of your Identity Provider organization. These users can create regular Userflow user accounts using password sign-in.

#### Just-in-time (JIT) user provisioning

- When a new user, whom Userflow hasn’t seen before, signs in via SSO, Userflow automatically creates an account for them.
- The new user will NOT get access to your Userflow team, however. They still need an explicit invite.

#### User de-provisioning

- When users are deactivated or removed in your Identity Provider, they are not automatically removed from your Userflow team.
- However, since users who do not use passwords must sign in via SSO, once you remove their authorization in your Identity Provider, they will no longer be able to access your Userflow team (once their current session, if any, expires after 30 minutes of inactivity).
- To be sure, you can always remove team members in Userflow from **Settings > Team**.

### Userflow’s SAML certificate

If you configure your Identity Provider manually, you’ll need this certificate to enable encryption and Single Logout.

You can [download the certificate](https://app.userflow.com/downloads/userflow-saml-cert.pem).

## Related

- [Managing Teams in Userflow](/team-management.md)
