
Set up single-sign on with SAML


Single sign-on (SSO) gives your organization a centralized and secure way of controlling access to Zapier. In simple terms, this means that a single set of credentials can be used to access several different applications, such as Zapier, which is especially useful in a corporate setting.

SSO with SAML uses the secure and widely adopted industry-standard SAML 2.0 (Security Assertion Markup Language), which means that you can use it to integrate easily with any large identity provider that supports this protocol.

Note

Single sign-on with SAML is only available for users on Zapier's Companies plan.


1. Configuring SSO with SAML

We use SAML 2.0, which means you can use any identity provider that supports this protocol. We've partnered with a couple of identity providers in offering third-party connectors to Zapier, such as:

  • OneLogin
  • Okta: https://saml-doc.okta.com/SAML_Docs/How-to-Configure-SAML-2.0-for-Zapier.html

We support both Zapier-initiated SAML SSO and identity provider-initiated SAML SSO, which means that you can connect from your identity provider of choice directly into Zapier. On top of that, we are able to provision users using Just-in-Time (JIT) provisioning.

Additionally, you can also use Single Logout when configuring SAML SSO, so that when you log out of your identity provider, you are also logged out of Zapier and vice versa (the exact details and support depend on your identity provider of choice, as some of them do not support identity provider-initiated Single Logout).


2. Set up a custom SAML configuration

  • Set up your identity provider.
  • Sign in to Zapier with your owner account.
  • Go to your single sign-on settings.
  • Fill in the Entity ID, SSO URL and Certificate fields with the values provided by your Identity Provider.
    • The Entity ID is usually the Identity Provider issuer.
    • The SSO URL is the Identity Provider's Single Sign-On URL.
    • The Certificate is the X.509 certificate offered by your Identity Provider.

[Screenshot: SAML Identity Provider settings]

  • If you want to enable Single Logout we support:
    • Identity Provider initiated Single Logout
    • Zapier initiated Single Logout
    • Signed and Unsigned Single Logout.
  • Make sure that Email, First Name, and Last Name fields are filled with the values that your identity provider is sending.
    • The Email to be sent as the NameID should be in the format urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.
    • If your identity provider does not send the NameID in this format, it can send the email as an additional attribute instead; enter that attribute's name in the Email field on this configuration page.
    • First Name and Last Name can be sent as attributes along with the SAML assertion. Enter the names of those attributes in the First Name and Last Name fields, so that Zapier knows which values to use for first name and last name.

3. Test your SAML configuration

Before turning on SSO for your entire organization, use Test SAML configuration from the Service Provider configuration section to make sure that your connection is working. If the connection is working, you will be taken to your Identity Provider, authenticated, and redirected to a page containing the SAML response received from the identity provider.

[Screenshot: Testing SAML]

[Screenshot: Successful SAML test]


4. Enable SAML single sign-on

Once you have tested your configuration and are confident that SSO is working, switch Enable SAML login from no to yes. This will force all your team members to log in with SAML SSO instead of their username/password.

[Screenshot: Enabling SAML Single Sign On]


5. Notify your team

Zapier can send your team instructions on how to log in via SAML Single Sign On. To send them, click the Send Email button in the Identity Provider Configuration section. Your team members will receive the following email:

[Screenshot: Notifying your Team - SAML Single Sign On]


6. Additional technical information

The following technical implementation details might help you configure your identity provider and Zapier to work correctly together:

  • We use SAML 2.0 with the HTTP Redirect binding for SP to IdP messages (Zapier to the identity provider), and we expect the HTTP POST binding for IdP to SP messages.
  • The Consumer URL is the post-back URL (also called the Assertion Consumer Service URL). It is namespaced by a tenant identifier unique to your organization. You can also use the Tenant Identifier for configuring third-party connectors from identity providers' app catalogs.
  • We require the NameID to contain the user's email address. Technically, we are looking for the format urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.
  • We support both signed and unsigned Single Logout. For signed Single Logout, you need to communicate the Single Logout Certificate to your Identity Provider. You can find it in the Service Provider configuration section, after configuring an identity provider in Zapier.
  • For the email, first name and last name, we look for the following attribute values sent with SAML assertions. This also includes the email when the NameID does not use the aforementioned format. If these values are not sent, configure your identity provider so that it sends them to us. You can use the optional configuration mapping to map custom attributes to the expected attribute names:
    • For First Name, we look by default for http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname or urn:oid:2.5.4.42.
    • For Last Name, we look by default for http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname or urn:oid:2.5.4.4.
    • For Email, we look by default for http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name, if the NameID is not in the email format.
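The first bullet above describes the SP-initiated leg of the flow: Zapier sends an AuthnRequest to the identity provider over the HTTP Redirect binding and expects the response back over HTTP POST. The following Python example, added here and not taken from Zapier's implementation, shows how a Redirect-binding AuthnRequest is built and encoded (raw DEFLATE, base64, URL-encoding) and how the identity provider decodes it again. The identity provider SSO URL, the SP entity ID and the ACS URL are placeholder values; the real ones are shown in the Service Provider configuration section in Zapier.

```python
import base64
import urllib.parse
import uuid
import zlib
from datetime import datetime, timezone

# Placeholder values (assumptions for this example, not Zapier's real endpoints).
IDP_SSO_URL = "https://idp.example.com/sso/saml"
SP_ENTITY_ID = "https://sp.example.com/saml/metadata"           # the "Audience" value
SP_ACS_URL = "https://sp.example.com/saml/acs/TENANT-ID-PLACEHOLDER"  # the "Consumer URL"

NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def build_authn_request(sp_entity_id, acs_url, request_id=None, issue_instant=None):
    """Build a minimal SAML 2.0 AuthnRequest that asks for an emailAddress NameID
    and tells the IdP to return the Response with the HTTP POST binding."""
    request_id = request_id or "_" + uuid.uuid4().hex
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'ProtocolBinding="{BINDING_POST}" AssertionConsumerServiceURL="{acs_url}">'
        f"<saml:Issuer>{sp_entity_id}</saml:Issuer>"
        f'<samlp:NameIDPolicy Format="{NAMEID_EMAIL}" AllowCreate="true"/>'
        "</samlp:AuthnRequest>"
    )


def encode_redirect_binding(xml_text):
    """HTTP Redirect binding: raw DEFLATE (no zlib header), then base64."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 => raw deflate stream
    deflated = compressor.compress(xml_text.encode("utf-8")) + compressor.flush()
    return base64.b64encode(deflated).decode("ascii")


def decode_redirect_binding(saml_request_param):
    """Inverse of encode_redirect_binding, as the IdP would apply it."""
    return zlib.decompress(base64.b64decode(saml_request_param), -15).decode("utf-8")


def build_redirect_url(idp_sso_url, xml_text, relay_state=None):
    """Attach the encoded request (and optional RelayState) to the IdP SSO URL."""
    params = {"SAMLRequest": encode_redirect_binding(xml_text)}
    if relay_state:
        params["RelayState"] = relay_state
    separator = "&" if "?" in idp_sso_url else "?"
    return idp_sso_url + separator + urllib.parse.urlencode(params)


def parse_redirect_url(url):
    """What the IdP sees: pull SAMLRequest from the query string and decode it."""
    query = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)
    return decode_redirect_binding(query["SAMLRequest"][0])


if __name__ == "__main__":
    request_xml = build_authn_request(SP_ENTITY_ID, SP_ACS_URL)
    redirect_url = build_redirect_url(IDP_SSO_URL, request_xml, relay_state="/app/dashboard")
    print(redirect_url)
    print(parse_redirect_url(redirect_url) == request_xml)  # True: round trip is lossless
```

The URL-encoding step matters in practice: the base64 output contains `+`, `/` and `=`, and a connector that forgets to percent-encode them produces a SAMLRequest the identity provider cannot inflate.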

7. Use custom SAML connectors - OneLogin

We highly recommend using OneLogin's published Zapier SAML app, but if you can't for some reason, here are some instructions to help you configure a new custom app:

  • Go to Company Apps and add a SAML connector.
  • Once saved as a company app, you can start configuring the SAML connection.
  • Go to SSO tab, where you can see the OneLogin's specific SSO fields.
  • Copy Issuer URL into Zapier's Entity ID field.
  • Copy SAML 2.0 Endpoint into Zapier's SSO URL field.
  • If you want to enable Single Logout, copy SLO endpoint into Zapier's SLO URL field.
  • Copy the X.509 certificate into Zapier's Certificate field.
  • Don't enable Zapier's SAML connector yet; leave it set to no.
  • Save the SAML connector by clicking the Save button. Once you've done this, Zapier's specific configuration will be available.
  • Back in OneLogin, copy Zapier's Audience value into the corresponding OneLogin field.
  • Copy Zapier's Consumer URL into OneLogin's Recipient and ACS (Consumer) URL fields.
  • If you need Single Logout, copy Zapier's Single Logout URL into the eponymous field from OneLogin.
  • Save your OneLogin's configuration and assign some users for testing purposes before enabling for all users.
  • Once that's done, test the SAML integration by clicking Zapier's Test SAML configuration button found below the Service Provider configuration section.

8. Use custom SAML connectors - Okta

We highly recommend using Okta's published Zapier SAML app, but if you can't for some reason, here are some instructions to help you configure a new custom app:

  • Create a new SAML 2.0 custom app from /admin/apps/add-app.
  • Give the app a name and a logo, if needed.
  • Add https://zapier.com to Single Sign-On URL and Audience URI in Okta and click Next, followed by Finish.
  • Now you have access to Okta's SAML values. Click View Setup Instruction from Sign-On tab, which will open a separate page with SAML values.
  • Copy Okta's Identity Provider Single Sign-On URL into Zapier's SSO URL field.
  • Copy Okta's Identity Provider Issuer into Zapier's Entity ID field.
  • Copy X.509 certificate into Zapier's Certificate field.
  • Provide additional configuration such as Single Logout or additional attribute mapping.
  • Save Zapier's SAML configuration by clicking the Save button. Make sure not to enable it right now, as it will result in your team members being locked out of their accounts since the SAML configuration is not ready yet.
  • In Okta, go to the General tab and click Edit on SAML Settings section.
  • Fill in Single Sign On URL and Audience URI with the values provided by Zapier's SAML configuration.
  • Also make sure to set the NameID format to EmailAddress.
  • With Show Advanced Settings you have the choice of configuring Single Logout. Okta supports only signed Single Logout and SP-initiated logout (that is, when you log out of your Zapier account, you will also be logged out of Okta).
  • Before enabling the SAML configuration in Zapier, make sure to test it with Test SAML configuration.
  • Enable the configuration when you are done and make sure to notify your team members about the change.

9. Use app catalog connectors

We partnered with the most popular identity providers in offering easy-to-use SAML connectors to Zapier. For now the following identity providers are supported out of the box, while others can also be used as long as they support SAML 2.0:

You can use your tenant identifier, which is a unique ID specific to your configuration, for configuring SAML between those identity providers and Zapier.


10. What happens after SAML SSO is enabled

After finishing setting up your SAML Identity Provider, you can decide to send a notification to each member, letting them know about the change. The email will prompt the members to connect their accounts with your identity provider. All members signing in to Zapier will be prompted to log in with the identity provider instead of their username / password combo. Another side effect of SAML SSO is that two-factor authentication will be disabled for your account, as it should be enabled in your identity provider instead.


11. Remove SAML single sign-on

If you need to remove SAML SSO, you should know that your users will need a Zapier account password to log in.

  • Users who had a password on their Zapier account before SAML SSO was enabled will use that to log in.
  • Users who joined after enabling SAML SSO will need to reset their password when they try to log in.

12. Common errors

The response was received at ''instead of ''

This indicates that there is a disconnect between what the identity provider sets as the Recipient value and what Zapier expects. The Recipient is the Assertion Consumer URL most of the time. Also check for extra or trailing slashes, as they can trigger this error as well.

'' is not a valid audience for this Response

Make sure that the Audience value from Zapier matches with the one from your identity provider.

SAML login failed: the email needs to be provided.

This indicates that the NameID was not sent in the format we expect, and no separate email value was sent by the identity provider either. If your identity provider is sending an email value along with the SAML assertions, make sure to save that attribute mapping on Zapier's side as well.

Found different email address than the one that started the flow

This indicates that the SAML SSO flow started with a different email address than the one sent by the identity provider. You may be logged in to your identity provider with a different username; make sure to log out before trying again.

If you get an unmentioned error, there might be some misconfiguration between your identity provider and Zapier. Double check those before trying again.
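The four errors above correspond to four checks a SAML service provider runs on an incoming Response: the Recipient matches the Assertion Consumer URL, the Audience matches the SP's Audience value, an email is available from the NameID (emailAddress format) or from a mapped attribute, and that email matches the one that started the flow. The following Python example walks through those checks using the default attribute names from the "Additional technical information" section and the custom attribute mapping from the configuration section. It is added here and is not Zapier's implementation; the Response document, the ACS URL, the Audience value and the "mail" attribute name are all constructed for the example. XML signature verification is out of scope for the snippet; in a real service provider it must happen before any of these checks are trusted.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Default attribute names listed on the page; a custom mapping is consulted first.
DEFAULT_ATTRS = {
    "first_name": ["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "urn:oid:2.5.4.42"],
    "last_name": ["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname", "urn:oid:2.5.4.4"],
    "email": ["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"],
}

# Constructed sample values (not real Zapier URLs). The NameID deliberately is NOT in
# the emailAddress format, so the email must come from the mapped "mail" attribute.
EXPECTED_ACS_URL = "https://sp.example.com/saml/acs/TENANT-ID-PLACEHOLDER"
EXPECTED_AUDIENCE = "https://sp.example.com/saml/metadata"
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_resp1" Version="2.0" Destination="{EXPECTED_ACS_URL}">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.com/entity</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified">jdoe</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{EXPECTED_ACS_URL}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>{EXPECTED_AUDIENCE}</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="mail"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="urn:oid:2.5.4.42"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="{DEFAULT_ATTRS['last_name'][0]}"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


class SamlConfigError(Exception):
    """Raised with the same wording as the errors documented above."""


def _attributes(assertion):
    """Map attribute Name -> list of values from the AttributeStatement."""
    return {a.get("Name"): [v.text or "" for v in a.findall("saml:AttributeValue", NS)]
            for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}


def _lookup(attrs, candidates):
    """First non-empty value among the candidate attribute names, else None."""
    return next((attrs[n][0] for n in candidates if attrs.get(n) and attrs[n][0]), None)


def validate_response(xml_text, expected_acs_url, expected_audience,
                      started_with_email=None, custom_mapping=None):
    """Run the four documented checks and return the identity fields on success."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise SamlConfigError("no Assertion in Response")

    # 1. Recipient (falling back to Destination) must equal the ACS / Consumer URL.
    conf = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    received_at = (conf.get("Recipient") if conf is not None else None) or root.get("Destination") or ""
    if received_at != expected_acs_url:
        raise SamlConfigError(f"The response was received at '{received_at}' instead of '{expected_acs_url}'")

    # 2. Audience must contain the SP's Audience value.
    audiences = [a.text or "" for a in assertion.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        raise SamlConfigError(f"'{audiences[0] if audiences else ''}' is not a valid audience for this Response")

    # 3. Email: from the NameID if it is in the emailAddress format, else from the
    #    mapped attribute (custom mapping first, then the page's defaults).
    mapping = {k: list(v) for k, v in DEFAULT_ATTRS.items()}
    for field, attr_name in (custom_mapping or {}).items():
        mapping.setdefault(field, []).insert(0, attr_name)
    attrs = _attributes(assertion)
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    email = (name_id.text or "").strip() if name_id is not None and name_id.get("Format") == EMAIL_FORMAT else ""
    email = email or _lookup(attrs, mapping["email"])
    if not email:
        raise SamlConfigError("SAML login failed: the email needs to be provided.")

    # 4. For an SP-initiated flow, the email must match the one that started it.
    if started_with_email and email.lower() != started_with_email.lower():
        raise SamlConfigError("Found different email address than the one that started the flow")

    return {"email": email, "first_name": _lookup(attrs, mapping["first_name"]),
            "last_name": _lookup(attrs, mapping["last_name"])}


def validation_error(*args, **kwargs):
    """Return the documented error message a misconfiguration produces, or None if valid."""
    try:
        validate_response(*args, **kwargs)
    except SamlConfigError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print(validate_response(SAMPLE_RESPONSE, EXPECTED_ACS_URL, EXPECTED_AUDIENCE,
                            custom_mapping={"email": "mail"}))
    print(validation_error(SAMPLE_RESPONSE, EXPECTED_ACS_URL, EXPECTED_AUDIENCE))
```

Running the sample without the custom mapping reproduces "SAML login failed: the email needs to be provided." exactly as documented, because the NameID is in the unspecified format and none of the default email attribute names is present; adding the mapping `{"email": "mail"}` makes the same Response validate. Appending a trailing slash to the expected ACS URL reproduces the first error in the list, which is why the slashes are worth checking.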


13. Frequently asked questions

Can I enable two-factor authentication with SAML SSO?

You cannot enable two-factor authentication on Zapier once SAML SSO is enabled. You need to configure your identity provider to have two-factor authentication.

Can I use my username / password to log in?

No, you will need to use SAML SSO for login. Your username/password and Google SSO will no longer work once you enable SAML SSO.

Can I enable SAML SSO if I cannot verify my domains?

Yes, you can enable SAML SSO without needing to verify a domain. Unfortunately user provisioning will need a verified domain, so you cannot provision users automatically until you verify one or multiple domains.

If you have any trouble setting up your single sign-on with SAML, contact Zapier support for further assistance.

