Set up single sign-on with SAML


Single sign-on (SSO) gives your organization a centralized and secure way of controlling access to Zapier. In simple terms, this means that a single set of credentials can be used to access several different applications, such as Zapier, which is especially useful in a corporate setting.

SSO with SAML uses the secure and widely adopted industry-standard SAML 2.0 (Security Assertion Markup Language), which means that you can use it to integrate easily with any large identity provider that supports this protocol.


Single sign-on with SAML is only available for users on Zapier's Companies plan.

1. Configuring SSO with SAML

We use SAML 2.0 which means you can use any identity provider that supports this protocol. We've partnered with a couple of identity providers in offering third party connectors to Zapier, such as:

Okta: https://saml-doc.okta.com/SAML_Docs/How-to-Configure-SAML-2.0-for-Zapier.html

We support both Zapier initiated SAML SSO and identity provider-initiated SAML SSO, which means that you can connect from your identity provider of choice directly into Zapier. On top of that, we are able to provision users using Just in Time provisioning (JIT).

Additionally, you can use Single Logout when configuring SAML SSO, so that when you log out of your identity provider, you are also logged out of Zapier and vice versa (the exact details and support depend on your identity provider of choice, as some of them do not support identity provider-initiated Single Logout).

2. Set up a custom SAML configuration

  • Set up your identity provider.
  • Sign in to Zapier with your owner account.
  • Go to your single sign-on settings.
  • Fill the Entity ID, SSO URL and Certificate fields with the values provided by your Identity Provider.
    • The Entity ID is usually the Identity Provider issuer.
    • The SSO URL is the Identity Provider's Single Sign-On URL.
    • The Certificate is the X.509 certificate offered by your Identity Provider.

SAML Identity Provider settings

  • If you want to enable Single Logout we support:
    • Identity Provider initiated Single Logout
    • Zapier initiated Single Logout
    • Signed and Unsigned Single Logout.
  • Make sure that Email, First Name, and Last Name fields are filled with the values that your identity provider is sending.
    • The Email to be sent as the NameID should be in the format urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.
    • If your identity provider does not send the NameID in this format, you can send an additional value, which you can fill in the Email field from this configuration page.
    • First Name and Last Name can be sent along SAML assertions. Fill the names of those values in the aforementioned fields, so that Zapier knows what values to use for first name and last name.

3. Test your SAML configuration

Before turning on SSO for your entire organization, use Test SAML configuration from the Service Provider configuration to make sure that your connection is working. If the connection is working, you will be taken to your Identity Provider, authenticated and redirected to a page containing the SAML response received from the identity provider.

Testing SAML

Successful SAML test

4. Enable SAML single sign-on

Once you have tested your configuration and are confident that SSO is working, switch Enable SAML login from no to yes. This will force all your team members to log in with SAML SSO instead of their username/password.

Enabling SAML Single Sign On

5. Notify your team

Zapier can send your team instructions on how to log in via SAML Single Sign On. To send them, click the Send Email button from the Identity Provider Configuration section. This will send your team members the following email:

Notifying your Team - SAML Single Sign On

6. Additional technical information

The following technical implementation details might help you configure your identity provider and Zapier to work correctly together:

  • We use SAML 2.0 with HTTP Redirect Binding for SP to IdP (Zapier to the identity provider) and we expect HTTP POST binding for IdP to SP.
  • The Consumer URL is the post-back URL (also called Assertion Consumer Service URL). It is namespaced by a tenant identifier unique to your organization. You can also use the Tenant Identifier for configuring third-party connectors from identity providers app catalogs.
  • We require the NameID to contain the user's email address. Technically we are looking for the format urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
  • We support both signed and unsigned Single Logout. For the signed Single Logout, you need to communicate the Single Logout Certificate to your Identity Provider. You can find it in the Service Provider configuration section, after configuring an identity provider in Zapier.
  • For the email, first and last name we look for the following values sent with SAML assertions. This also includes the email when the NameID does not correspond to the aforementioned format. If the following values are not given, make sure to configure your identity provider so that it sends them to us. You can use the optional configuration mapping to map custom attributes to corresponding expected attribute names:
    • For First Name, we look by default for http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname or urn:oid:
    • For Last Name, we look by default for http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname or urn:oid:
    • For Email, we look by default for http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name, if the NameID is not in the email format.

7. Use custom SAML connectors - OneLogin

We highly recommend using OneLogin's published Zapier SAML app, but if you can't for some reason, here are some instructions to help you configure a new custom app:

  • Go to Company Apps and add a SAML connector.
  • Once saved as a company app, you can start configuring the SAML connection.
  • Go to the SSO tab, where you can see OneLogin's specific SSO fields.
  • Copy Issuer URL into Zapier's Entity ID field.
  • Copy SAML 2.0 Endpoint into Zapier's SSO URL field.
  • If you want to enable Single Logout, copy SLO endpoint into Zapier's SLO URL field.
  • Copy the X.509 certificate into Zapier's Certificate field.
  • Don't enable Zapier's SAML connector yet; leave it as no.
  • Save the SAML connector by clicking the Save button. Once you've done this, Zapier's specific configuration will be available.
  • Back in OneLogin, copy Zapier's Audience value into OneLogin.
  • Copy Zapier's Consumer URL into OneLogin's Recipient and ACS (Consumer) URL fields.
  • If you need Single Logout, copy Zapier's Single Logout URL into the eponymous field from OneLogin.
  • Save your OneLogin configuration and assign some users for testing purposes before enabling for all users.
  • Once that's done, test the SAML integration by clicking Zapier's Test SAML configuration button found below the Service Provider configuration section.

8. Use custom SAML connectors - Okta

We highly recommend using Okta's published Zapier SAML app, but if you can't for some reason, here are some instructions to help you configure a new custom app:

  • Create a new SAML 2.0 custom app from /admin/apps/add-app.
  • Give the app a name and a logo, if needed.
  • Add https://zapier.com to Single Sign-On URL and Audience URI in Okta and click Next, followed by Finish.
  • Now you have access to Okta's SAML values. Click View Setup Instruction from the Sign-On tab, which will open a separate page with SAML values.
  • Copy Okta's Identity Provider Single Sign-On URL into Zapier's SSO URL field.
  • Copy Okta's Identity Provider Issuer into Zapier's Entity ID field.
  • Copy X.509 certificate into Zapier's Certificate field.
  • Provide additional configuration such as Single Logout or additional attribute mapping.
  • Save Zapier's SAML configuration by clicking the Save button. Make sure not to enable it right now, as it will result in your team members being locked out of their accounts since the SAML configuration is not ready yet.
  • In Okta, go to the General tab and click Edit on SAML Settings section.
  • Fill Single Sign On URL and Audience URL with the values provided by Zapier's SAML configuration.
  • Also make sure to set NameID format to EmailAddress.
  • With Show Advanced Settings you have the choice of configuring Single Logout. Okta supports only signed Single Logout and SP initiated logout (that is, when you log out of your Zapier account, you will also be logged out of Okta).
  • Before enabling the SAML configuration in Zapier, make sure to test it with Test SAML configuration.
  • Enable the configuration when you are done and make sure to notify your team members about the change.

9. Use custom SAML connectors - G-Suite

  • In your Google admin console, create a custom SAML application.
  • In Zapier, go to your Single Sign On settings and click the SAML Identity Provider tab.
  • Copy the SSO URL, Entity ID, and Certificate values in Google and paste them into the corresponding fields in Zapier.
  • In Google, click Continue.
  • In Zapier, click the Service Provider tab.
  • Copy Zapier’s Consumer URL value and paste it in Google’s ACS URL field.
  • Copy Zapier’s Audience value and paste it in Google’s Entity ID field.
  • Copy Zapier’s SP SSO URL value and paste it in Google’s Start URL field.
  • In Google, select Email from the Name ID format dropdown menu.
  • In Google, select Basic Information > Primary Email from the Name ID dropdown menu. Click Continue.
  • In Google, the attributes section is optional.
  • To add attributes, return to the SAML Identity Provider tab in Zapier.
  • Copy the URLs from the corresponding fields in Zapier to the corresponding attributes in Google.
  • In Google, Click Continue.
  • Select the custom SAML app that you created.
  • In the User Access section, click View Details.
  • Click On for everyone to enable your custom SAML app.
  • In Zapier, click the Enable SAML login toggle switch to turn it on.
  • Click Save changes.

10. Use custom SAML connectors - Azure Active Directory

Create a new SAML Application in Azure AD

  • In the Azure Portal, select Enterprise Applications and click New application.
  • Click Non-gallery application.
  • Go to the Manage menu and click Single sign-on.
  • Click SAML and then click the pencil icon to edit the basic SAML configuration.
  • Using the information provided on the Service Provider tab in Zapier, complete the following fields:
    • In the Identifier (Entity ID) box, paste the Audience URL from Zapier.
    • In the Reply URL (Assertion Consumer Service URL) box, paste the Consumer URL from Zapier.
    • In the Sign on URL box, paste the SP SSO URL from Zapier.
    • In the Logout Url box, paste the Single Logout Url.

Set up Zapier SAML Identity Provider tab

  • In the SAML Signing Certificate section in Azure AD, click Download to download the Certificate (Base64) and save it on your computer.
  • In your Zapier account, paste the contents of the file to the Certificate field under the SAML Identity Provider tab in Zapier.
  • Set up the Zapier SAML Identity Provider tab:
    • In Zapier’s SSO URL field, paste the Login URL.
    • In Zapier’s Entity ID field, paste the Azure AD Identifier.
    • (Optional) In Zapier’s Identity Provider Single Logout Url, paste the Logout URL.
  • Make sure you've added an Azure AD test user, then test the Zapier Application in Azure.
  • Toggle the Enable SAML login button and click Save Changes.

11. Use app catalog connectors

We partnered with the most popular identity providers in offering easy to use SAML connectors to Zapier. For now the following identity providers are supported out of the box, while others can also be used as long as they support SAML 2.0:

You can use your tenant identifier, which is a unique ID specific to your configuration, for configuring SAML between those identity providers and Zapier.

12. What happens after SAML SSO is enabled

After finishing setting up your SAML Identity Provider, you can decide to send a notification to each member, letting them know about the change. The email will prompt the members to connect their accounts with your identity provider. All members signing in to Zapier will be prompted to log in with the identity provider instead of their username / password combo. Another side effect of SAML SSO is that two factor authentication will be disabled for your account, as it should be enabled in your identity provider instead.

13. Remove SAML single sign-on

If you need to remove SAML SSO, you should know that your users will need a Zapier account password to log in.

  • Users who had a password on their Zapier account before SAML SSO was enabled will use that to log in.
  • Users who joined after enabling SAML SSO will need to reset their password when they try to log in.

14. Common errors

The response was received at ''instead of''

This indicates that there is a disconnect between what the identity provider expects for the Recipient value and what Zapier sends. The recipient is the Assertion Consumer URL most of the time. Also check whether you have additional slashes, as that might cause this error as well.

'' is not a valid audience for this Response

Make sure that the Audience value from Zapier matches the one from your identity provider.

SAML login failed: the email needs to be provided.

This indicates that the NameID was not sent in the format expected by us. Additionally, no email value was sent from the identity provider. If your identity provider is sending an email value along with the SAML assertions, make sure to save that mapping on Zapier's side as well.

Found different email address than the one that started the flow

This indicates that the SAML SSO flow started with a different email address than the one sent by the identity provider. You might be logged in to your identity provider with a different username; make sure to log out before trying again.

If you get an unmentioned error, there might be some misconfiguration between your identity provider and Zapier. Double check those before trying again.
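
A diagnostic sketch for the Recipient, Audience and email errors above, using the NameID format and default email attribute from section 6. It is an added example, not Zapier's code: it assumes the response shown by the test page is the base64 SAMLResponse of the HTTP POST binding, and the URLs and sample response are constructed placeholders.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
EMAIL_ATTR = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"

def diagnose(saml_response_b64, consumer_url, audience, email_attr=EMAIL_ATTR):
    """Return the problems found in a base64 SAMLResponse.
    Diagnostic only: it does not verify the XML signature."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    problems = []
    # Recipient must equal the Consumer URL exactly; an extra slash counts.
    for scd in root.iterfind(".//a:SubjectConfirmationData", NS):
        got = scd.get("Recipient", "")
        if got != consumer_url:
            slash = got.rstrip("/") == consumer_url.rstrip("/")
            hint = " (differs only by a trailing slash)" if slash else ""
            problems.append(f"recipient mismatch: {got!r} != {consumer_url!r}{hint}")
    audiences = [e.text.strip() for e in root.iterfind(".//a:Audience", NS) if e.text]
    if audience not in audiences:
        problems.append(f"audience {audience!r} not in {audiences}")
    # Email is the NameID when it has the email format, else the mapped attribute.
    name_id = root.find(".//a:Subject/a:NameID", NS)
    attrs = {a.get("Name"): a.findtext("a:AttributeValue", "", NS).strip()
             for a in root.iterfind(".//a:Attribute", NS)}
    nameid_ok = bool(name_id is not None and name_id.text
                     and name_id.get("Format") == EMAIL_FORMAT)
    if not nameid_ok and not attrs.get(email_attr):
        problems.append("no email: NameID is not emailAddress format and no email attribute sent")
    return problems

def sample_response(recipient, audience, nameid_format, extra_attr=""):
    """Constructed, unsigned sample response for exercising diagnose()."""
    xml = f"""<samlp:Response xmlns:samlp="{NS['p']}" xmlns:saml="{NS['a']}">
  <saml:Assertion>
    <saml:Subject>
      <saml:NameID Format="{nameid_format}">alice@example.com</saml:NameID>
      <saml:SubjectConfirmation><saml:SubjectConfirmationData Recipient="{recipient}"/></saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions><saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>{extra_attr}</saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()

if __name__ == "__main__":
    acs, aud = "https://sp.example.test/acs/TENANT", "https://sp.example.test/aud/TENANT"
    print(diagnose(sample_response(acs + "/", aud, EMAIL_FORMAT), acs, aud))
```

Pass the Consumer URL and Audience exactly as shown on the Service Provider tab; an empty list means none of the three mismatches was found.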

15. Frequently asked questions

Can I enable two-factor authentication with SAML SSO?

You cannot enable two-factor authentication on Zapier once SAML SSO is enabled. You need to configure your identity provider to have two-factor authentication.

Can I use my username / password to log in?

No, you will need to use SAML SSO for login. Your username/password and Google SSO will no longer work once you enable SAML SSO.

Can I enable SAML SSO if I cannot verify my domains?

Yes, you can enable SAML SSO without needing to verify a domain. Unfortunately user provisioning will need a verified domain, so you cannot provision users automatically until you verify one or multiple domains.

I have multiple domains and users with multiple domain emails. If I turn on SSO for one of the domains, will users still be able to log in if they’re not on that specific domain?

Zapier’s SAML system has two requirements:

  • Does the account you’re trying to access require SAML authentication?
  • Is the domain in your email owned by that account?

Users can set up their identity provider according to their own preferences. However, they might be locked out if they enable SAML on their account and it has members from other domains that were not configured on the identity provider.

Can I change Zapier's default session timeout?

You can configure a custom session timeout limit in your own identity provider. Zapier will use that session timeout length if it's shorter than Zapier’s default session timeout length (7 days). If it's longer than 7 days then Zapier will use its own default instead.
