Set up Identity Provider (IdP) for SAML SSO

Here's how to set up your Identity Provider for SAML SSO in Notion 🔑
These are instructions for setting up Notion SAML SSO with Entra ID (formerly Azure), Google, Okta, and OneLogin. If you use a different Identity Provider and need assistance with configuration, please let us know.

Note: At this time, organizations on the Enterprise Plan can only set up SAML SSO with one IdP.
Step 1: Create a new application integration
To create a new application integration in Entra ID:
- Sign in to the Entra ID portal. On the left navigation pane, select the Azure Active Directory service.
- Navigate to Enterprise Applications and then select All Applications.
- To add a new application, select New application.
- In the Add from the gallery section, type Notion in the search box. Select Notion from the results panel and then add the app. Wait a few seconds while the app is added to your tenant.
Step 2: Create SAML Integration
To set up the SAML integration:
- In the Azure portal, on the Notion application integration page, find the Manage section and select Single sign-on.
- On the Select a single sign-on method page, select SAML.
Step 3: SAML settings
To configure SAML settings in Notion:
- In Notion, go to Settings → General if you’re on the Business Plan, or the General tab of your organization settings if you’re on the Enterprise Plan.
- In the Allowed email domains section, remove all email domains.
- Select the Identity tab in Settings if you're on the Business Plan, or go to your organization settings → General → SAML Single sign-on (SSO) if you're on the Enterprise Plan.
- Verify one or more domains. See instructions for domain verification here →
- Toggle on Enable SAML SSO. The SAML SSO Configuration modal will automatically appear and prompt you to complete the set-up.
- The SAML SSO Configuration modal is divided into two parts:
  - The Assertion Consumer Service (ACS) URL needs to be entered in your Identity Provider (IdP) portal.
  - The Identity Provider Details is a field in which you need to provide either an IdP URL or IdP metadata XML.
Step 4: Configure Notion in Entra ID
To set up Notion in Entra ID:
- On the Set up single sign-on with SAML page, click the pencil icon for Basic SAML Configuration to edit the settings.
- On the Basic SAML Configuration section, if you wish to configure the application in IdP initiated mode, enter the values for the following fields:
  - In the Identifier (Entity ID) text box, enter the following URL: https://www.notion.so/sso/saml
  - In the Reply URL (Assertion Consumer Service URL) text box, use the ACS URL from Notion, found on the Identity & provisioning tab of Settings in your left-hand sidebar.
  - In the Sign on URL text box, enter the following URL: https://www.notion.so/login
- In the User attributes & claims section, ensure the required claims are set to:
  - Unique User Identifier (Name ID): user.userprincipalname [nameid-format:emailAddress]
  - firstName: user.givenname
  - lastName: user.surname
  - email: user.mail
- On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, click the copy button next to the App Federation Metadata URL.
- In Notion, go to Settings → Identity, and paste the App Federation Metadata URL value you copied into the IdP metadata URL field. Make sure Identity Provider URL is selected.
Step 5: Assign users to Notion
To assign users to Notion:
- In the Azure portal, select Enterprise Applications, and then select All applications. In the applications list, select Notion.
- In the app's overview page, find the Manage section and select Users and groups.
- Select Add user, then select Users and groups in the Add Assignment dialog.
- In the Users and groups dialog, select from the Users list, then click the Select button at the bottom of the screen.
- If you are expecting a role to be assigned to the users, you can select it from the Select a role dropdown. If no role has been set up for this app, you see Default Access role selected.
- In the Add Assignment dialog, click the Assign button.
Step 1: Get Google identity provider (IdP) information
To get information from Google Identity Provider (IdP):
- Make sure you're signed into an administrator account to ensure your user account has the appropriate permissions. 
- In Admin Console, go to Menu → Apps → Web and mobile apps.
- Enter Notion in the search field and select the Notion SAML app. 
- On the Google Identity Provider details page, download the IdP metadata file.
- Open the file, GoogleIDPMetadata.xml, in a compatible editor, then select and copy the contents of the file.
- Leave the Admin Console open. You'll continue with the configuration wizard after performing the next step in the Notion application. 
Step 2: Set up Notion as SAML 2.0 service provider
To set up Notion as a SAML service provider:
- In Notion, go to Settings → General if you’re on the Business Plan, or the General tab of your organization settings if you’re on the Enterprise Plan.
- In the Allowed email domains section, remove all email domains.
- Select the Identity tab in Settings if you're on the Business Plan, or go to your organization settings → General → SAML Single sign-on (SSO) if you're on the Enterprise Plan.
- Add a new domain and verify it. This should be the same as your Google Workspace domain.
- In SAML Single sign-on (SSO) settings, toggle Enable SAML SSO on. This opens the SAML SSO Configuration dialog.
- In the dialog, do the following:
  - Under Identity Provider Details, select IDP metadata XML.
  - Paste the contents of the GoogleIDPMetadata.xml file (copied in step 1 above) into the IdP metadata XML text box.
  - Copy and save the Assertion Consumer Service (ACS) URL. You'll need this when you complete the Google-side configuration in Admin console in step 3 below.
  - Click Save Changes.
- Ensure that the remaining options (Login method, Automatic account creation and Linked workspaces) contain the desired values for your configuration. 
Step 3: Finish SSO configuration in Admin Console
To complete SSO configuration in Admin Console:
- Return to the Admin Console browser tab. 
- On the Google Identity Provider details page, click Continue.
- On the Service provider details page, replace the ACS URL with the ACS URL you copied from Notion in Step 2 above.
- Click Continue.
- On the Attribute Mapping page, click the Select field menu and map the following Google directory attributes to their corresponding Notion attributes. Note that firstName, lastName, and email are required attributes.
  - Note: The profilePhoto attribute can be used to add a user photo in Notion. To use it, create a custom attribute and populate it in the user profile with the URL path to the photo, then map the custom attribute to profilePhoto.
- If you’d like, click Add Mapping to add any additional mappings you need.
- Click Finish.

Note: Regardless of how many group names you enter, the SAML response will only include groups that a user is a member of (directly or indirectly). Find more information here →
Step 4: Enable the Notion app
To enable Notion:
- In the Admin console, go to Menu → Apps → Web and mobile apps.
- Select Notion.
- Click User access.
- To turn a service on or off for everyone in your organization, click On for everyone or Off for everyone, and then click Save.
- To optionally turn a service on or off for an organizational unit, select the organizational unit and change the Service status by selecting On or Off.
  - If the Service status is set to Inherited and you want to keep the updated setting, even if the parent setting changes, click Override. If the Service status is set to Overridden, either click Inherit to revert to the same setting as its parent, or click Save to keep the new setting, even if the parent setting changes. Learn more about organizational structure.
- Optionally turn on the service for a group of users. Use access groups to turn on a service for specific users within or across your organizational units. Learn more here → 
- Ensure that your Notion user account email IDs match those in your Google domain. 
Step 1: Add the Notion app from Okta's application directory
To add Notion from Okta’s application directory:
- Log in to Okta as an administrator, and go to the Okta Admin console.
- Go to the Application tab, select Browse App Catalog, and search for Notion in the Okta app catalog.
- Select the Notion app and click Add integration.
- In the General Settings view, review the settings and click Next.
- In the Sign-on Options view, select the SAML 2.0 option.
- Above the Advanced Sign-on Settings section, click on the Identity Provider metadata. This will open a new browser tab. Copy the URL.
Step 2: Configure SAML settings in Notion
To set up Notion settings for SAML:
- In Notion, go to Settings → General if you’re on the Business Plan, or the General tab of your organization settings if you’re on the Enterprise Plan.
- In the Allowed email domains section, remove all email domains.
- Select the Identity tab in Settings if you're on the Business Plan, or go to your organization settings → General → SAML Single sign-on (SSO) if you're on the Enterprise Plan.
- Verify one or more domains. See instructions for domain verification here →
- Toggle on Enable SAML SSO and the SAML SSO Configuration modal will automatically appear and prompt you to complete the set-up.
- In the Identity Provider Details field of the SAML SSO Configuration modal, provide the Identity Provider URL by pasting the Identity Provider metadata URL you copied in Step 1.
- Click Save changes.
- In the Identity tab, copy the Workspace ID identifier.
- In Okta Admin console → Advanced Sign-on Settings section, paste the workspace ID in the Organization ID text box.
- In Credentials details, select Email from the Application username format dropdown.
- Click Done.
You'll be able to assign users and groups to Notion in the Okta Assignments tab.

Note: If you’re planning to configure provisioning with SCIM, please do that before you configure SAML SSO.
Step 1: Create SAML integration
To create a new application integration:
- Go to Applications → Applications and select the Notion app connector you already added.
  - If you haven't already configured provisioning, click the Add App button, search for Notion in the search box, and select the SAML 2.0 version of Notion. Click Save.
- Navigate to the SSO tab and copy the Issuer URL value. Paste it somewhere to be retrieved later.
Step 2: SAML settings
To configure SAML settings in Notion:
- In Notion, go to Settings → General if you’re on the Business Plan, or the General tab of your organization settings if you’re on the Enterprise Plan.
- In the Allowed email domains section, remove all email domains.
- Select the Identity tab in Settings if you're on the Business Plan, or go to your organization settings → General → SAML Single sign-on (SSO) if you're on the Enterprise Plan.
- Verify one or more domains. See instructions for domain verification here →
- Toggle on Enable SAML SSO and the SAML SSO Configuration modal will automatically appear and prompt you to complete the set-up.
- The SAML SSO Configuration modal is divided into two parts:
  - The Assertion Consumer Service (ACS) URL needs to be entered in your Identity Provider (IdP) portal.
  - The Identity Provider Details is a field in which you need to provide either an IdP URL or IdP metadata XML.
Step 3: Configure Notion app in OneLogin
To set up Notion in OneLogin:
- Copy the Assertion Consumer Service (ACS) URL from Notion.
- Go back to the OneLogin Administration UI.
- Navigate to the Configuration tab of the Notion app connector you just added to your OneLogin account.
- Paste the Assertion Consumer Service (ACS) URL from Notion into the Consumer URL textbox.
- Click Save.
- Go back to the Notion Edit SAML SSO configuration settings.
- Paste the Issuer URL you copied from the SSO tab in OneLogin into the Identity Provider URL textbox. Make sure Identity Provider URL is selected.
For detailed documentation, visit Rippling's website here →
For detailed documentation, visit TrustLogin’s website here →
If you don't use one of Notion’s supported SAML providers, you can also configure your IdP to use SAML with Notion.
Step 1: Set up your IdP
Your IdP must support the SAML 2.0 spec to be used with Notion. To set up your IdP:
- Set the ACS URL to the Assertion Consumer Service (ACS) URL value from Notion. You can find this in Settings → Identity & Provisioning → Edit SAML SSO Configuration.
- Configure NameID to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
  - Similarly, configure username to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
- Configure EntityID to https://notion.so/sso/saml. You can find this in Settings → the bottom of Identity & Provisioning.
- Configure the following attributes:
  - emailAddress: This is a user's email address. Most IdPs set this by default.
  - (Optional) firstName
  - (Optional) lastName
  - (Optional) profilePicture
- Copy the IdP metadata URL or IdP metadata XML for next steps. 
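A pre-flight check for the IdP settings listed in Step 1, as an added example that is not Notion's code: it inspects a test assertion from your IdP for the NameID format and attribute names above. The sample assertion is constructed, and the check covers claim shape only, not signature validation.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
REQUIRED = {"emailAddress"}  # the one attribute not marked optional above
OPTIONAL = {"firstName", "lastName", "profilePicture"}

# Constructed test assertion (not captured from a real IdP); signature omitted.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="mail"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_claims(assertion_xml):
    """Return a list of mismatches between an assertion and the Step 1 settings."""
    root = ET.fromstring(assertion_xml)
    ns = {"saml": SAML}
    findings = []
    # Works whether the input is a bare Assertion or a Response wrapping one.
    name_id = root.find(".//saml:Subject/saml:NameID", ns)
    if name_id is None:
        findings.append("missing NameID")
    else:
        if name_id.get("Format") != EMAIL_FORMAT:
            findings.append(f"NameID Format is {name_id.get('Format')}")
        if "@" not in (name_id.text or ""):
            findings.append("NameID value is not an email address")
    names = {a.get("Name") for a in root.iterfind(".//saml:Attribute", ns)}
    for missing in sorted(REQUIRED - names):
        findings.append(f"missing required attribute {missing}")
    # Informational: names outside the list above usually mean a mapping typo.
    for extra in sorted(names - REQUIRED - OPTIONAL):
        findings.append(f"attribute not in the list above: {extra}")
    return findings


if __name__ == "__main__":
    for finding in check_claims(SAMPLE_ASSERTION):
        print(finding)
```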
Step 2: Set up SAML in Notion
To set up SAML in Notion:
- In Notion, go to Settings → General if you’re on the Business Plan, or the General tab of your organization settings if you’re on the Enterprise Plan.
- In the Allowed email domains section, add new email domains and follow the prompts to verify them. These must be email domains of your users logging into Notion.
- Select the Identity tab in Settings if you're on the Business Plan, or go to your organization settings → General → SAML Single sign-on (SSO) if you're on the Enterprise Plan.
- In SAML Single sign-on (SSO) settings, toggle Enable SAML SSO on. This will open the SAML SSO Configuration dialog.
- Under Identity Provider Details, input the IdP metadata URL or IdP metadata XML from your IdP.
- Make sure you provide your desired inputs for Login method, Automatic account creation, and Linked workspaces.
To switch identity providers:
- In Notion, go to Settings → General if you’re on the Business Plan, or the General tab of your organization settings if you’re on the Enterprise Plan.
- Select the Identity tab in Settings if you're on the Business Plan, or go to your organization settings → General → SAML Single sign-on (SSO) if you're on the Enterprise Plan.
- Enter your new information, then select Save changes.
When switching to a new IdP, we recommend that:
- SSO not be enforced during the transition, so you can minimize the risk of locking users out. 
- Email addresses for the users under your new IdP match the user’s email in Notion. 

Note: Changing identity providers does not end user sessions or deactivate users.
If you encounter errors when setting up SAML SSO, check to make sure your IdP's metadata, SAML requests and responses are valid XML against the SAML XSD schemas. You can do so using this online tool.
Note that we do not support the EntitiesDescriptor element. If your IdP's metadata contains this element, extract the contained EntityDescriptor element and try again.
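An added example (not Notion's code) of the extraction described above: it pulls a single EntityDescriptor out of an EntitiesDescriptor wrapper and flags missing IdP elements before you paste the XML into Notion. The sample metadata, its entityID and the certificate placeholder are constructed.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample: an aggregate wrapping one IdP entity (certificate is a placeholder).
SAMPLE = f"""<md:EntitiesDescriptor xmlns:md="{MD}" xmlns:ds="{DS}">
  <md:EntityDescriptor entityID="https://idp.example.com/metadata">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing">
        <ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      </md:KeyDescriptor>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                              Location="https://idp.example.com/sso"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def extract_entity_descriptor(xml_text, entity_id=None):
    """Return (xml_string, problems) for exactly one EntityDescriptor."""
    # SAML metadata needs no DTD; refusing one avoids entity-expansion surprises.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD/entity declarations are not expected in SAML metadata")
    ET.register_namespace("md", MD)  # keep readable prefixes when re-serializing
    ET.register_namespace("ds", DS)
    root = ET.fromstring(xml_text)
    if root.tag == f"{{{MD}}}EntitiesDescriptor":
        entities = list(root.iter(f"{{{MD}}}EntityDescriptor"))
        if entity_id is not None:
            entities = [e for e in entities if e.get("entityID") == entity_id]
        if len(entities) != 1:
            raise ValueError(f"expected exactly one EntityDescriptor, found {len(entities)}")
        root = entities[0]
    elif root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError(f"unexpected root element {root.tag}")
    problems = []
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        problems.append("no IDPSSODescriptor")
    else:
        if idp.find(f"{{{MD}}}SingleSignOnService") is None:
            problems.append("no SingleSignOnService")
        if idp.find(f".//{{{DS}}}X509Certificate") is None:
            problems.append("no signing certificate")
    return ET.tostring(root, encoding="unicode"), problems
```

If the aggregate holds several entities, pass your IdP's entityID as `entity_id` so the function selects that one instead of raising.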

FAQs
Are profile photos transmitted to Notion from the IdP?
Yes, profilePhoto is an optional custom attribute. You may assign this attribute to a corresponding attribute in your IdP, provided the attribute contains the URL to an image. If the profilePhoto field is set, this image will replace the avatar in Notion when the user signs in using SAML SSO.
Can I still log in to Notion if my Identity Provider (IdP) is out of service?
Yes, even with SAML enforced, workspace owners have the option to log in with email. A workspace owner can change the SAML configuration to disable Enforce SAML so users can log in with email again.
