Set up single sign-on with SAML

Available on plans: Free, Pro, Team, Enterprise

Single sign-on (SSO) lets your team sign in to Zapier with the credentials they already use for other applications, managed by your identity provider (IdP). Zapier's SSO uses the industry-standard SAML 2.0 protocol, so it works with any IdP that supports SAML 2.0.

Zapier has partnered with several IdPs to offer third-party connectors. Zapier supports both Zapier-initiated (service-provider-initiated) and IdP-initiated SAML SSO. You can also provision users with Just-in-Time (JIT) provisioning.

You can enable Single Logout (SLO) as part of the SAML configuration. With SLO enabled, logging out of your IdP also logs you out of Zapier, and logging out of Zapier also logs you out of your IdP. Whether SLO works depends on your IdP's support for it.

Pre-requirements

To set up single sign-on, you must:

  • Have the account owner's credentials; the steps below are performed as the account owner.
  • Have verified at least one domain for your account (see Limitations).

Manually configure SSO with SAML

1. Set up a custom SAML configuration

To set up a custom SAML configuration:

  1. Set up your IdP.
  2. Sign in to Zapier using your account owner's credentials.
  3. Go to the single sign-on settings page.
  4. In the SAML Identity Provider tab, enter the values provided by your IdP in the Entity ID, SSO URL, and Certificate fields.
    • The entity ID is usually the IdP issuer.
    • The SSO URL is the IdP's SSO URL.
    • The certificate is the X.509 certificate offered by your IdP.
  5. [Optional] To enable SLO, turn on the Signed Single Logout switch.
  6. Enter the corresponding values from your IdP in the Email, First Name, and Last Name fields.
    • The Email field is filled from the NameID, which your IdP must send in the urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress format.
    • If your IdP does not use that NameID format, configure your IdP to send the email address as a separate attribute and enter that attribute's name in the Email field.
    • First and last name can be sent as attributes in the SAML assertion. Enter the names of those attributes in the associated fields.

2. Test your SAML configuration

Before enabling SSO for your entire organization:

  1. Click Test Configuration.
  2. If the configuration is working, a new browser tab or window for your IdP opens. There, your IdP will:
    • Authenticate you.
    • Redirect you back to a Zapier page showing the SAML response it sent.


3. Enable SAML single sign-on

Once you've tested your configuration and ensured SSO is working:

  1. Return to the SAML Identity Provider section.
  2. Click the Enable SAML login switch.
    • This will force all team members to log in with SAML SSO.
    • This will disable the use of username and password.
  3. Click Save changes to finalize changes.

4. Copy your single logout certificate

You will need to enter this value in your IdP.

  1. Go to the Service Provider tab.
  2. In the Single Logout Certificate field, click the copy icon. This will copy the value to your clipboard.
  3. Then paste the value into the appropriate field in your IdP.

5. Notify your team

Zapier can automatically send instructions on how to log in via SAML SSO to your team.

  1. Go to the Notify Team Members tab.
  2. Click Send Email. This will send an email to your team members.

Additional technical information

  • Zapier uses the SAML 2.0 HTTP-Redirect binding for messages from the service provider to the IdP (Zapier to IdP) and requires the HTTP-POST binding for messages from the IdP to the service provider (IdP to Zapier).
  • The Consumer URL is the post-back URL, also known as the Assertion Consumer Service (ACS) URL. It is namespaced by a tenant identifier that is unique to your organization. The Tenant Identifier field is also used when configuring third-party connectors from IdP app catalogs.
  • The NameID must contain the user's email address. You must format the Name ID as urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.
  • Zapier supports both signed and unsigned SLO. For signed SLO, you must send the SLO URL to your IdP after configuring an IdP in Zapier. The SLO URL is found in the Service Provider tab.
  • Your IdP must send the following values with SAML assertions:
    • For first name, Zapier looks for http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname or urn:oid:2.5.4.42 by default.
    • For last name, Zapier looks for http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname or urn:oid:2.5.4.4 by default.
    • For email, Zapier looks for http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress if the NameID is not in the email format.
    • If Zapier doesn't receive these values, you must configure your IdP to send them. You can use the optional configuration mapping to map custom attributes.
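The two bindings listed above differ only in how the XML message is wrapped for transport, and knowing the wrapping is what lets you decode a SAMLRequest or SAMLResponse when debugging. The following is an added example, not Zapier's code: it builds a minimal SP-initiated AuthnRequest, encodes it for the HTTP-Redirect binding (raw DEFLATE, base64, URL-encoding), and decodes a Response delivered over the HTTP-POST binding (base64 only). The entity ID, ACS URL, tenant path and IdP URL are placeholders for the values in the Service Provider tab and your IdP; signing of requests and responses is left to your SAML library.

```python
"""Transport encoding for the SAML 2.0 HTTP-Redirect and HTTP-POST bindings.

Added example, not Zapier's code. SP_ENTITY_ID, ACS_URL and IDP_SSO_URL are
placeholders; real values come from the Service Provider tab and your IdP.
"""
import base64
import datetime as dt
import uuid
import zlib
from urllib.parse import parse_qs, urlencode, urlsplit

SP_ENTITY_ID = "https://sp.example.com/saml/example-tenant"  # placeholder
ACS_URL = "https://sp.example.com/saml/example-tenant/acs"  # placeholder
IDP_SSO_URL = "https://idp.example.com/sso/saml"  # placeholder
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
MAX_XML_BYTES = 256 * 1024  # cap on inflated size; DEFLATE can expand ~1000x


def build_authn_request(request_id=None, issue_instant=None):
    """SP-initiated AuthnRequest asking for an email-format NameID and for
    the Response to come back over the HTTP-POST binding."""
    request_id = request_id or "_" + uuid.uuid4().hex
    issue_instant = issue_instant or dt.datetime.now(dt.timezone.utc).strftime(
        "%Y-%m-%dT%H:%M:%SZ")
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination="{IDP_SSO_URL}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
        f'AssertionConsumerServiceURL="{ACS_URL}">'
        f"<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>"
        f'<samlp:NameIDPolicy Format="{EMAIL_FORMAT}" AllowCreate="true"/>'
        "</samlp:AuthnRequest>"
    )


def redirect_encode(xml):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header or trailer), then
    base64. URL-encoding is applied when the query string is built."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = comp.compress(xml.encode("utf-8")) + comp.flush()
    return base64.b64encode(raw).decode("ascii")


def redirect_url(xml, relay_state=None):
    """The URL the SP redirects the browser to (SP -> IdP)."""
    params = {"SAMLRequest": redirect_encode(xml)}
    if relay_state:
        params["RelayState"] = relay_state
    return IDP_SSO_URL + "?" + urlencode(params)


def redirect_decode(url):
    """Inverse of redirect_url, with a size cap because the input is untrusted."""
    query = parse_qs(urlsplit(url).query)
    raw = base64.b64decode(query["SAMLRequest"][0])
    inflater = zlib.decompressobj(-15)
    xml = inflater.decompress(raw, MAX_XML_BYTES)
    if inflater.unconsumed_tail:
        raise ValueError("SAMLRequest inflates past MAX_XML_BYTES")
    return xml.decode("utf-8")


def post_encode(xml):
    """HTTP-POST binding: base64 only, no compression (IdP -> SP)."""
    return base64.b64encode(xml.encode("utf-8")).decode("ascii")


def post_decode(form):
    """Decode the SAMLResponse form field the IdP posts to the ACS URL."""
    return base64.b64decode(form["SAMLResponse"]).decode("utf-8")
```

To inspect what an IdP actually sent during a failed login, capture the SAMLResponse form field from the browser's network tools and pass it to post_decode; the Destination, Recipient, Audience and NameID values in the decoded XML are the ones compared in the Common errors section below.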

Send an email notification to members

After you enable SAML SSO, you can send an email notification to your members about the change. The email will prompt them to connect their accounts using SSO.

Configure a custom session timeout limit

To shorten sessions, configure a session timeout in your IdP. Zapier uses the IdP's session length when it is shorter than Zapier's default of 7 days; if the IdP's value is longer than 7 days, Zapier uses its 7-day default instead.

Remove SAML single sign-on

If you need to remove SAML SSO:

  1. Click the Enable SAML login switch to disable it.
  2. Once it's disabled:
    • Users who had a password set up before enabling SAML SSO will use it to log in.
    • Users who joined after enabling SAML SSO must reset their password to log in.

Limitations

  • You must verify at least one domain before you can enable SAML SSO or user provisioning.
  • Zapier supports the following SLO:
    • IdP-initiated SLO.
    • Zapier-initiated SLO.
    • Signed and unsigned SLO.
  • Team trials do not have access to SSO.
  • If SSO is not available on your Team plan, you might be on a legacy plan. You must move to a current plan to have access to this feature.

After you enable SAML:

  • You cannot enable two-factor authentication (2FA) in your Zapier account. Configure 2FA in your IdP instead.
  • You must use SAML SSO to log in. Username and password login and Google SSO no longer work.
  • Members whose email domain is not configured in the IdP will be locked out. Zapier's SAML check verifies that:
    • The account you're trying to access requires SAML authentication.
    • The account owns the domain used in your email address.

Common errors

“The response was received at '' instead of ''”

The recipient URL in the response does not match the URL at which Zapier received it. In most cases the recipient is the Assertion Consumer Service URL: compare the ACS URL configured in your IdP with the Consumer URL in the Service Provider tab. The values must match exactly; an extra trailing slash is enough to cause this error.

“Is not a valid audience for this response”

The Audience value in the response from your IdP must match the Entity ID Zapier expects. Check the audience or entity ID configured in your IdP against the value in the Service Provider tab.

“SAML login failed: the email needs to be provided”

The NameID is not in the emailAddress format, or your IdP did not send an email value. If your IdP sends the email address as a separate attribute, you must save that attribute mapping in Zapier.

“Found different email address than the one that started the flow”

The email address you started the login with does not match the one your IdP sent in the response. Ensure you're using the correct username, check your IdP and Zapier settings, then log out and log in again.
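Each of the four errors above comes from one comparison between the Response and what the service provider expects, and the email one depends on the attribute resolution rules from Additional technical information (NameID in emailAddress format first, otherwise the email attribute; the claim URIs and OIDs for first and last name). The following is an added example, not Zapier's code: it runs those checks over a decoded Response and returns the matching error messages, and it resolves the email, first name and last name the way the rules describe, with a custom attribute mapping tried before the defaults. ACS_URL and SP_ENTITY_ID are placeholders for the values in the Service Provider tab, and sample_response builds a constructed, unsigned Response for illustration. Signature verification, which any real service provider must do before trusting these values, is left to your SAML library.

```python
"""Checks behind the common SAML SSO errors, plus attribute resolution.

Added example, not Zapier's code. ACS_URL and SP_ENTITY_ID are placeholders
for the Service Provider tab values; sample_response is a constructed,
unsigned Response. Signature verification is out of scope here.
"""
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# Attribute names the article lists as the defaults Zapier looks for.
DEFAULT_CLAIMS = {
    "email": ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",),
    "first_name": ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
                   "urn:oid:2.5.4.42"),
    "last_name": ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
                  "urn:oid:2.5.4.4"),
}
ACS_URL = "https://sp.example.com/saml/example-tenant/acs"  # placeholder
SP_ENTITY_ID = "https://sp.example.com/saml/example-tenant"  # placeholder


def attribute_values(assertion):
    """Map each saml:Attribute Name to its first non-empty AttributeValue."""
    out = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        for val in attr.findall("saml:AttributeValue", NS):
            if val.text and val.text.strip():
                out[attr.get("Name")] = val.text.strip()
                break
    return out


def resolve(assertion, field, mapping=None):
    """A custom mapping such as {"email": "mail"} is tried before the defaults."""
    custom = (mapping or {}).get(field)
    names = ((custom,) if custom else ()) + DEFAULT_CLAIMS[field]
    attrs = attribute_values(assertion)
    return next((attrs[n] for n in names if n in attrs), None)


def resolve_email(assertion, mapping=None):
    """NameID is used only in the emailAddress format; otherwise fall back
    to the email attribute (custom mapping first, then the default claim)."""
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if (name_id is not None and name_id.get("Format") == EMAIL_FORMAT
            and name_id.text and name_id.text.strip()):
        return name_id.text.strip()
    return resolve(assertion, "email", mapping)


def profile(xml, mapping=None):
    """Email, first name and last name as they would be resolved from xml."""
    assertion = ET.fromstring(xml).find("saml:Assertion", NS)
    return {"email": resolve_email(assertion, mapping),
            "first_name": resolve(assertion, "first_name", mapping),
            "last_name": resolve(assertion, "last_name", mapping)}


def check_response(xml, started_email=None, mapping=None):
    """Return the error messages a login with this Response would produce."""
    root = ET.fromstring(xml)
    assertion = root.find("saml:Assertion", NS)
    errors = []
    # Recipient: Response/@Destination and SubjectConfirmationData/@Recipient
    # must equal the ACS URL exactly; a stray trailing slash is a mismatch.
    scd = assertion.find(
        "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient") if scd is not None else None
    for sent_to in (root.get("Destination"), recipient):
        if sent_to != ACS_URL:
            errors.append(f"The response was received at '{ACS_URL}' instead of '{sent_to}'")
            break
    aud = assertion.find("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    aud_text = (aud.text or "").strip() if aud is not None else ""
    if aud_text != SP_ENTITY_ID:
        errors.append(f"'{aud_text}' is not a valid audience for this response")
    email = resolve_email(assertion, mapping)
    if not email:
        errors.append("SAML login failed: the email needs to be provided")
    elif started_email and email.lower() != started_email.lower():  # case-insensitive: assumption
        errors.append("Found different email address than the one that started the flow")
    return errors


def sample_response(name_id, name_id_format=EMAIL_FORMAT, recipient=ACS_URL,
                    audience=SP_ENTITY_ID, attrs=None):
    """Constructed, unsigned Response for exercising the checks above."""
    attr_xml = "".join(
        f'<saml:Attribute Name="{n}"><saml:AttributeValue>{v}</saml:AttributeValue>'
        "</saml:Attribute>" for n, v in (attrs or {}).items())
    return (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        f'ID="_r1" Version="2.0" Destination="{recipient}">'
        '<saml:Assertion ID="_a1" Version="2.0">'
        "<saml:Issuer>https://idp.example.com</saml:Issuer>"
        f'<saml:Subject><saml:NameID Format="{name_id_format}">{name_id}</saml:NameID>'
        '<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
        f'<saml:SubjectConfirmationData Recipient="{recipient}"/>'
        "</saml:SubjectConfirmation></saml:Subject>"
        "<saml:Conditions><saml:AudienceRestriction>"
        f"<saml:Audience>{audience}</saml:Audience>"
        "</saml:AudienceRestriction></saml:Conditions>"
        f"<saml:AttributeStatement>{attr_xml}</saml:AttributeStatement>"
        "</saml:Assertion></samlp:Response>")
```

Running check_response over a Response whose NameID format is unspecified and that carries the email only in a custom attribute (for example "mail") reproduces the "email needs to be provided" error until mapping={"email": "mail"} is supplied, which is exactly the mapping step the error text asks for; a recipient of ACS_URL + "/" reproduces the trailing-slash case.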

If you need additional help setting up SSO with SAML, contact Premier Support.
