Set up single sign-on with SAML

Single sign-on (SSO) gives your organization a centralized, secure way to control access to Zapier. It creates a single set of credentials to access multiple applications, like Zapier. SSO with Security Assertion Markup Language (SAML) uses industry-standard SAML 2.0 so you can easily integrate with any identity provider (IdP) that supports this protocol.


 

1. Configuring SSO with SAML

Zapier has partnered with several IdPs to offer third-party connectors. Zapier supports both Zapier-initiated SAML SSO and IdP-initiated SAML SSO. You can also provision users using Just-in-Time provisioning (JIT).

You can use Single Logout (SLO) when configuring SAML SSO. When enabled, if you log out of your IdP, the provider will log you out of Zapier and vice versa. Support for SLO depends on your IdP.

 

2. Set up a custom SAML configuration

To set up a custom SAML configuration:

  • Set up your IdP.
  • Sign in to Zapier using your account owner's credentials.
  • Go to the single sign-on settings page.
  • In the SAML Identity Provider tab, enter the values provided by your IdP in the Entity ID, SSO URL, and Certificate fields.
    • The entity ID is usually the IdP issuer.
    • The SSO URL is the IdP's SSO URL.
    • The certificate is the X.509 certificate offered by your IdP.

SAML Identity Provider settings

  • [Optional] To enable SLO, click the Signed Single Logout switch.
  • Enter the corresponding values from your IdP in the Email, First Name, and Last Name fields.
    • Your IdP must format the NameID used in the Email field as urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.
    • If your IdP doesn't format the NameID this way, you must send an additional value to use in the Email field from your IdP’s configuration page.
    • You can send first and last name along SAML assertions. Enter the names of those values in the associated fields.
Note

Zapier supports the following SLO:

  • IdP-initiated SLO.
  • Zapier-initiated SLO.
  • Signed and unsigned SLO.

 

3. Test your SAML configuration

Before enabling SSO for your entire organization:

  • Click Test Configuration.
  • If the connection is working, a new browser tab or window for your IdP will open. There, your IdP will:
    • Authenticate your account.
    • Redirect you to a page containing the SAML response received from the IdP.

Testing SAML

Successful SAML test

 

4. Enable SAML single sign-on

Once you've tested your configuration and ensured SSO is working:

  • Return to the SAML Identity Provider section.
  • Click the Enable SAML login switch.
    • This will force all team members to log in with SAML SSO.
    • This will disable the use of username and password.

Enabling SAML Single Sign On

 

5. Notify your team

Zapier can automatically send instructions on how to log in via SAML SSO to your team.

  • Go to the Notify Team Members tab.
  • Click Send Email. This will send the following email to your team members:

Notifying your Team - SAML Single Sign On

 

Additional technical information

  • Zapier uses SAML 2.0 with HTTP Redirect Binding for service provider to IdP (Zapier to IdP). It requires HTTP POST binding for IdP to service provider.
  • The Consumer URL is the post-back URL, also known as the Assertion Consumer Service URL. The post-back URL is namespaced by a tenant identifier that is unique to your organization. You can also use the Tenant Identifier field for configuring third-party connections from IdP app catalogs.
  • The NameID must contain the user's email address. You must format the NameID as urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.
  • Zapier supports both signed and unsigned SLO. For signed SLO, you must send the SLO URL to your IdP after configuring an IdP in Zapier. The SLO URL is found in the Service Provider tab.
  • Your IdP must send the following values with SAML assertions:
    • For first name, Zapier looks for http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname or urn:oid:2.5.4.42 by default.
    • For last name, Zapier looks for http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname or urn:oid:2.5.4.42 by default.
    • For email, Zapier looks for http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name if the NameID is not in the email format.
    • If Zapier doesn't receive these values, you must configure your IdP to send them. You can use the optional configuration mapping to map custom attributes.

 

Use custom SAML connectors - OneLogin

If using OneLogin, Zapier recommends using the published Zapier SAML app for OneLogin. If you need to configure a custom app:

  • In OneLogin, go to Company Apps and add a SAML connector.
  • Go to the SSO tab.
    • Copy the Issuer URL value and paste it into Zapier's Entity ID field.
    • Copy the SAML 2.0 Endpoint value and paste it into Zapier's SSO URL field.
    • [Optional] To enable SLO, copy the SLO endpoint value and paste it into Zapier's SLO URL field.
    • Copy the X.509 certificate value and paste it into Zapier's Certificate field.
  • In Zapier, do not enable Zapier's SAML connector yet. The Enable SAML login switch must remain disabled.
  • Save the SAML connector by clicking Save Changes. In OneLogin you will see Zapier's specific configuration appear.
    • In Zapier, copy the Audience value and paste it into OneLogin.
    • In Zapier, copy the Consumer URL value and paste it into OneLogin's Recipient and ACS (Consumer) URL fields.
    • [Optional] To enable SLO, copy Zapier's Single Logout URL value and paste it into the corresponding field in OneLogin.
  • Save your OneLogin configuration.
  • Assign test users to test your configuration before enabling it for all users.
  • Test the SAML integration by clicking Test Configuration in Zapier.
  • Once testing is complete, click Enable SAML login to enable your configuration.
Note

If first name and last name fields are shown, you must enter:

  • firstname in the first name field and
  • lastname in the last name field.

 

Use custom SAML connectors - Okta

If using Okta, Zapier recommends using the published Zapier SAML app for Okta. Follow these instructions to configure a custom app.
Note

Okta only supports signed SLO and service provider-initiated SLO.

 

Use custom SAML connectors - G-Suite

  • In your Google admin console, create a custom SAML application.
    • Copy the SSO URL, Entity ID, and Certificate values.
    • Go to the SAML Identity Provider tab in the single sign-on page in Zapier and paste the Google values into the corresponding fields in Zapier.
    • In Google, copy the SSO URL, Entity ID, and Certificate values and paste them into the corresponding fields in Zapier.
  • In Google, click Continue.
  • In Zapier, click the Service Provider tab.
    • Copy the Consumer URL value and paste it into Google’s ACS URL field.
    • Copy the Audience value and paste it into Google’s Entity ID field.
    • Copy the SP SSO URL value and paste it into Google’s Start URL field.
  • In Google, select Email from the Name ID format dropdown menu.
  • In Google, select Basic Information > Primary Email from the Name ID dropdown menu.
  • Click Continue.
  • [Optional] Add attributes in Google.
    • Return to the SAML Identity Provider tab in Zapier.
    • Copy and paste the URLs from the corresponding fields in Zapier to the corresponding attributes in Google.
  • In Google, click Continue.
  • Select the custom SAML app that you created.
  • In the User Access section, click View Details.
  • Click On for everyone to enable your custom SAML app.
  • Test the SAML integration by clicking Test Configuration in Zapier.
  • Once testing is complete, click Enable SAML login to enable your configuration.

 

Use custom SAML connectors - Microsoft Entra

  • In the Entra portal, select Enterprise Applications, then click New application.
  • Click Non-gallery application.
  • In the Manage menu, click Single sign-on.
  • Click SAML, then click the pencil icon to edit the basic SAML configuration.
  • Using the information provided in the Service Provider tab in Zapier, enter the following fields:
    • In the Identifier (Entity ID) field, paste the Audience URL value from Zapier.
    • In the Reply URL (Assertion Consumer Service URL) field, paste the Consumer URL value from Zapier.
    • In the Sign on URL field, paste the SP SSO URL value from Zapier.
    • In the Logout URL field, paste the Single Logout Url value from Zapier.
  • In the SAML Signing Certificate section in Entra, click Download to download the Certificate (Base64).
  • In the SAML Identity Provider tab in Zapier:
    • In the Certificate field, paste the file contents from Entra.
    • In the SSO URL field, paste the Login URL from Entra.
    • In the Entity ID field, paste the Entra Identifier from Entra.
    • [Optional] In the IdP Single Logout Url field, paste the Logout URL from Entra.
  • Add an Entra test user, then test the Zapier application in Entra.
  • Test the SAML integration by clicking Test Configuration in Zapier.
  • Once testing is complete, click Enable SAML login to enable your configuration.

 

Use app catalog connectors

Zapier recommends using the published Zapier SAML app for OneLogin or the published Zapier SAML app for Okta.

You can use other IdPs if they support SAML 2.0. Use your tenant identifier (a unique ID specific to your configuration) to configure SAML with other IdPs.

 

What happens after SAML SSO is enabled

After you enable SAML SSO:

  • You can send an email notification to your members about the change. The email will prompt them to connect their accounts using SSO.
  • All members who sign in to Zapier must connect their accounts using SSO instead of username and password.
  • Zapier disables two-factor authentication (2FA) for your account.

 

Remove SAML single sign-on

If you need to remove SAML SSO:

  • Click the Enable SAML login switch to disable it.
  • Once it's disabled:
    • Users who had a password set up before enabling SAML SSO will use it to log in.
    • Users who joined after enabling SAML SSO must reset their password to log in.

 

Common errors

“The response was received at ‘…’ instead of ‘…’”

There is a disconnect between what the IdP expects for the recipient value and what Zapier is sending. In most cases, the recipient is the Assertion Consumer URL. Additional slashes may cause this error as well.

“Is not a valid audience for this response”

The audience value from Zapier must match the one from your IdP.

“SAML login failed: the email needs to be provided”

The NameID format is incorrect or your IdP didn’t send an email value. If your IdP sends an email value with SAML assertions, you must save that mapping in Zapier.

“Found different email address than the one that started the flow”

Your SAML SSO configuration in Zapier is using a different email address than the one sent by your IdP. Ensure you're using the correct username, check your IdP and Zapier settings, then log out and log in again.
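To trace the recipient, audience, and email errors above back to what your IdP actually sent, you can check the SAML response shown by Test Configuration against the requirements listed under Additional technical information. The following is an added example, not Zapier's code: the function names, the sample response, and the Consumer URL and Audience values are constructed placeholders, so substitute the values from your own Service Provider tab.

```python
import xml.etree.ElementTree as ET

NS = {"a": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"

def check_response(xml_text, consumer_url, audience):
    """List mismatches behind the errors above. Diagnostic only: no signature check."""
    root = ET.fromstring(xml_text)
    problems = []
    # Recipient must equal the Consumer URL exactly; an extra slash is a mismatch.
    conf = root.find(".//a:SubjectConfirmationData", NS)
    recipient = conf.get("Recipient") if conf is not None else None
    if recipient != consumer_url:
        problems.append(f"recipient: got {recipient!r}, expected {consumer_url!r}")
    # One Audience element must equal the Audience value from the Service Provider tab.
    audiences = [(e.text or "").strip() for e in root.iterfind(".//a:Audience", NS)]
    if audience not in audiences:
        problems.append(f"audience: got {audiences!r}, expected {audience!r}")
    # Email: NameID in emailAddress format, otherwise the fallback email attribute.
    name_id = root.find(".//a:Subject/a:NameID", NS)
    ok = (name_id is not None and name_id.get("Format") == EMAIL_FORMAT
          and (name_id.text or "").strip())
    if not ok:
        ok = any(a.get("Name") == EMAIL_CLAIM
                 and (a.findtext("a:AttributeValue", "", NS) or "").strip()
                 for a in root.iterfind(".//a:Attribute", NS))
    if not ok:
        problems.append("email: no emailAddress NameID and no email attribute")
    return problems

# Constructed sample response (unsigned, trimmed); URLs and tenant id are placeholders.
ACS = "https://sp.example.test/saml/acs/TENANT-ID/"
AUD = "https://sp.example.test/saml/metadata/TENANT-ID/"

def sample(recipient=ACS, audience=AUD, fmt=EMAIL_FORMAT, attrs=""):
    return f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>
 <saml:Subject><saml:NameID Format="{fmt}">ada@example.test</saml:NameID>
  <saml:SubjectConfirmation><saml:SubjectConfirmationData Recipient="{recipient}"/>
  </saml:SubjectConfirmation></saml:Subject>
 <saml:Conditions><saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
 <saml:AttributeStatement>{attrs}</saml:AttributeStatement>
</saml:Assertion></samlp:Response>"""

if __name__ == "__main__":
    # An extra trailing slash on the recipient reproduces the first error above.
    print(check_response(sample(recipient=ACS + "/"), ACS, AUD))
```

An empty list means the recipient, audience, and email requirements are met; it says nothing about whether the response is correctly signed.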

 

Frequently asked questions

Can I enable 2FA with SAML SSO?

No, you can’t enable 2FA in your Zapier account once SAML SSO is enabled. You must configure your IdP to use 2FA instead.

Can I use my username and password to log in?

No, you will need to use SAML SSO to log in. Your username and password and Google SSO will no longer work once you enable SAML SSO.

Can I enable SAML SSO if I cannot verify my domains?

No, you must verify at least one domain before you can enable SAML SSO or user provisioning.

I have multiple domains and users with multiple domain emails. If I turn on SSO for one of the domains, will users be able to log in if they’re not on that specific domain?

No, if you enable SAML, members from other domains will be locked out if those domains aren’t configured in the IdP.

Zapier’s SAML system checks if:

  • The account you’re trying to access requires SAML authentication.
  • The account owns the domain used in your email address.

Can I change Zapier's default session timeout?

Yes, you can configure a custom session timeout limit in your IdP. Zapier will use that session timeout length if it's shorter than Zapier’s default session timeout length (7 days). If it's longer than 7 days, Zapier will use its own default instead.

If you need additional help setting up SSO with SAML, contact Premier Support.
