Set up single sign-on with SAML

Single sign-on (SSO) gives your organization a centralized, secure way to control access to Zapier. It creates a single set of credentials to access multiple applications, like Zapier. SSO with Security Assertion Markup Language (SAML) uses industry-standard SAML 2.0 so you can easily integrate with any identity provider (IdP) that supports this protocol.

Zapier has partnered with several IdPs to offer third-party connectors. Zapier supports both Zapier-initiated SAML SSO and IdP-initiated SAML SSO. You can also provision users using Just-in-Time provisioning (JIT).

You can use Single Logout (SLO) when configuring SAML SSO. When enabled, if you log out of your IdP, the provider will log you out of Zapier and vice versa. Support for SLO depends on your IdP.


Manually configure SSO with SAML

1. Set up a custom SAML configuration

To set up a custom SAML configuration:

  • Set up your IdP.
  • Sign in to Zapier using your account owner's credentials.
  • Go to the single sign-on settings page.
  • In the SAML Identity Provider tab, enter the values provided by your IdP in the Entity ID, SSO URL, and Certificate fields.
    • The entity ID is usually the IdP issuer.
    • The SSO URL is the IdP's SSO URL.
    • The certificate is the X.509 certificate offered by your IdP.

SAML Identity Provider settings

  • [Optional] To enable SLO, click the Signed Single Logout switch.
  • Enter the corresponding values from your IdP in the Email, First Name, and Last Name fields.
    • Your IdP must format the NameID used in the Email field as urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.
    • If your IdP doesn't format the NameID this way, you must send an additional value to use in the Email field from your IdP’s configuration page.
    • You can send first and last name along with SAML assertions. Enter the names of those values in the associated fields.

2. Test your SAML configuration

Before enabling SSO for your entire organization:

  • Click Test Configuration.
  • If the connection is working, a new browser tab or window for your IdP will open. There, your IdP will:
    • Authenticate your account.
    • Redirect you to a page containing the SAML response received from the IdP.

Testing SAML

Successful SAML test

3. Enable SAML single sign-on

Once you've tested your configuration and ensured SSO is working:

  • Return to the SAML Identity Provider section.
  • Click the Enable SAML login switch.
    • This will force all team members to log in with SAML SSO.
    • This will disable the use of username and password.

Enabling SAML Single Sign On

4. Notify your team

Zapier can automatically send instructions on how to log in via SAML SSO to your team.

  • Go to the Notify Team Members tab.
  • Click Send Email. This will send the following email to your team members:

Notifying your Team - SAML Single Sign On

Additional technical information

  • Zapier uses SAML 2.0 with HTTP Redirect Binding for service provider to IdP (Zapier to IdP). It requires HTTP POST binding for IdP to service provider.
  • The Consumer URL is the post-back URL, also known as the Assertion Consumer Service URL. The post-back URL is namespaced by a tenant identifier that is unique to your organization. You can also use the Tenant Identifier field for configuring third-party connections from IdP app catalogs.
  • The NameID must contain the user's email address. You must format the NameID as urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.
  • Zapier supports both signed and unsigned SLO. For signed SLO, you must send the SLO URL to your IdP after configuring an IdP in Zapier. The SLO URL is found in the Service Provider tab.
  • Your IdP must send the following values with SAML assertions:
    • For first name, Zapier looks for http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname or urn:oid:2.5.4.42 by default.
    • For last name, Zapier looks for http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname or urn:oid:2.5.4.42 by default.
    • For email, Zapier looks for http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name if the NameID is not in the email format.
    • If Zapier doesn't receive these values, you must configure your IdP to send them. You can use the optional configuration mapping to map custom attributes.

Send an email notification to members

After you enable SAML SSO, you can send an email notification to your members about the change. The email will prompt them to connect their accounts using SSO.

Configure a custom session timeout limit

If you want to change your session timeout limit, you can configure a custom session timeout limit in your IdP. Zapier will use that session timeout length if it's shorter than Zapier’s default session timeout length (7 days). If it's longer than 7 days, Zapier will use its own default instead.

Remove SAML single sign-on

If you need to remove SAML SSO:

  • Click the Enable SAML login switch to disable it.
  • Once it's disabled:
    • Users who had a password set up before enabling SAML SSO will use it to log in.
    • Users who joined after enabling SAML SSO must reset their password to log in.

Limitations

After you enable SAML:

  • You cannot enable 2FA in your Zapier account. You must configure your IdP to use 2FA instead.
  • You must use SAML SSO to log in. Your username and password and Google SSO will no longer work once you enable SAML SSO.
  • Members from other domains will be locked out if those domains are not configured in the IdP. Zapier’s SAML system checks if:
    • The account you’re trying to access requires SAML authentication.
    • The account owns the domain used in your email address.

Common errors

“The response was received at ‘'instead of'”


There is a disconnect between what the IdP expects for the recipient value and what Zapier is sending. In most cases, the recipient is the Assertion Consumer URL. Additional slashes may cause this error as well.

“Is not a valid audience for this response”


The audience value from Zapier must match the one from your IdP.

“SAML login failed: the email needs to be provided”


The NameID format is incorrect or your IdP didn’t send an email value. If your IdP sends an email value with SAML assertions, you must save that mapping in Zapier.

“Found different email address than the one that started the flow”


Your SAML SSO configuration in Zapier is using a different email address than the one sent by your IdP. Ensure you're using the correct username, check your IdP and Zapier settings, then log out and log in again.
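To check a test response for the recipient, audience and email problems described above before enabling SSO, you can inspect it locally. The script below is an added example, not Zapier's code: the function names, the sp.example URLs and the sample response are constructed placeholders, and it assumes you pass in your own Consumer URL and the audience (entity ID) value from the Service Provider tab.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"a": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"

def diagnose(response_b64, acs_url, audience, email_attr=EMAIL_CLAIM):
    """List config mismatches in a base64 SAMLResponse captured from your own
    IdP test. Diagnostic only: no signature check, not for untrusted XML."""
    root = ET.fromstring(base64.b64decode(response_b64))
    problems = []
    # Recipient must equal the Assertion Consumer Service URL exactly.
    for scd in root.iterfind(".//a:SubjectConfirmationData", NS):
        got = scd.get("Recipient", "")
        if got != acs_url:
            slash = got.rstrip("/") == acs_url.rstrip("/")
            problems.append(f"recipient {got!r} != {acs_url!r}"
                            + (" (slash difference only)" if slash else ""))
    # The SP entity ID must appear among the assertion's audiences.
    audiences = [(a.text or "").strip() for a in root.iterfind(".//a:Audience", NS)]
    if audience not in audiences:
        problems.append(f"audience {audience!r} not in {audiences}")
    # Email comes from the NameID if it has the emailAddress format,
    # otherwise from the mapped email attribute.
    name_id = root.find(".//a:Subject/a:NameID", NS)
    from_name_id = (name_id is not None and name_id.get("Format") == EMAIL_FORMAT
                    and (name_id.text or "").strip())
    attrs = {a.get("Name"): (a.findtext("a:AttributeValue", "", NS) or "").strip()
             for a in root.iterfind(".//a:Attribute", NS)}
    if not from_name_id and not attrs.get(email_attr):
        problems.append("email: NameID not in emailAddress format and no email attribute")
    return problems

def sample(recipient, audience, name_id_format):
    """Constructed SAMLResponse (unsigned, placeholder hosts) for the demo."""
    xml = f"""<p:Response xmlns:p="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:a="urn:oasis:names:tc:SAML:2.0:assertion"><a:Assertion>
 <a:Subject><a:NameID Format="{name_id_format}">user@corp.example</a:NameID>
  <a:SubjectConfirmation><a:SubjectConfirmationData Recipient="{recipient}"/>
  </a:SubjectConfirmation></a:Subject>
 <a:Conditions><a:AudienceRestriction><a:Audience>{audience}</a:Audience>
  </a:AudienceRestriction></a:Conditions></a:Assertion></p:Response>"""
    return base64.b64encode(xml.encode()).decode()

ACS = "https://sp.example/saml/acs/TENANT-ID"   # placeholder, not a real URL
ENTITY = "https://sp.example/saml/metadata"      # placeholder SP entity ID
if __name__ == "__main__":
    print(diagnose(sample(ACS + "/", ENTITY, EMAIL_FORMAT), ACS, ENTITY))
```

An empty list means the three values line up; each entry otherwise names the field to correct in your IdP or in the attribute mapping.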

If you need additional help setting up SSO with SAML, contact Premier Support.
