Single Sign-On (SSO) allows your team members to authenticate using your organization’s identity provider (IdP). This provides a seamless login experience and centralized access control.
SSO is available for Enterprise plans. Contact sales to enable SSO for your organization.

Supported protocols

Profile supports two industry-standard SSO protocols:
Protocol | Best for
SAML 2.0 | Most enterprise IdPs (Okta, Azure AD/Entra, Google Workspace, OneLogin)
OIDC | Modern IdPs with OpenID Connect support

Setting up SSO

Prerequisites

Before configuring SSO, ensure you have:
  • Owner or Admin role in your Profile organization
  • Administrator access to your identity provider
  • Your organization’s email domain (e.g., yourcompany.com)

Step 1: Create an SSO connection

  1. Navigate to Account from the left navigation
  2. Scroll to the Single Sign-On (SSO) section
  3. Click Add SSO connection
  4. Choose your connection type (SAML or OIDC)
  5. Enter a display name (e.g., “Okta SSO” or “Company Azure AD”)
  6. Select your identity provider from the dropdown if available
After creating the connection, you’ll receive configuration details to enter in your IdP.

Step 2: Configure your identity provider

In your identity provider, create a new SAML application and configure:
Service Provider (SP) Details — provided by Profile:
  • ACS URL (Assertion Consumer Service)
  • Entity ID (SP Entity ID)
Attribute Mapping — map these user attributes:
Profile Attribute | Common IdP Names
email | email, emailAddress, http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
full_name | name, displayName, http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Attribute names vary by IdP. Check your provider’s documentation for exact field names.
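To confirm what your IdP actually sends before users hit a mapping error, you can inspect a captured assertion against the names in the table above. The following is an added example, not Profile's own code; the sample assertion, the function name and the report keys are constructed for illustration, and the check is a diagnostic only (it does not validate the assertion's signature).

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"

# Attribute names taken from the mapping table on this page.
EXPECTED = {
    "email": {"email", "emailAddress", CLAIMS + "emailaddress"},
    "full_name": {"name", "displayName", CLAIMS + "name"},
}

# Constructed sample assertion (not from a real IdP); signature omitted.
# Only parse assertions you captured from your own test login.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>alex@yourcompany.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="givenName">
      <saml:AttributeValue>Alex</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

def check_attribute_mapping(assertion_xml, sso_domain):
    """Report which expected attributes are present and whether the email domain matches."""
    root = ET.fromstring(assertion_xml)
    sent = {}
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        value = attr.findtext("saml:AttributeValue", default="", namespaces=SAML_NS)
        sent[attr.get("Name")] = value.strip()
    report = {}
    for field, names in EXPECTED.items():
        hit = next((n for n in sent if n in names), None)
        report[field] = sent[hit] if hit else None  # None means the IdP did not send it
    known = set().union(*EXPECTED.values())
    # Attributes the IdP sends under names the table does not list.
    report["unmapped"] = sorted(n for n in sent if n not in known)
    email = report["email"] or ""
    # The user's email domain must equal the connection's Email Domain.
    report["domain_ok"] = email.lower().rpartition("@")[2] == sso_domain.lower()
    return report
```

In the sample, `full_name` comes back as `None` because the IdP sends `givenName`, which is the kind of mismatch to correct in the IdP's attribute mapping.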

Step 3: Complete the connection

Return to Profile and enter the configuration from your IdP:
If your IdP provides a metadata URL:
  1. Enter your Email Domain (e.g., yourcompany.com)
  2. Enter the Metadata URL
  3. Click Save
Profile will automatically fetch and configure the connection details.
Once saved, the connection status will update to Active if configured correctly.

Enforcing SSO

After SSO is configured and working, you can require all users to authenticate via SSO by enabling Require SSO for all users.
When SSO is required, users cannot log in with passwords, magic links, or social login. Ensure your SSO connection is working before enabling this setting.

How users log in with SSO

Once SSO is configured, users can authenticate in two ways:

Email-based discovery

  1. User enters their email address on the login page
  2. Profile detects their domain has SSO configured
  3. User is redirected to your IdP to authenticate
  4. After successful IdP authentication, user is logged into Profile

Managing SSO connections

Viewing connections

Navigate to Account > Single Sign-On (SSO) to see all configured connections, including:
  • Connection name and type (SAML/OIDC)
  • Status (Active, Pending, or Inactive)
  • Identity provider

Updating a connection

Click on an existing connection to update its configuration. This is useful when:
  • Your IdP certificate is rotating
  • You need to update attribute mappings
  • Connection details have changed

Deleting a connection

Deleting an SSO connection will prevent users from logging in via that IdP. If SSO is required, users will be locked out until a new connection is configured or the SSO requirement is disabled.
To delete a connection:
  1. Click the connection you want to remove
  2. Click Delete Connection
  3. Confirm the deletion

Troubleshooting

Ensure all required fields are configured:
  • For SAML: IdP Entity ID, SSO URL, X.509 Certificate, and Attribute Mapping
  • For OIDC: Client ID, Client Secret, and Issuer URL
Verify the email domain is set correctly.

Your IdP’s attribute mapping doesn’t match what Profile expects. Check that:
  • The email attribute is being sent in the SAML response
  • The attribute name in your IdP matches your Profile configuration
Common email attribute names: email, emailAddress, or the full SAML claim URI.

Ensure the Redirect URL or ACS URL configured in your IdP points to the correct Profile environment (production vs staging).

The user’s email domain must match the configured SSO domain. Users with emails from other domains will need to use standard authentication methods.

IdP-specific guides

Okta

Create a SAML 2.0 application in Okta. Use the metadata URL for easy configuration.

Azure AD / Entra

Create an Enterprise Application with SAML SSO. Download the Federation Metadata XML URL.

Google Workspace

Configure a custom SAML app in Google Admin Console.

OneLogin

Add a SAML 2.0 connector in OneLogin’s application catalog.

Security considerations

  • SSO credentials are never stored by Profile — authentication is handled entirely by your IdP
  • Session duration follows your IdP’s configuration when SSO is used
  • Enabling “Require SSO” ensures all authentication flows through your IdP’s security policies
  • Users are automatically provisioned on first SSO login if they don’t already exist