Zum Hauptinhalt springen
Zenovaydocs
5 Min. Lesedauer

SAML 2.0 SSO Setup

This guide covers how to configure SAML 2.0 Single Sign-On with Zenovay using any SAML-compatible identity provider. For provider-specific instructions, see the guides for Okta, Microsoft Entra ID, Google Workspace, or Auth0.

SSO requires a Scale or Enterprise plan and Owner or Admin permissions.

Zenovay SP Configuration Values

Copy these values into your identity provider's SAML application configuration:

SettingValue
SP Entity ID / Audience URI / Audience Restrictionhttps://auth.zenovay.com
ACS URL (Assertion Consumer Service URL)https://auth.zenovay.com/api/sso/saml/callback
NameID Formaturn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
BindingHTTP-POST

The SP Entity ID must be exactly https://auth.zenovay.com — do not add a trailing slash or path. The ACS URL must include the full path /api/sso/saml/callback.

Step 1: Create a SAML Application in Your IdP

In your identity provider's admin console:

  1. Create a new SAML 2.0 application (sometimes called "SAML App" or "Enterprise Application")
  2. Enter the Zenovay SP values from the table above
  3. Set the NameID to send the user's email address
  4. Assign users or groups who should have access to Zenovay

Step 2: Collect IdP Values

After creating the application, your identity provider will give you the following values. You will need these for Zenovay:

ValueDescriptionWhere to Find
IdP Entity ID (Issuer)Unique identifier for your identity providerIdP SAML settings or metadata
SSO URL (Login URL)The URL where Zenovay sends SAML authentication requestsIdP SAML settings or metadata
X.509 CertificatePublic certificate used to verify SAML responsesIdP SAML settings (download or copy)

Some identity providers offer a metadata URL or metadata XML file that contains all three values. Check your IdP documentation for this option.

Step 3: Add Provider in Zenovay

  1. Sign in to Zenovay as an Owner or Admin
  2. Go to Settings > Authentication > SSO
  3. Click Add SSO Provider
  4. Select SAML 2.0 as the protocol
  5. Enter a name for the provider (e.g., "Corporate Okta" or "Company SSO")
  6. Fill in the three IdP values:
    • Entity ID: Paste the IdP Entity ID / Issuer
    • SSO URL: Paste the Login URL
    • Certificate: Paste the X.509 certificate (including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines)
  7. Click Save

Step 4: Verify Your Domain

After adding the provider, verify the email domain that should use this SSO connection:

  1. In the SSO provider settings, click Add Domain
  2. Enter your email domain (e.g., company.com)
  3. Follow the domain verification steps (typically adding a DNS TXT record)
  4. Once verified, all users with @company.com emails will be directed to this SSO provider

Step 5: Test the Connection

Before enforcing SSO for all users:

  1. Open an incognito/private browser window
  2. Go to auth.zenovay.com
  3. Enter an email address from your verified domain
  4. You should be redirected to your identity provider's login page
  5. Sign in with your IdP credentials
  6. You should be redirected back to the Zenovay dashboard

If the test fails, check the Troubleshooting Guide for common SAML errors and solutions.

Step 6: Enforce SSO (Optional)

Once testing is successful, you can enforce SSO for your organization:

  1. Go to Settings > Authentication > SSO
  2. Toggle Enforce SSO to on
  3. All team members with your verified domain will be required to sign in via SSO

Attribute Mapping

Zenovay reads the following attributes from the SAML response:

SAML AttributeZenovay FieldRequired
NameID (email format)User emailYes
firstName or first_name or http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givennameFirst nameNo
lastName or last_name or http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surnameLast nameNo

The NameID must contain the user's email address. Zenovay uses this to match or create user accounts.

Certificate Rotation

When your identity provider's signing certificate expires, you need to update it in Zenovay:

  1. Download the new certificate from your IdP
  2. Go to Settings > Authentication > SSO
  3. Click the edit icon on your SAML provider
  4. Replace the certificate with the new one
  5. Click Save
  6. Test the connection to verify the new certificate works

Update the certificate in Zenovay before it expires in your IdP, or SAML authentication will fail for all SSO users.

Need Help?

War diese Seite hilfreich?