SAML SSO

With SSO, you can streamline user management across systems, and remove the need for end-users to remember and manage multiple passwords by allowing them to sign in at one single access point and enjoy a seamless experience across multiple applications.

To use SSO with Notion:

• Your workspace must be on a Business Plan or Enterprise Plan.

• Your Identity Provider (IdP) must support the SAML 2.0 standard. See instructions for Identity Provider setup for specific apps here →

• A workspace owner must configure SAML SSO for the Notion workspace.

• At least one domain must be verified by a workspace owner. Learn more about domain verification →

To set up SAML SSO for a Business workspace, a workspace owner can:

1. Go to Settings → General.

2. In the Allowed email domains section, remove all email domains.

3. Select the Identity tab in Settings.

   

4. Verify one or more domains. See instructions for domain verification here →

5. Toggle on Enable SAML SSO and the SAML SSO Configuration modal will automatically appear and prompt you to complete the set-up.

6. The SAML SSO Configuration modal is divided into two parts:

   • The Assertion Consumer Service (ACS) URL needs to be entered in your Identity Provider (IdP) portal.

   • The Identity Provider Details is a field in which you need to provide either an IdP URL or IdP metadata XML.

Enterprise Plan organization owners can manage SAML SSO for their workspace (or multiple workspaces belonging to their organization) by following these steps:

1. Open the workspace switcher and select Manage organization. You may need to Set up organization first if you haven’t already. Learn more here →

2. In the General tab of your organization settings, toggle on Enable SAML SSO.

3. Choose a setup method (URL or metadata XML), paste the required information from your Identity Provider or IdP, and select Save & enable.

Once you have completed your configuration of SAML SSO for a workspace, members will be able to log in via SAML SSO in addition to other login methods, like username and password or Google authentication.

If you want to ensure that members can log in using only SAML SSO and no other method, go to your SAML SSO settings and update the Login method to Only SAML SSO. Once this happens, workspace users will be logged out and required to log back in using SAML SSO. SAML SSO will only be enforced for members who use your verified domain.

On the Business Plan, this will look like this:

On the Enterprise Plan, this will look like this:

Workspace and organization owners will always have the option to bypass SAML SSO by using their email and password credentials so they can access Notion in the event of IdP/SAML failure. They’ll be able to log in and disable or update their configuration.

Notion supports Just-in-Time provisioning when using SAML SSO. This allows someone signing in via SAML SSO to join the workspace automatically as a member.

To enable Just-in-Time provisioning if you're on the Business Plan, go to Settings → Identity and make sure that Automatic account creation is enabled.

To enable Just-in-Time provisioning if you’re on the Enterprise Plan, go to your organization console → General and make sure that Automatic account creation is enabled.