Set up Identity Provider (IdP) for SAML SSO

These are instructions for setting up Notion SAML SSO with Entra ID (formerly Azure), Google, Okta, and OneLogin. If you use a different Identity Provider and need assistance with configuration, please let us know.

To create a new application integration in Entra ID:

1. Sign in to the Entra ID portal. On the left navigation pane, select the Azure Active Directory service.

2. Navigate to Enterprise Applications and then select All Applications.

3. To add a new application, select New application.

4. In the Add from the gallery section, type Notion in the search box. Select Notion from results panel and then add the app. Wait a few seconds while the app is added to your tenant.

To set up the SAML integration:

1. In the Azure portal, on the Notion application integration page, find the Manage section and select Single sign-on.

2. On the Select a single sign-on method page, select SAML.

To configure SAML settings in Notion:

1. In Notion, go to Settings, then select the Settings tab.

2. In the Allow email domains section, remove all email domains.

3. Then select the Identity & provisioning tab.

4. Verify one or more domains. See instructions for domain verification here →

5. Toggle on Enable SAML SSO. The SAML SSO Configuration modal will automatically appear and prompt you to complete the set-up.

6. The SAML SSO Configuration modal is divided into two parts:

   • The Assertion Consumer Service (ACS) URL needs to be entered in your Identity Provider (IdP) portal.

   • The Identity Provider Details is a field in which you need to provide either an IdP URL or IdP metadata XML.

To set up in Notion in Entra ID:

1. On the set up single sign-on with SAML page, click the pencil icon for Basic SAML Configuration to edit the settings.

2. On the Basic SAML Configuration section, if you wish to configure the application in IdP initiated mode, enter the values for the following fields:

   • In the Identifier (Entity ID) text box, enter the following URL: https://www.notion.so/sso/saml.

   • In the Reply URL (Assertion Consumer Service URL) text box, use the ACS URL from Notion, found on the Identity & provisioning tab of Settings in your left-hand sidebar.

   • In the Sign on URL text box, enter the following URL: https://www.notion.so/login.

3. In the User attributes & claims section, ensure the required claims are set to:

   • Unique User Identifier (Name ID): user.userprincipalname [nameid-format:emailAddress]

   • firstName: user.givenname

   • lastName: user.surname

   • email: user.mail

4. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, click the copy button next to the App Federation Metadata URL.

5. In Notion, go to Settings → Identity & provisioning, and paste the App Federation Metadata URL value you copied into the IdP metadata URL field text box. Make sure Identity Provider URL is selected.

To assign users to Notion:

1. In the Azure portal, select Enterprise Applications, and then select All applications. In the applications list, select Notion.

2. In the app's overview page, find the Manage section and select Users and groups.

3. Select Add user, then select Users and groups in the Add Assignment dialog.

4. In the Users and groups dialog, select from the Users list, then click the Select button at the bottom of the screen.

5. If you are expecting a role to be assigned to the users, you can select it from the Select a role dropdown. If no role has been set up for this app, you see Default Access role selected.

6. In the Add Assignment dialog, click the Assign button.

To get information from Google Identity Provider (IdP):

1. Make sure you're signed into an administrator account to ensure your user account has the appropriate permissions.

2. In Admin Console, go to Menu → Apps → Web and mobile apps.

3. Enter Notion in the search field and select the Notion SAML app.

4. On the Google Identity Provider details page, download the IdP metadata file.

5. Open the file, GoogleIDPMetadata.xml in a compatible editor, then select and copy the contents of the file.

6. Leave the Admin Console open. You'll continue with the configuration wizard after performing the next step in the Notion application.

To set up Notion as a SAML service provider:

1. In Notion, go to Settings, then select the Settings tab.

2. In the Allowed email domains section, remove all email domains.

3. Select the Identity & provisioning tab.

4. Add a new domain and verify it. This should be the same as your Google Workspace domain.

5. In SAML Single sign-on (SSO) settings, toggle the Enable SAML SSO on. This opens the SAML SSO Configuration dialog.

6. In the dialog, do the following:

   1. Under Identity Provider Details, select IDP metadata XML.

   2. Paste the contents of the GoogleIDPMetadata.xml file, (copied in step 1 above) into the IdP metadata XML text box.

   3. Copy and save the Assertion Consumer Service (ACS) URL. You'll need this when you complete the Google-side configuration in Admin console in step 3 below.

   4. Click Save Changes.

7. Ensure that the remaining options (Login method, Automatic account creation and Linked workspaces) contain the desired values for your configuration.

To complete SSO configuration in Admin Console:

1. Return to the Admin Console browser tab.

2. On the Google Identity Provider details page, click Continue.

3. On the Service provider details page, replace the ACS URL with the ACS URL you copied from Notion in Step 2 above.

4. Click Continue.

5. On the Attribute Mapping page, click the Select field menu and map the following Google directory attributes to their corresponding Notion attributes. Note that firstName, lastName, and email are required attributes.

   

   참고: profilePhoto 속성을 사용하여 Notion에서 사용자 사진을 추가할 수 있습니다.기능을 사용하려면 사용자 지정 속성을 만들고 사용자 프로필에서 사진의 URL 경로를 입력한 다음 해당 속성을 profilePhoto에 매핑하세요.

6. If you’d like, click Add Mapping to add any additional mappings you need.

7. Click Finish.

To enable Notion:

1. In the Admin console, go to Menu → Apps → Web and mobile apps.

2. Select Notion.

3. Click User access.

4. To turn a service on or off for everyone in your organization, click On for everyone or Off for everyone, and then click Save.

5. To optionally turn a service on or off for an organizational unit, select the organizational unit and change the Service status by selecting On or Off.

   • If the Service status is set to Inherited and you want to keep the updated setting, even if the parent setting changes, click Override. If the Service status is set to Overridden, either click Inherit to revert to the same setting as its parent, or click Save to keep the new setting, even if the parent setting changes. Learn more about organizational structure.

6. Optionally turn on the service for a group of users. Use access groups to turn on a service for specific users within or across your organizational units. Learn more here →

7. Ensure that your Notion user account email IDs match those in your Google domain.

To add Notion from Okta’s application directory:

1. Log in to Okta as an administrator, and go to the Okta Admin console.

2. Go to the Application tab, select Browse App Catalog, and search for Notion in the Okta app catalog.

3. Select the Notion app and click Add integration.

4. In the General Settings view, review the settings and click Next.

5. In the Sign-on Options view, select the SAML 2.0 option.

6. Above the Advanced Sign-on Settings section, click on the Identity Provider metadata. This will open a new browser tab. Copy the link of the URL.

To set up Notion settings for SAML:

1. In Notion, go to Settings, then select the Settings tab.

2. In the Allow email domains section, remove all email domains.

3. Then select the Identity & provisioning tab.

4. Verify one or more domains. See instructions for domain verification here →

5. Toggle on Enable SAML SSO and the SAML SSO Configuration modal will automatically appear and prompt you to complete the set-up.

6. In the Identity Provider Details field of the SAML SSO Configuration model, provide the Identity Provider URL by pasting the Identity Provider metadata URL you copied in Step 1.

7. Click Save changes.

8. In the Identity & provisioning tab, copy the Workspace ID identifier.

9. In Okta Admin console → Advanced Sign-on Settings section, paste the workspace ID in the Organization ID text box.

10. In Credentials details, select Email from the Application username format dropdown.

11. Click Done.

You'll be able to assign users and groups to Notion in the Okta - Assignments tab.

To create a new application integration:

1. Go to Applications → Applications and select the Notion app connector you already added.

   • If you haven't already configured provisioning, click the Add App button, search for Notion in the search box, and select the SAML 2.0 version of Notion. Click Save.

2. Navigate to the SSO tab and copy the Issuer URL value. Paste it somewhere to be retrieved later.

To configure SAML settings in Notion:

1. In Notion, go to Settings, then select the Settings tab.

2. In the Allow email Domains section, remove all email domains.

3. Select the Identity & provisioning tab.

4. Verify one or more domains. See instructions for domain verification here →

5. Toggle on Enable SAML SSO and the SAML SSO Configuration modal will automatically appear and prompt you to complete the set-up.

6. The SAML SSO Configuration modal is divided into two parts:

   • The Assertion Consumer Service (ACS) URL needs to be entered in your Identity Provider (IdP) portal.

   • The Identity Provider Details is a field in which you need to provide either an IdP URL or IdP metadata XML.

To set up Notion in OneLogin:

1. Copy Assertion Consumer Service (ACS) URL from Notion.

2. Go back to the OneLogin Administration UI.

3. Navigate to the Configuration tab of the Notion app connector your just added to your OneLogin account.

4. Paste the Assertion Consumer Service (ACS) URL from Notion into the Consumer URL textbox.

5. Click Save.

6. Go back to the Notion Edit SAML SSO configuration settings.

7. Paste the Issuer URL you copied from the SSO tab in OneLogin URL into the Identity Provider URL textbox. Make sure Identity Provider URL is selected.

For detailed documentation, visit Rippling's website here →

For detailed documentation, visit TrustLogin’s website here →

If you don't use one of Notion’s supported SAML providers, you can also configure your IdP to use SAML with Notion.

Your IdP must support the SAML 2.0 spec to be used with Notion. To set up your IdP:

1. Configure the ACS URL to the value Assertion Consumer Service (ACS) URL from Notion. You can find this in Settings → Identity & Provisioning → Edit SAML SSO Configuration.

2. Configure NameID to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.

   1. Similarly, configure username to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.

3. Configure EntityID to https://notion.so/sso/saml. You can find this in Settings → the bottom of Identity & Provisioning.

4. Configure the following attributes:

   • emailAddress: This is a user's email address. Most IdPs set this by default.

   • (Optional) firstName

   • (Optional) lastName

   • (Optional) profilePicture

5. Copy the IdP metadata URL or IdP metadata XML for next steps.

To set up SAML in Notion:

1. In Notion, click Settings → Settings → Identity & provisioning.

2. Add new email domains and follow the prompts to verify them. These must be email domains of your users logging into Notion.

3. In SAML Single sign-on (SSO) settings, toggle Enable SAML SSO on. This will open the SAML SSO Configuration dialog.

4. Under Identity Provider Details, input the IdP metadata URL or IdP metadata XML from your IdP.

5. Make sure you provide your desired inputs for Login method, Automatic account creation, and Linked workspaces.

To switch identity providers:

1. Go to Settings in your left sidebar → Identity & provisioning → Edit SAML SSO configuration.

2. Enter your new information, then select Save changes.

When switching to a new IdP, we recommend that:

• SSO not be enforced during the transition, so you can minimize the risk of locking users out.

• Email addresses for the users under your new IdP match the user’s email in Notion.

If you encounter errors when setting up SAML SSO, check to make sure your IdP's metadata, SAML requests and responses are valid XML against the SAML XSD schemas. You can do so using this online tool.

Note that we do not support the EntitiesDescriptor element. If your IdP's metadata contains this element, extract the contained EntityDescriptor element and try again.