SAML single sign-on (SSO) lets members sign in to Conversion using your identity provider (IdP). This guide walks you through configuring SAML SSO end-to-end, from generating the values your IdP needs to pasting the IdP metadata back into Conversion.
Only administrators can configure SAML SSO.

Supported identity providers

Conversion supports any SAML 2.0–compliant identity provider, including:
  • Okta
  • Google Workspace
  • Microsoft Entra ID (formerly Azure AD)
  • OneLogin
  • JumpCloud
  • Rippling
  • Custom SAML 2.0 providers

Overview of the setup flow

The full flow has three parts:
  1. Generate the connection values in Conversion: open the SAML SSO modal in Conversion to copy the Assertion Consumer Service (ACS) URL and Entity ID.
  2. Create the SAML app in your IdP: use the ACS URL and Entity ID to create a new SAML application in your IdP.
  3. Paste the IdP metadata XML back into Conversion: download the metadata XML from your IdP and paste it into Conversion to complete the connection.

Step 1: Open the SAML SSO modal in Conversion

  1. In Conversion, go to Workspace settings → Identity and Access.
  2. Under Single sign-on (SSO), toggle Enable SAML on, then click the settings icon next to the toggle.
  3. The Set up SAML SSO modal opens. Keep this modal open while you configure your IdP, since you’ll come back to paste the metadata XML.
The modal exposes two values you’ll need in your IdP:

| Field | Description |
| --- | --- |
| Assertion Consumer Service (ACS) URL | The endpoint your IdP posts the SAML response to. Unique per workspace. |
| Entity ID | Conversion’s SAML entity identifier: https://conversion.ai/sso/saml. |

Step 2: Create the SAML app in your IdP

In your IdP, create a new SAML 2.0 application and configure it with the values from the modal.

Required settings

  • ACS URL / Reply URL / Single sign-on URL: paste the ACS URL from the modal.
  • Entity ID / Audience URI / SP Entity ID: paste the Entity ID from the modal (https://conversion.ai/sso/saml).
  • NameID format: emailAddress.

Provider-specific notes

Okta

  1. Log in to the Okta Admin Console as an administrator.
  2. Go to Applications → Applications and click Create App Integration.
  3. Select SAML 2.0 and click Next.
  4. Enter Conversion as the App name and click Next.
  5. In Single sign-on URL, paste the ACS URL from the Conversion modal. Leave Use this for Recipient URL and Destination URL checked.
  6. In Audience URI (SP Entity ID), enter https://conversion.ai/sso/saml.
  7. Set Name ID format to EmailAddress and Application username to Email.
  8. Click Next, choose I’m an Okta customer adding an internal app, then click Finish.
  9. On the application’s Sign On tab, scroll to SAML Signing Certificates and click Actions → View IdP metadata next to the active certificate. A new tab opens with the metadata XML.
  10. Copy the entire XML response and paste it into the Metadata XML field in the Conversion modal.
      Some browsers, such as Chrome, add extra whitespace when displaying the XML, which must be removed before pasting. See “Step 3: Paste the IdP metadata XML into Conversion” below for more information.
  11. Back in Okta, go to the Assignments tab and assign the app to the users or groups who need access.

Google Workspace

  1. Sign in to the Google Admin Console with an administrator account.
  2. Go to Menu → Apps → Web and mobile apps.
  3. Click Add app → Add custom SAML app.
  4. Enter Conversion as the App name and click Continue.
  5. On the Google Identity Provider details screen, click Download metadata to save the GoogleIDPMetadata.xml file. Keep this file handy for the final step.
  6. Click Continue.
  7. On the Service provider details screen, paste the ACS URL from the Conversion modal into ACS URL.
  8. Enter https://conversion.ai/sso/saml into Entity ID.
  9. Set Name ID format to EMAIL and Name ID to Basic Information > Primary email. Click Continue.
  10. On the Attribute mapping screen, click Finish without adding any mappings.
  11. Back on the Conversion app page in Google Admin, click User access and turn the service ON for everyone (or for the relevant organizational units).
  12. Open the downloaded GoogleIDPMetadata.xml in a text editor, copy its full contents, and paste them into the Metadata XML field in the Conversion modal.

Microsoft Entra ID

  1. Sign in to the Microsoft Entra admin center.
  2. Go to Identity → Applications → Enterprise applications and click New application.
  3. Click Create your own application, name it Conversion, and choose Integrate any other application you don’t find in the gallery (Non-gallery). Click Create.
  4. From the app’s overview page, go to Manage → Single sign-on and select SAML.
  5. In Basic SAML Configuration, click Edit and set:
    • Identifier (Entity ID): https://conversion.ai/sso/saml
    • Reply URL (Assertion Consumer Service URL): the ACS URL from the Conversion modal
  6. Click Save.
  7. In SAML Certificates, find Federation Metadata XML and click Download to save the XML file.
  8. Open the downloaded XML in a text editor, copy its full contents, and paste them into the Metadata XML field in the Conversion modal.
  9. Back in Entra, go to Manage → Users and groups and click Add user/group to assign the app to the users or groups who need access.

OneLogin

  1. Sign in to the OneLogin Administration UI.
  2. Go to Applications → Applications and click Add App.
  3. Search for SAML Custom Connector (Advanced) and select it.
  4. Set the Display name to Conversion and click Save.
  5. Open the Configuration tab and set:
    • Audience (EntityID): https://conversion.ai/sso/saml
    • ACS (Consumer) URL Validator: .* (or a regex matching your Conversion ACS URL)
    • ACS (Consumer) URL: the ACS URL from the Conversion modal
    • SAML nameID format: Email
  6. Click Save.
  7. Open the SSO tab, click More Actions → SAML Metadata, and download the metadata XML file.
  8. Open the downloaded XML in a text editor, copy its full contents, and paste them into the Metadata XML field in the Conversion modal.
  9. Open the Users tab on the Conversion app and assign the users who need access.

Custom SAML 2.0 provider

  1. In your IdP, create a new SAML 2.0 application named Conversion.
  2. Set the ACS URL / Reply URL to the ACS URL from the Conversion modal.
  3. Set the Entity ID / Audience to https://conversion.ai/sso/saml.
  4. Set the NameID format to emailAddress.
  5. Export the IdP metadata as an XML file.
  6. Open the XML file in a text editor, copy its full contents, and paste them into the Metadata XML field in the Conversion modal.
  7. Assign the application to the users or groups who need access.
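
For the OneLogin ACS (Consumer) URL Validator field above, this added example (not part of Conversion's or OneLogin's documentation) compares the `.*` value with a pattern pinned to your ACS URL. It assumes the field takes a standard regular expression and uses Python's `re` only to test candidate patterns; `ACS_URL` and the other URLs are constructed placeholders.

```python
import re

def anchored_validator(acs_url: str) -> str:
    """Build a pattern that matches the given ACS URL and nothing else."""
    return "^" + re.escape(acs_url) + "$"

def accepted(pattern: str, urls: list[str]) -> list[str]:
    """URLs the pattern lets through under unanchored search, the most
    permissive way a validator could apply it."""
    rx = re.compile(pattern)
    return [u for u in urls if rx.search(u)]

# Constructed placeholder: copy the real ACS URL from the Conversion modal.
ACS_URL = "https://sp.example.invalid/sso/saml/acs/WORKSPACE-ID"

# Constructed URLs that differ from the configured endpoint in one respect each.
OTHER_URLS = [
    "http://sp.example.invalid/sso/saml/acs/WORKSPACE-ID",     # scheme
    "https://sp.example.invalid/sso/saml/acs/WORKSPACE-ID/x",  # trailing path
    "https://spXexample.invalid/sso/saml/acs/WORKSPACE-ID",    # unescaped '.'
    "https://elsewhere.example.invalid/?r=" + ACS_URL,         # URL as a substring
]

def compare() -> dict:
    """How many of OTHER_URLS each candidate validator would accept."""
    candidates = {"wildcard": ".*", "raw URL": ACS_URL,
                  "anchored": anchored_validator(ACS_URL)}
    return {name: len(accepted(p, OTHER_URLS)) for name, p in candidates.items()}

if __name__ == "__main__":
    print(anchored_validator(ACS_URL))  # value to paste into the validator field
    print(compare())
```

Only the escaped, anchored pattern accepts the configured ACS URL and none of the variations.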

Step 3: Paste the IdP metadata XML into Conversion

Back in the Set up SAML SSO modal in Conversion, paste your IdP’s metadata XML into the Metadata XML field and click Save.
Conversion accepts the metadata XML contents, not a metadata URL. If your IdP only provides a metadata URL, run a GET request against that URL (for example with curl) and paste the response body into the modal.
If you copy the XML from a web browser like Chrome, make sure there are no extra whitespace characters at the start or end of the contents. Stray whitespace will cause the SAML configuration to fail validation.
Once saved, members will see the option to sign in with SAML SSO on the Conversion login page.
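
A pre-flight check to run on the metadata before pasting it, as an added example that is not part of Conversion's documentation or tooling. It trims the whitespace described above, confirms the document is IdP rather than service provider metadata, and returns the signing certificate's SHA-256 fingerprint so you can compare it with the one shown in your IdP console. The function name `preflight`, the sample metadata and the `idp.example.invalid` URLs are constructed for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

def preflight(raw: str) -> dict:
    """Clean pasted metadata and summarise it; raises if it should not be pasted."""
    xml = raw.lstrip("\ufeff").strip()  # drop BOM and leading/trailing whitespace
    if "<!DOCTYPE" in xml or "<!ENTITY" in xml:
        raise ValueError("DTD or entity declaration found in metadata")
    root = ET.fromstring(xml)
    if root.tag != MD + "EntityDescriptor":
        raise ValueError(f"unexpected root element {root.tag}")
    idp = root.find(MD + "IDPSSODescriptor")
    if idp is None:
        is_sp = root.find(MD + "SPSSODescriptor") is not None
        raise ValueError("SP metadata, not IdP metadata" if is_sp else "no IDPSSODescriptor")
    prints = []
    for kd in idp.findall(MD + "KeyDescriptor"):
        if kd.get("use", "signing") == "signing":  # no 'use' means any purpose
            for cert in kd.iter(DS + "X509Certificate"):
                der = base64.b64decode("".join((cert.text or "").split()))
                prints.append(hashlib.sha256(der).hexdigest())
    sso = [s.get("Location", "") for s in idp.findall(MD + "SingleSignOnService")]
    formats = [(n.text or "").strip() for n in idp.findall(MD + "NameIDFormat")]
    checks = {"no signing certificate": not prints,
              "missing or non-https SSO endpoint":
                  not sso or any(not u.startswith("https://") for u in sso),
              "emailAddress NameID format not advertised":
                  bool(formats) and EMAIL_FMT not in formats}
    return {"xml": xml, "entity_id": root.get("entityID"), "sso": sso,
            "cert_sha256": prints, "warnings": [m for m, bad in checks.items() if bad]}

# Constructed sample; the certificate body is placeholder bytes, not a real X.509.
CERT_BYTES = b"constructed placeholder certificate"
SAMPLE_IDP = f"""<md:EntityDescriptor xmlns:md="{MD[1:-1]}" xmlns:ds="{DS[1:-1]}"
    entityID="https://idp.example.invalid/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      {base64.b64encode(CERT_BYTES).decode()}
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>{EMAIL_FMT}</md:NameIDFormat>
    <md:SingleSignOnService Location="https://idp.example.invalid/sso"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
```

Paste the returned `xml` value rather than the raw browser copy, and treat any entry in `warnings` as a reason to re-export the metadata from the IdP.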

Inviting members

Conversion does not provision members from your IdP automatically. Members are invited from inside Conversion, not from the IdP. To grant a member access:
  1. Go to Workspace settings → Members.
  2. Open the Invitations tab and click + Invite.
  3. Enter the member’s email address and choose their role.
When they accept the invitation, they can sign in with SAML SSO using the same email address. If you want new members to be created automatically the first time they sign in with SAML SSO, enable Just-in-time (JIT) provisioning on the Identity and Access page. Alternatively, use SCIM to sync members directly from your IdP.

Requiring SSO for all members

Once SAML SSO is working, you can require it for all members from the Identity and Access page by toggling Require SSO for this business on. Business owners can always sign in with any method, which prevents lockout if the IdP becomes unavailable.

Troubleshooting

  • “Invalid metadata” on save / Members receive error on login: confirm there are no leading or trailing whitespace characters in the pasted XML, and that the XML is the IdP metadata (not service provider metadata).
  • No SSO option on the login page: confirm the domain on Identity and Access is verified and that Enable SAML is toggled on.