> ## Documentation Index
> Fetch the complete documentation index at: https://docs.conversion.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Set up your identity provider for SAML SSO

> Connect Conversion to your identity provider (IdP) to enable SAML single sign-on for members.

SAML single sign-on (SSO) lets members sign in to Conversion using your identity provider (IdP). This guide walks you through configuring SAML SSO end-to-end, from generating the values your IdP needs to pasting the IdP metadata back into Conversion.

<Note>
  Only administrators can configure SAML SSO.
</Note>

## Supported identity providers

Conversion supports any SAML 2.0–compliant identity provider, including:

* Okta
* Google Workspace
* Microsoft Entra ID (formerly Azure AD)
* OneLogin
* JumpCloud
* Rippling
* Custom SAML 2.0 providers

## Overview of the setup flow

The full flow has three parts:

<Steps>
  <Step title="Generate the connection values in Conversion">
    Open the SAML SSO modal in Conversion to copy the **Assertion Consumer Service (ACS) URL** and **Entity ID**.
  </Step>

  <Step title="Create the SAML app in your IdP">
    Use the ACS URL and Entity ID to create a new SAML application in your IdP.
  </Step>

  <Step title="Paste the IdP metadata XML back into Conversion">
    Download the metadata XML from your IdP and paste it into Conversion to complete the connection.
  </Step>
</Steps>

## Step 1: Open the SAML SSO modal in Conversion

1. In Conversion, go to **Workspace settings -> Identity and Access**.
2. Under **Single sign-on (SSO)**, toggle **Enable SAML** on, then click the settings icon next to the toggle.
3. The **Set up SAML SSO** modal opens. Keep this modal open while you configure your IdP, since you'll come back to paste the metadata XML.

The modal exposes two values you'll need in your IdP:

| Field                                | Description                                                             |
| ------------------------------------ | ----------------------------------------------------------------------- |
| Assertion Consumer Service (ACS) URL | The endpoint your IdP posts the SAML response to. Unique per workspace. |
| Entity ID                            | Conversion's SAML entity identifier: `https://conversion.ai/sso/saml`.  |

## Step 2: Create the SAML app in your IdP

In your IdP, create a new SAML 2.0 application and configure it with the values from the modal.

### Required settings

* **ACS URL / Reply URL / Single sign-on URL**: paste the ACS URL from the modal.
* **Entity ID / Audience URI / SP Entity ID**: paste the Entity ID from the modal (`https://conversion.ai/sso/saml`).
* **NameID format**: `emailAddress`.

### Provider-specific notes

<AccordionGroup>
  <Accordion title="Okta">
    1. Log into the **Okta Admin Console** as an administrator.
    2. Go to **Applications → Applications** and click **Create App Integration**.
    3. Select **SAML 2.0** and click **Next**.
    4. Enter `Conversion` as the **App name** and click **Next**.
    5. In **Single sign-on URL**, paste the ACS URL from the Conversion modal. Leave **Use this for Recipient URL and Destination URL** checked.
    6. In **Audience URI (SP Entity ID)**, enter `https://conversion.ai/sso/saml`.
    7. Set **Name ID format** to `EmailAddress` and **Application username** to `Email`.
    8. Click **Next**, choose **I'm an Okta customer adding an internal app**, then click **Finish**.
    9. On the application's **Sign On** tab, scroll to **SAML Signing Certificates** and click **Actions → View IdP metadata** next to the active certificate. A new tab opens with the metadata XML.
    10. Copy the entire XML response and paste it into the **Metadata XML** field in the Conversion modal.

    <Warning>
      Some browsers such as Chrome add extra whitespaces when displaying the XML, which must be removed before pasting.

      See [Paste the IdP metadata XML into Conversion](/product-docs/workspace-settings/identity-and-access/saml-sso-setup#step-3-paste-the-idp-metadata-xml-into-conversion) below for more info.
    </Warning>

    11. Back in Okta, go to the **Assignments** tab and assign the app to the users or groups who need access.
  </Accordion>

  <Accordion title="Google Workspace">
    1. Sign in to the **Google Admin Console** with an administrator account.
    2. Go to **Menu → Apps → Web and mobile apps**.
    3. Click **Add app → Add custom SAML app**.
    4. Enter `Conversion` as the **App name** and click **Continue**.
    5. On the **Google Identity Provider details** screen, click **Download metadata** to save the `GoogleIDPMetadata.xml` file. Keep this file handy for the final step.
    6. Click **Continue**.
    7. On the **Service provider details** screen, paste the ACS URL from the Conversion modal into **ACS URL**.
    8. Enter `https://conversion.ai/sso/saml` into **Entity ID**.
    9. Set **Name ID format** to `EMAIL` and **Name ID** to `Basic Information > Primary email`. Click **Continue**.
    10. On the **Attribute mapping** screen, click **Finish** without adding any mappings.
    11. Back on the Conversion app page in Google Admin, click **User access** and turn the service **ON for everyone** (or for the relevant organizational units).
    12. Open the downloaded `GoogleIDPMetadata.xml` in a text editor, copy its full contents, and paste them into the **Metadata XML** field in the Conversion modal.
  </Accordion>

  <Accordion title="Microsoft Entra ID">
    1. Sign in to the **Microsoft Entra admin center**.
    2. Go to **Identity → Applications → Enterprise applications** and click **New application**.
    3. Click **Create your own application**, name it `Conversion`, and choose **Integrate any other application you don't find in the gallery (Non-gallery)**. Click **Create**.
    4. From the app's overview page, go to **Manage → Single sign-on** and select **SAML**.
    5. In **Basic SAML Configuration**, click **Edit** and set:
       * **Identifier (Entity ID)**: `https://conversion.ai/sso/saml`
       * **Reply URL (Assertion Consumer Service URL)**: the ACS URL from the Conversion modal
    6. Click **Save**.
    7. In **SAML Certificates**, find **Federation Metadata XML** and click **Download** to save the XML file.
    8. Open the downloaded XML in a text editor, copy its full contents, and paste them into the **Metadata XML** field in the Conversion modal.
    9. Back in Entra, go to **Manage → Users and groups** and click **Add user/group** to assign the app to the users or groups who need access.
  </Accordion>

  <Accordion title="OneLogin">
    1. Sign in to the **OneLogin Administration UI**.
    2. Go to **Applications → Applications** and click **Add App**.
    3. Search for **SAML Custom Connector (Advanced)** and select it.
    4. Set the **Display name** to `Conversion` and click **Save**.
    5. Open the **Configuration** tab and set:
       * **Audience (EntityID)**: `https://conversion.ai/sso/saml`
       * **ACS (Consumer) URL Validator**: `.*` (or a regex matching your Conversion ACS URL)
       * **ACS (Consumer) URL**: the ACS URL from the Conversion modal
       * **SAML nameID format**: `Email`
    6. Click **Save**.
    7. Open the **SSO** tab, click **More Actions → SAML Metadata**, and download the metadata XML file.
    8. Open the downloaded XML in a text editor, copy its full contents, and paste them into the **Metadata XML** field in the Conversion modal.
    9. Open the **Users** tab on the Conversion app and assign the users who need access.
  </Accordion>

  <Accordion title="Custom SAML 2.0 provider">
    1. In your IdP, create a new SAML 2.0 application named `Conversion`.
    2. Set the **ACS URL / Reply URL** to the ACS URL from the Conversion modal.
    3. Set the **Entity ID / Audience** to `https://conversion.ai/sso/saml`.
    4. Set the **NameID format** to `emailAddress`.
    5. Export the IdP metadata as an XML file.
    6. Open the XML file in a text editor, copy its full contents, and paste them into the **Metadata XML** field in the Conversion modal.
    7. Assign the application to the users or groups who need access.
  </Accordion>
</AccordionGroup>

## Step 3: Paste the IdP metadata XML into Conversion

Back in the **Set up SAML SSO** modal in Conversion, paste your IdP's metadata XML into the **Metadata XML** field and click **Save**.

<Warning>
  Conversion accepts the **metadata XML contents**, not a metadata URL. If your IdP only provides a metadata URL, run a `GET` request against that URL (for example with `curl`) and paste the response body into the modal.
</Warning>

<Warning>
  If you copy the XML from a web browser like Chrome, make sure there are **no extra whitespace characters** at the start or end of the contents. Stray whitespace will cause the SAML configuration to fail validation.
</Warning>

Once saved, members will see the option to sign in with SAML SSO on the Conversion login page.

## Inviting members

Conversion does not provision members from your IdP automatically. Members are invited from inside Conversion, not from the IdP.

To grant a member access:

1. Go to **Workspace settings → [Members](/product-docs/workspace-settings/members/overview)**.
2. Open the **Invitations** tab and click **+ Invite**.
3. Enter the member's email address and choose their role.

When they accept the invitation, they can sign in with SAML SSO using the same email address.

If you want new members to be created automatically the first time they sign in with SAML SSO, enable **Just-in-time (JIT) provisioning** on the [Identity and Access](/product-docs/workspace-settings/identity-and-access/overview) page. Alternatively, use SCIM to sync members directly from your IdP.

## Requiring SSO for all members

Once SAML SSO is working, you can require it for all members from the [Identity and Access](/product-docs/workspace-settings/identity-and-access/overview) page by toggling **Require SSO for this business** on. Business owners can always sign in with any method, which prevents lockout if the IdP becomes unavailable.

## Troubleshooting

* **"Invalid metadata" on save / Members receive error on login**: confirm there are no leading or trailing whitespace characters in the pasted XML, and that the XML is the IdP metadata (not service provider metadata).
* **No SSO option on the login page**: confirm the domain on [Identity and Access](/product-docs/workspace-settings/identity-and-access/overview) is verified and that **Enable SAML** is toggled on.
