Setting Up SAML SSO

Follow these steps to set up your SAML SSO

Written by Natalie Novick
Updated over a week ago

SAML SSO is available on SafeBase's paid Growth or Enterprise plans

Note: New users will be assigned the Default Role you specified on the Settings page.

SCIM support is scheduled for Q3 '23 for streamlined provisioning and access control

To set up SAML SSO

  • Message our live chat or email our support team requesting to "Setup a SAML connection". Please include in the message which Identity Service Provider (IdP) you currently use.

  • We will configure a few things on our end, and provide you with an identifier connection_id that you will use for your connection setup.

Note: Don't enable the "Enforce SAML" setting in the Settings page until Step 3 has been completed and you have verified that your SAML connection is working.

Troubleshooting Note: When attempting to log into the portal for the first time using SAML, if you see the first and last name blank verify the mapping, and try again in incognito or clear your browser cache.

Step 1: Create a SAML App with the following information

Note: replace connection_id with the value that we will provide to you.


    • Ex. SafeBase's SSO URL

  • Audience URI (SP Entity ID)

    • In the example above, the Audience URI


  • For direct metadata import (if available), use this URL

    • In the example above, the direct metadata import URL would be

Step 2: Set Up Attribute Mapping

Let us know who your Identity Provider is.

Note: Attribute mapping may vary slightly than the examples below depending on your IdP. Let us know if you'd like IdP-initiated SSO to be enabled.

Map the following attributes:

  • First name → firstName

  • Last name → lastName

  • Email → email

  • Identifier/Login → id

Okta Specific Instructions

  • Single sign on URL

  • Audience URI


  • Default RelayState

    Leave this blank

  • Name ID Format


  • Application username

    Okta username

  • See below for an example

OneLogin Specific Instructions

  • ACS (Consumer) URL

  • Relay State

  • Audience

  • Recipient

  • ACS (Consumer) URL Validator

  • Login URL

  • Add custom attributes

    OneLogin field → Field that SafeBase is expecting

    • Email → email

    • First Name → firstName

    • Last Name → lastName

    • Username → id

Google SAML Specific Instructions


  • Entity ID


  • Start URL

    Leave this blank

  • Attribute Mapping (Should all be in Basic Information):

    Note: From our experience Google SAML can be buggy at times. You may encounter errors such as “403: Not a SaaS application” or “Could not save SafeBase as an app.” We’ve found that waiting a few hours usually auto resolves these issues without any action on your end.

Azure AD Specific Instructions

  • Identifier (Entity ID)


  • Reply URL

  • Sign on URL

    Leave this blank

  • Relay State

    Leave this blank

  • Logout URL

    Leave this blank

  • User attributes and claims:

    Azure AD field → Field that SafeBase is expecting

    • firstName -> user.givenname

    • lastName -> user.surname

    • email -> user.mail

    • id -> user.userprincipalname

Step 3: Send us your SAML Metadata URL

Please message our live chat or email our support team and send us a copy of your SAML app metadata URL and we will complete the setup on our end.

If you would like your requests to be signed, you can enable this option in your SAML provider and use the certificate attached at the bottom of this article.

Note: If you are unable send us the metadata URL from your idP, please provide the following:

  • idP SSO URL

  • X.509 Certificate

  • If you are using Okta, you can find it by clicking on "View Setup Instructions"

Step 4: Inviting Users

  • Once SAML is configured, you will no longer be able to invite your teammates directly from within SafeBase.

  • Instead, simply add them to the appropriate group that grants them access in your identity provider.

  • SafeBase will automatically create the account for that user once they login for the first time via their Okta tile, etc.

Attachment icon
Did this answer your question?