
# Single Sign-On (SSO) Overview

> Find out how to set up SAML SSO with Sevalla. 

Security Assertion Markup Language (SAML) Single Sign-On (SSO) allows users to securely access multiple applications using a single set of credentials, typically their company email and password. Instead of creating separate logins for each service, users authenticate once through a company-managed Identity Provider (IdP) such as Okta, OneLogin, Microsoft Entra, or Google Workspace.

The IdP verifies the user’s identity and grants access to all connected applications without requiring additional logins. The organization centrally manages access control, authentication policies, and permissions, providing greater security, compliance, and administrative efficiency.

With SAML SSO, company owners or IT administrators can link their corporate email domain (e.g., `@mycompany.com`) to the organization’s IdP. This ensures that anyone with a company email address is automatically recognized and securely authenticated when accessing approved tools and services.

At Sevalla, SAML SSO lets you connect your company’s IdP directly to Sevalla. By creating a SAML application in your IdP and adding the connection details to Sevalla, your team can sign in using their existing company credentials, eliminating the need to create or manage separate Sevalla passwords. This also gives company owners centralized control over who can access Sevalla, directly through the IdP.

Sevalla supports all identity providers (IdPs) that use the SAML standard, including Microsoft Entra ID, Okta, OneLogin, Google Workspace, Auth0, Duo, JumpCloud, and more.

<Info>
  When using SAML SSO with Sevalla, login must always be initiated from Sevalla. Logging in directly from your Identity Provider (IdP) is not supported.

  IdPs only support one active session per browser. If you have multiple accounts and are logged into one, attempting to log into another through Sevalla will result in an error. To switch accounts, log out of your IdP or use your browser’s Incognito/Private mode.
</Info>

## Set up SAML SSO

For detailed step-by-step guides for the most popular IdPs, refer to one of the following:

* [Google Workspace SAML SSO](https://docs.sevalla.com/company-settings/single-sign-on/google)
* [Microsoft Entra SAML SSO](https://docs.sevalla.com/company-settings/single-sign-on/microsoft)
* [Okta SAML SSO](https://docs.sevalla.com/company-settings/single-sign-on/okta)
* [OneLogin SAML SSO](https://docs.sevalla.com/company-settings/single-sign-on/onelogin)
* [Ping Identity SAML SSO](https://docs.sevalla.com/company-settings/single-sign-on/ping)

### Enable SSO in Sevalla

You can navigate away from the SAML SSO setup at any stage; your progress is stored and you can return later.

In Sevalla, go to your **Company settings** > **Single sign-on**, and click **Enable**.

<Frame caption="Enable SSO in Sevalla.">
  <img className="block dark:hidden" alt="Enable SSO" src="https://mintcdn.com/sevalla/znhzGue4KWYN3uG0/images/enable-sso-light.png?fit=max&auto=format&n=znhzGue4KWYN3uG0&q=85&s=c398cd2b338da89076717091f38bedce" width="3374" height="1800" data-path="images/enable-sso-light.png" />

  <img className="hidden dark:block" alt="Enable SSO" src="https://mintcdn.com/sevalla/znhzGue4KWYN3uG0/images/enable-sso-dark.png?fit=max&auto=format&n=znhzGue4KWYN3uG0&q=85&s=d18cb436015197af6d85ab284e84c7bd" width="3370" height="1798" data-path="images/enable-sso-dark.png" />
</Frame>

Read through the introduction, which explains how SSO will be set up, and click **Continue**.

<Frame caption="Introduction to the steps required to set up SSO.">
  <img className="block dark:hidden" alt="Introduction to the steps required to set up SSO" src="https://mintcdn.com/sevalla/qvdUBAuQue_4UYIa/images/sso-intro-light.png?fit=max&auto=format&n=qvdUBAuQue_4UYIa&q=85&s=8455fa4a6402a82184990f89d0d727c7" width="2564" height="1544" data-path="images/sso-intro-light.png" />

  <img className="hidden dark:block" alt="Introduction to the steps required to set up SSO" src="https://mintcdn.com/sevalla/qvdUBAuQue_4UYIa/images/sso-intro-dark.png?fit=max&auto=format&n=qvdUBAuQue_4UYIa&q=85&s=06df698980233807f30719682814092a" width="2570" height="1558" data-path="images/sso-intro-dark.png" />
</Frame>

### Set up the app integration in your IdP

Use the information provided within **Create SAML app** to set up a SAML app within your identity provider, and then click **Continue**.

* **App name:** Copy and paste this into the Application Name field in your IdP.
* **App description:** Copy and paste this into the Application Description field in your IdP. This field is typically optional.
* **App icon:** Click Download to get the Sevalla icon, then upload it to your IdP application.
* **SSO/ACS URL:** This is the Sevalla endpoint your IdP redirects to after authentication. It processes the SAML response, verifies it, and establishes the user’s session in Sevalla. Copy and paste this into the **SSO**/**ACS**/**Recipient**/**Single sign-on URL** field in your IdP.
* **Entity ID:** Sevalla's unique identifier within your IdP, used to recognize Sevalla as the service provider. Copy and paste this into the **Entity ID**/**Audience URI**/**Audience** field in your IdP.
* **Start URL:** The web address for Sevalla's SSO access portal. This is the entry point users visit to log in using SSO, triggering the SAML authentication request to the IdP. Copy and paste this into the **Start URL**/**Login URL** field in your IdP.
* **Signed Response:** A signed response provides secure digital verification, allowing Sevalla to confirm a user’s identity and grant access without requiring an additional login.
* **Name ID format:** Defines how Sevalla identifies users. This must be set to an email address format in the IdP.
* **Required attributes:** The attributes Sevalla requires from your IdP to complete the login process.

<Note>
  As Sevalla is a [**Kinsta**](https://kinsta.com/) product, we use `my.kinsta.com` in the **SSO/ACS URL**, **Entity ID**, and **Start URL**. This is a normal part of the Sevalla experience.
</Note>

<Frame caption="Information to create the SAML app at your IdP.">
  <img className="block dark:hidden" alt="Information to create the SAML app at your IdP" src="https://mintcdn.com/sevalla/qvdUBAuQue_4UYIa/images/sso-create-app-light.png?fit=max&auto=format&n=qvdUBAuQue_4UYIa&q=85&s=3df84e52792cd16e9c73d651a51ce2e9" width="2568" height="2332" data-path="images/sso-create-app-light.png" />

  <img className="hidden dark:block" alt="Information to create the SAML app at your IdP" src="https://mintcdn.com/sevalla/E2LMVE0PTfkyQPVl/images/sso-create-app-dark.png?fit=max&auto=format&n=E2LMVE0PTfkyQPVl&q=85&s=7b57f5b0ec84b4ac11032677ad92e977" width="2572" height="2340" data-path="images/sso-create-app-dark.png" />
</Frame>
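If the authentication test later fails, the usual cause is a mismatch between the fields above and what the IdP actually sends. The following added example (not Sevalla's code) decodes a base64 `SAMLResponse` captured from your own test login and compares it with the values from **Create SAML app**. The URLs in `EXPECTED`, the function names, and the sample response are placeholders constructed for the example.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Placeholders (assumptions): copy the real values from Create SAML app.
EXPECTED = {
    "acs_url": "https://sp.example.invalid/sso/acs",
    "entity_id": "https://sp.example.invalid/sso/entity",
    "email_domain": "example.com",
}


def check_saml_response(b64_response, expected=EXPECTED):
    """Return a list of field mismatches; an empty list means the fields line up.

    Diagnostic only: it checks that a signature element is present, it does
    not verify it. Run it on responses captured from your own test login.
    """
    root = ET.fromstring(base64.b64decode(b64_response))
    problems = []

    # SSO/ACS URL: the response must be addressed to the service provider endpoint.
    if root.get("Destination") != expected["acs_url"]:
        problems.append("Destination does not match the SSO/ACS URL")
    for scd in root.iterfind(".//saml:SubjectConfirmationData", NS):
        if scd.get("Recipient") != expected["acs_url"]:
            problems.append("Recipient does not match the SSO/ACS URL")

    # Entity ID: must appear as an Audience of the assertion.
    audiences = [(a.text or "").strip() for a in root.iterfind(".//saml:Audience", NS)]
    if expected["entity_id"] not in audiences:
        problems.append("Audience does not contain the Entity ID")

    # Signed Response: ds:Signature as a direct child of samlp:Response.
    if root.find("ds:Signature", NS) is None:
        problems.append("Response element is not signed")

    # Name ID format: email address, on the domain added in the setup.
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None:
        problems.append("No NameID in the assertion")
    else:
        if name_id.get("Format") != EMAIL_FORMAT:
            problems.append("NameID Format is not emailAddress")
        email = (name_id.text or "").strip().lower()
        if not email.endswith("@" + expected["email_domain"]):
            problems.append("NameID is not on the verified email domain")
    return problems


def build_sample(destination, audience, fmt, email, signed=True):
    """Constructed response for the demo; the signature is an empty stand-in."""
    sig = f'<ds:Signature xmlns:ds="{NS["ds"]}"/>' if signed else ""
    xml = (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        f'Destination="{destination}">{sig}<saml:Assertion><saml:Subject>'
        f'<saml:NameID Format="{fmt}">{email}</saml:NameID><saml:SubjectConfirmation>'
        f'<saml:SubjectConfirmationData Recipient="{destination}"/>'
        "</saml:SubjectConfirmation></saml:Subject><saml:Conditions>"
        f"<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>"
        "</saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>"
    )
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    ok = build_sample(EXPECTED["acs_url"], EXPECTED["entity_id"], EMAIL_FORMAT, "dev@example.com")
    print(check_saml_response(ok))
```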

### Sevalla setup

#### Email domain

In the **Domain name** field, enter the email domain users will use to sign in using SAML SSO, and click **Add domain**.

Only Sevalla accounts with an email address matching the verified domain can authenticate via SAML. For example, if SAML is enabled for `example.com`, only users with an `@example.com` email address will be able to sign in for that company.

<Info>
  Each email address can only be linked to one SAML configuration in Sevalla. This means a domain (e.g., `example.com`) can be associated with only one company at a time. Similarly, each Sevalla user can use SAML authentication for a single company only.
</Info>

If the domain has already been verified in Sevalla through DNS management or as a site domain, it will automatically be verified. If it hasn’t, you’ll be prompted to add a TXT record to your DNS management service to confirm domain ownership.

<Frame caption="Add the TXT record to your DNS to verify ownership.">
  <img className="block dark:hidden" alt="Add the TXT record to your DNS to verify ownership" src="https://mintcdn.com/sevalla/qvdUBAuQue_4UYIa/images/sso-verify-domain-light.png?fit=max&auto=format&n=qvdUBAuQue_4UYIa&q=85&s=ac2d73377d2fa61df230882f43e8a3dd" width="1044" height="806" data-path="images/sso-verify-domain-light.png" />

  <img className="hidden dark:block" alt="Add the TXT record to your DNS to verify ownership" src="https://mintcdn.com/sevalla/qvdUBAuQue_4UYIa/images/sso-verify-domain-dark.png?fit=max&auto=format&n=qvdUBAuQue_4UYIa&q=85&s=27431c552c5c8c7177aa1e39a53acb49" width="1052" height="814" data-path="images/sso-verify-domain-dark.png" />
</Frame>

Because DNS changes can take time to propagate, you can navigate away from the SSO setup; your progress is stored and you can return later.

#### Set up Sevalla SAML

When the domain has been verified, use the information provided from your IdP to complete the **SSO URL**, **Entity ID**, and **Public certificate**, and then click **Continue**.

<Warning>
  Certificates can expire, so you may need to update this in the future. Company Owners and Company Administrators will receive a notification three weeks prior to certificate expiration to ensure the certificate is updated in a timely manner.
</Warning>

<Frame caption="Use your IdP details to set up SSO within Sevalla.">
  <img className="block dark:hidden" alt="Use your IdP details to set up SSO within Sevalla" src="https://mintcdn.com/sevalla/qvdUBAuQue_4UYIa/images/sso-sevalla-setup-light.png?fit=max&auto=format&n=qvdUBAuQue_4UYIa&q=85&s=dd34e3252d346f980cd756167c58fb45" width="2570" height="2376" data-path="images/sso-sevalla-setup-light.png" />

  <img className="hidden dark:block" alt="Use your IdP details to set up SSO within Sevalla" src="https://mintcdn.com/sevalla/qvdUBAuQue_4UYIa/images/sso-sevalla-setup-dark.png?fit=max&auto=format&n=qvdUBAuQue_4UYIa&q=85&s=beef8305eaf7862b7e6f1b876ddef2a4" width="2572" height="2380" data-path="images/sso-sevalla-setup-dark.png" />
</Frame>

### Test the authentication in Sevalla

To check everything is set up correctly, click **Test authentication**.

A notification tells you whether the test succeeded or failed.

If the test fails, click **Back** and check your SAML settings within your IdP and within Sevalla.

If the test is successful and you want to enable SAML, click **Save and set SSO live**.

<Frame caption="Test your SSO setup and set SSO live.">
  <img className="block dark:hidden" alt="Test your SSO setup and set SSO live" src="https://mintcdn.com/sevalla/qvdUBAuQue_4UYIa/images/sso-test-finish-light.png?fit=max&auto=format&n=qvdUBAuQue_4UYIa&q=85&s=58ab5bb43e02dd0016359b323a5d94a1" width="2566" height="1410" data-path="images/sso-test-finish-light.png" />

  <img className="hidden dark:block" alt="Test your SSO setup and set SSO live" src="https://mintcdn.com/sevalla/qvdUBAuQue_4UYIa/images/sso-test-finish-dark.png?fit=max&auto=format&n=qvdUBAuQue_4UYIa&q=85&s=847e7226d8a9e1c76a56dca41bf650b5" width="2572" height="1418" data-path="images/sso-test-finish-dark.png" />
</Frame>

Your Sevalla company users will now be able to sign in with SAML SSO or by entering their username and password. If you want to force users to sign on via SAML, you can enable Mandatory SSO. Users who sign in through an IdP are not required to complete Sevalla's 2FA, as authentication is handled directly by the IdP.

<Frame caption="Sign in to Sevalla with SAML SSO.">
  <img className="block dark:hidden" alt="Sign in to Sevalla with SAML SSO" src="https://mintcdn.com/sevalla/qvdUBAuQue_4UYIa/images/sso-sign-in-light.png?fit=max&auto=format&n=qvdUBAuQue_4UYIa&q=85&s=96f246d159744eb57da7d122aa9a715e" width="790" height="1276" data-path="images/sso-sign-in-light.png" />

  <img className="hidden dark:block" alt="Sign in to Sevalla with SAML SSO" src="https://mintcdn.com/sevalla/qvdUBAuQue_4UYIa/images/sso-sign-in-dark.png?fit=max&auto=format&n=qvdUBAuQue_4UYIa&q=85&s=17186899f4184229d734993b4c54c76b" width="790" height="1274" data-path="images/sso-sign-in-dark.png" />
</Frame>

## Mandatory single sign-on

To require all users to log in with SSO, enable mandatory SSO. With this setting, all users are prompted to sign in via the identity provider (IdP) rather than their Sevalla credentials. If a user has already authenticated with SAML elsewhere, they'll automatically be logged in. If a user switches companies to a company that does not have SSO enabled, they must enter their Sevalla credentials.

You can also add Exceptions to allow specific users to log in with a password even when mandatory SSO is enabled. This is useful for third parties that need to access your company but don't have an email address in your domain, such as developers.

<Warning>
  We strongly recommend adding at least one user as an exception, such as the company owner, so you can still access your company with your Sevalla credentials if any issues occur with SAML SSO.
</Warning>

If mandatory SSO is enabled but SAML is **not** enabled, users will be required to log in with their Sevalla credentials.

<Frame caption="Enable mandatory SSO for all users.">
  <img className="block dark:hidden" alt="Enable mandatory SSO for all users" src="https://mintcdn.com/sevalla/qvdUBAuQue_4UYIa/images/sso-mandatory-sso-light.png?fit=max&auto=format&n=qvdUBAuQue_4UYIa&q=85&s=644f0a2720851465f91a0fde020cd0f6" width="2552" height="322" data-path="images/sso-mandatory-sso-light.png" />

  <img className="hidden dark:block" alt="Enable mandatory SSO for all users" src="https://mintcdn.com/sevalla/qvdUBAuQue_4UYIa/images/sso-mandatory-sso-dark.png?fit=max&auto=format&n=qvdUBAuQue_4UYIa&q=85&s=94b090913ab7ec4a3a1954f53330e3ef" width="2562" height="326" data-path="images/sso-mandatory-sso-dark.png" />
</Frame>

## Exceptions

If mandatory SSO is enabled, you can add specific users to an exceptions list, allowing them to log in with their Sevalla credentials instead of SSO. This is useful for third parties that need to access your company but don't have an email address in your domain, such as developers.

<Warning>
  We strongly recommend adding at least one user as an exception, such as the company owner, so you can still access your company with your Sevalla credentials if any issues occur with SAML SSO.
</Warning>

<Frame caption="Users who can still sign on with a password when mandatory SSO is enabled.">
  <img className="block dark:hidden" alt="Users who can still sign on with a password when mandatory SSO is enabled" src="https://mintcdn.com/sevalla/qvdUBAuQue_4UYIa/images/sso-exceptions-light.png?fit=max&auto=format&n=qvdUBAuQue_4UYIa&q=85&s=5126a171dbfc0ba89b1d5e37299a2905" width="2552" height="404" data-path="images/sso-exceptions-light.png" />

  <img className="hidden dark:block" alt="Users who can still sign on with a password when mandatory SSO is enabled" src="https://mintcdn.com/sevalla/qvdUBAuQue_4UYIa/images/sso-exceptions-dark.png?fit=max&auto=format&n=qvdUBAuQue_4UYIa&q=85&s=1b44a36c179566f06f19a881d5c84a3c" width="2556" height="406" data-path="images/sso-exceptions-dark.png" />
</Frame>

### Add a user to exceptions

To add a user to the exceptions list, click **Add exception**. Select the user from the list and click **Add**.

<Frame caption="Add a user to the exceptions list.">
  <img className="block dark:hidden" alt="Add a user to the exceptions list" src="https://mintcdn.com/sevalla/E2LMVE0PTfkyQPVl/images/sso-add-exceptions-light.png?fit=max&auto=format&n=E2LMVE0PTfkyQPVl&q=85&s=d28550fd42e5a79207daf6f90c9467cc" width="1184" height="680" data-path="images/sso-add-exceptions-light.png" />

  <img className="hidden dark:block" alt="Add a user to the exceptions list" src="https://mintcdn.com/sevalla/E2LMVE0PTfkyQPVl/images/sso-add-exceptions-dark.png?fit=max&auto=format&n=E2LMVE0PTfkyQPVl&q=85&s=2cf9b974df273cff086e8cb3a242003e" width="1186" height="678" data-path="images/sso-add-exceptions-dark.png" />
</Frame>

### Remove a user from exceptions

To remove a user from the exceptions list, click the trash can icon next to the user, then click **Continue**.

<Frame caption="Remove a user from exceptions.">
  <img className="block dark:hidden" alt="Remove a user from exceptions" src="https://mintcdn.com/sevalla/qvdUBAuQue_4UYIa/images/sso-remove-exceptions-light.png?fit=max&auto=format&n=qvdUBAuQue_4UYIa&q=85&s=7495757a334749fe41110760c1aa0842" width="2552" height="404" data-path="images/sso-remove-exceptions-light.png" />

  <img className="hidden dark:block" alt="Remove a user from exceptions" src="https://mintcdn.com/sevalla/qvdUBAuQue_4UYIa/images/sso-remove-exceptions-dark.png?fit=max&auto=format&n=qvdUBAuQue_4UYIa&q=85&s=b8d024272ae2498f1aed3d3df0d1dc68" width="2556" height="406" data-path="images/sso-remove-exceptions-dark.png" />
</Frame>

When you remove the last user from the exceptions list, a warning message will appear. If all users are removed and an issue occurs with the IdP, you may lose access to your Sevalla company.

<Frame caption="Warning message when you remove the last user from the SSO exceptions.">
  <img className="block dark:hidden" alt="Warning message when you remove the last user from the SSO exceptions" src="https://mintcdn.com/sevalla/qvdUBAuQue_4UYIa/images/sso-remove-exceptions-confirm-light.png?fit=max&auto=format&n=qvdUBAuQue_4UYIa&q=85&s=3385b444424824041201e032171f90b0" width="1042" height="770" data-path="images/sso-remove-exceptions-confirm-light.png" />

  <img className="hidden dark:block" alt="Warning message when you remove the last user from the SSO exceptions" src="https://mintcdn.com/sevalla/qvdUBAuQue_4UYIa/images/sso-remove-exceptions-confirm-dark.png?fit=max&auto=format&n=qvdUBAuQue_4UYIa&q=85&s=e1c4bdf155b896a17c479366911fd7f7" width="1048" height="778" data-path="images/sso-remove-exceptions-confirm-dark.png" />
</Frame>

## Just-in-time provisioning

Just-in-time (JIT) provisioning allows users authorized by your IdP to access your Sevalla company without requiring an invitation. In most cases, this means anyone with an email address on your domain. When a user signs in to Sevalla, they are directed through IdP SSO and do not need to create a separate Sevalla account. By default, users provisioned through JIT are assigned the **Company Developer** role. You can adjust each user’s access level after they join, or update the default role to define the access level new JIT-provisioned users receive upon joining.

### Change default role

When JIT provisioning is enabled, users are assigned the **Company Developer** role by default. To change their default access level, click **Change default role**.

<Frame caption="Change the default access level for JIT provisioning.">
  <img className="block dark:hidden" alt="Change the default access level for JIT provisioning" src="https://mintcdn.com/sevalla/qvdUBAuQue_4UYIa/images/sso-jit-default-light.png?fit=max&auto=format&n=qvdUBAuQue_4UYIa&q=85&s=542c0c6c6213893ccbf1e0a37c1900de" width="2552" height="356" data-path="images/sso-jit-default-light.png" />

  <img className="hidden dark:block" alt="Change the default access level for JIT provisioning" src="https://mintcdn.com/sevalla/qvdUBAuQue_4UYIa/images/sso-jit-default-dark.png?fit=max&auto=format&n=qvdUBAuQue_4UYIa&q=85&s=cd146f04663dd518d369784fe74848d7" width="2554" height="366" data-path="images/sso-jit-default-dark.png" />
</Frame>

You can then choose the access level you want to assign to users who join via JIT provisioning, and click **Save changes**.

<Frame caption="Set the default role for users who sign in via JIT provisioning.">
  <img className="block dark:hidden" alt="Set the default role for users who sign in via JIT provisioning" src="https://mintcdn.com/sevalla/qvdUBAuQue_4UYIa/images/sso-jit-default-change-light.png?fit=max&auto=format&n=qvdUBAuQue_4UYIa&q=85&s=7381c101ef0a115b9408bbc6589a1de4" width="1184" height="912" data-path="images/sso-jit-default-change-light.png" />

  <img className="hidden dark:block" alt="Set the default role for users who sign in via JIT provisioning" src="https://mintcdn.com/sevalla/qvdUBAuQue_4UYIa/images/sso-jit-default-change-dark.png?fit=max&auto=format&n=qvdUBAuQue_4UYIa&q=85&s=b0921c86a121471647dee431479ed665" width="1182" height="914" data-path="images/sso-jit-default-change-dark.png" />
</Frame>

### Enable JIT provisioning

Once you have set the default role, to enable JIT provisioning, click **Enable**, and then click **Continue**.

<Frame caption="Enable JIT provisioning in Sevalla.">
  <img className="block dark:hidden" alt="Enable JIT provisioning in Sevalla" src="https://mintcdn.com/sevalla/qvdUBAuQue_4UYIa/images/sso-jit-enable-light.png?fit=max&auto=format&n=qvdUBAuQue_4UYIa&q=85&s=de1c53abdfbcbc4a08916cd3cb326b97" width="1042" height="612" data-path="images/sso-jit-enable-light.png" />

  <img className="hidden dark:block" alt="Enable JIT provisioning in Sevalla" src="https://mintcdn.com/sevalla/qvdUBAuQue_4UYIa/images/sso-jit-enable-dark.png?fit=max&auto=format&n=qvdUBAuQue_4UYIa&q=85&s=853de0c52ce61426b7c4abccd41d3171" width="1050" height="620" data-path="images/sso-jit-enable-dark.png" />
</Frame>

### Disable JIT provisioning

To disable JIT provisioning, click **Disable**, and then click **Continue**. If you disable JIT provisioning and SSO, users created through JIT will be prompted to set a password the next time they log in to Sevalla.

<Frame caption="Disable JIT provisioning in Sevalla.">
  <img className="block dark:hidden" alt="Disable JIT provisioning in Sevalla" src="https://mintcdn.com/sevalla/qvdUBAuQue_4UYIa/images/sso-jit-disable-light.png?fit=max&auto=format&n=qvdUBAuQue_4UYIa&q=85&s=b8f8b3f98b0217116e6156ddd35128b3" width="1044" height="574" data-path="images/sso-jit-disable-light.png" />

  <img className="hidden dark:block" alt="Disable JIT provisioning in Sevalla" src="https://mintcdn.com/sevalla/qvdUBAuQue_4UYIa/images/sso-jit-disable-dark.png?fit=max&auto=format&n=qvdUBAuQue_4UYIa&q=85&s=c6854e08ec7055f52d7e69343b140189" width="1052" height="580" data-path="images/sso-jit-disable-dark.png" />
</Frame>

## Removing users

To fully revoke access, users must be removed from both Sevalla and your identity provider (IdP).

* If SSO and JIT provisioning are enabled, removing a user from Sevalla alone will not block access. The user can still sign in through your IdP.
* If you remove a user only from your IdP and mandatory SSO is not enabled, the user can still log in with their Sevalla credentials.
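
The rules above, combined with the mandatory SSO, exceptions, and JIT settings described earlier on this page, can be checked during offboarding. The following added example (not a Sevalla API or tool) models those rules over two user exports and lists the sign-in routes still open to each leaver. The class, function names, and user lists are constructed for the example, and the model assumes that without JIT a user needs an existing Sevalla account to sign in and that any Sevalla account can use the password route.

```python
from dataclasses import dataclass, field


@dataclass
class CompanySSO:
    """Hypothetical snapshot of the settings described on this page."""
    domain: str                      # verified email domain
    sso_enabled: bool = True         # SAML is live
    mandatory_sso: bool = False
    jit_enabled: bool = False
    exceptions: set = field(default_factory=set)


def access_paths(email, cfg, sevalla_users, idp_users):
    """Return the sign-in routes still open to `email`."""
    paths = []
    in_sevalla = email in sevalla_users
    in_idp = email in idp_users
    on_domain = email.lower().endswith("@" + cfg.domain)

    # SAML route: the IdP must still authorize the user and the address
    # must be on the verified domain.
    if cfg.sso_enabled and in_idp and on_domain:
        if in_sevalla:
            paths.append("saml")
        elif cfg.jit_enabled:
            # Removed from Sevalla only: JIT lets the user back in via the IdP.
            paths.append("saml+jit")

    # Password route: needs a Sevalla account. Mandatory SSO closes it unless
    # the user is an exception, or SAML itself is not enabled.
    if in_sevalla:
        forced_to_sso = (cfg.mandatory_sso and cfg.sso_enabled
                         and email not in cfg.exceptions)
        if not forced_to_sso:
            paths.append("password")
    return paths


def audit_offboarding(leavers, cfg, sevalla_users, idp_users):
    """Map each leaver who can still sign in to the routes left open."""
    report = {}
    for email in leavers:
        paths = access_paths(email, cfg, sevalla_users, idp_users)
        if paths:
            report[email] = paths
    return report


# Constructed exports: alice was removed from Sevalla only, bob from the IdP
# only, carol from both.
SEVALLA_USERS = {"owner@example.com", "bob@example.com", "contractor@agency.example"}
IDP_USERS = {"owner@example.com", "alice@example.com"}
LEAVERS = ["alice@example.com", "bob@example.com", "carol@example.com"]

if __name__ == "__main__":
    cfg = CompanySSO(domain="example.com", jit_enabled=True,
                     exceptions={"owner@example.com"})
    for email, paths in audit_offboarding(LEAVERS, cfg, SEVALLA_USERS, IDP_USERS).items():
        print(f"{email}: still reachable via {', '.join(paths)}")
```

Rerun the audit after enabling mandatory SSO: accounts on the exceptions list keep the password route, so they need to be removed from Sevalla directly.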

## Change the session duration

Your identity provider (IdP) controls the duration and expiration of your SSO session. Refer to your IdP's supporting documentation for information about how to change this.

## Disable SSO

If you disable SSO, users will no longer be able to sign in using SAML SSO and must instead log in with their email address and password.

If JIT provisioning was previously enabled, some users may not have an existing Sevalla password. In this case, they can create one by selecting **Forgot password** on the Sevalla login page.

Once SSO is disabled, all users will be required to use Sevalla's Two-Factor Authentication (2FA).

For security, multiple failed login attempts may lock the account. If this happens, Sevalla will send an email containing a temporary login link so the user can regain access to Sevalla.

To disable SSO, within **Single sign-on**, click **Disable**.

## What is the difference between SAML SSO and OAuth SSO?

SAML SSO and OAuth SSO both allow single sign-on, but they’re built for different use cases, technologies, and types of identities.

SAML SSO is used by businesses and enterprises to provide employees with secure, company-managed access to internal tools. With SAML, you sign in once using your work email and password, and you’re automatically logged in to all approved apps, such as Sevalla, Slack, or Salesforce, without needing to remember separate passwords. Usually, your company’s IT team manages access centrally through the Identity Provider (IdP), deciding who can sign in and which tools they can access. This provides greater security, compliance, and easier management for larger teams.

OAuth SSO, on the other hand, is most common for personal use. It lets you sign in to apps or websites using an existing personal account, such as Google, Apple, or Facebook, instead of creating a new one. This is linked to your personal identity rather than your organization, and the company cannot control who accesses which applications. This means that OAuth SSO is less suitable for enterprise-level access management.
