Set up Identity Provider (IdP) for SAML SSO


Here's how to set up your Identity Provider for SAML SSO in Notion 🔑


These are instructions for setting up Notion SAML SSO with Entra ID (formerly Azure), Google, Okta, and OneLogin. If you use a different Identity Provider and need assistance with configuration, please let us know.

Note: At this time, organizations on the Enterprise Plan can only set up SAML SSO with one IdP.

Step 1: Create a new application integration

To create a new application integration in Entra ID:

  1. Sign in to the Entra ID portal. On the left navigation pane, select the Azure Active Directory service.

  2. Navigate to Enterprise Applications and then select All Applications.

  3. To add a new application, select New application.

  4. In the Add from the gallery section, type Notion in the search box. Select Notion from results panel and then add the app. Wait a few seconds while the app is added to your tenant.

Step 2: Create SAML Integration

To set up the SAML integration:

  1. In the Azure portal, on the Notion application integration page, find the Manage section and select Single sign-on.

  2. On the Select a single sign-on method page, select SAML.

Step 3: SAML settings

To configure SAML settings in Notion:

  1. In Notion, go to Settings → General if you’re on the Business Plan, or the General tab of your organization settings if you’re on the Enterprise Plan.

  2. In the Allowed email domains section, remove all email domains.

  3. Select the Identity tab in Settings if you're on the Business Plan, or go to your organization settings → General → SAML Single sign-on (SSO) if you're on the Enterprise Plan.

  4. Verify one or more domains. See instructions for domain verification here →

  5. Toggle on Enable SAML SSO. The SAML SSO Configuration modal will automatically appear and prompt you to complete the set-up.

  6. The SAML SSO Configuration modal is divided into two parts:

    • The Assertion Consumer Service (ACS) URL needs to be entered in your Identity Provider (IdP) portal.

    • Identity Provider Details is a field in which you provide either an IdP metadata URL or the IdP metadata XML itself.

Step 4: Configure Notion in Entra ID

To set up Notion in Entra ID:

  1. On the set up single sign-on with SAML page, click the pencil icon for Basic SAML Configuration to edit the settings.

  2. On the Basic SAML Configuration section, if you wish to configure the application in IdP initiated mode, enter the values for the following fields:

    • In the Identifier (Entity ID) text box, enter the following URL: https://www.notion.so/sso/saml.

    • In the Reply URL (Assertion Consumer Service URL) text box, use the ACS URL from Notion, found on the Identity & provisioning tab of Settings in your left-hand sidebar.

    • In the Sign on URL text box, enter the following URL: https://www.notion.so/login.

  3. In the User attributes & claims section, ensure the required claims are set to:

    • Unique User Identifier (Name ID): user.userprincipalname [nameid-format:emailAddress]

    • firstName: user.givenname

    • lastName: user.surname

    • email: user.mail

  4. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, click the copy button next to the App Federation Metadata URL.

  5. In Notion, go to Settings → Identity, and paste the App Federation Metadata URL value you copied into the IdP metadata URL field text box. Make sure Identity Provider URL is selected.
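When a login succeeds at the IdP but Notion does not receive the expected user details, the quickest check is to look at what the assertion actually carries against the claims listed in step 3. This added Python example (not Notion's or Microsoft's code) decodes a SAMLResponse value and reports the NameID format and any of the required firstName, lastName and email attributes that are missing; the response it runs on is a constructed, unsigned sample with placeholder values.

```python
import base64
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
REQUIRED_ATTRS = ("firstName", "lastName", "email")  # claim names listed in Step 4 above

# Constructed, unsigned sample in the shape a browser posts as SAMLResponse.
# IDs, issuer and user values are placeholders; a real response is signed.
SAMPLE_RESPONSE_XML = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_PLACEHOLDER-RESPONSE" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Assertion ID="_PLACEHOLDER-ASSERTION" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.test/</saml:Issuer>
    <saml:Subject><saml:NameID Format="{EMAIL_FORMAT}">alice@example.test</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="firstName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="lastName"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="email"><saml:AttributeValue>alice@example.test</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()


def check_claims_xml(response_xml: str) -> dict:
    """Report the NameID format, the attribute names actually sent, and which of
    the required claims are missing from a decoded SAML response."""
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:  # an EncryptedAssertion cannot be inspected this way
        return {"name_id": None, "attributes": {}, "problems": ["no plaintext saml:Assertion"]}
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    problems = []
    if name_id is None:
        problems.append("no NameID in Subject")
    elif name_id.get("Format") != EMAIL_FORMAT:
        problems.append(f"NameID format is {name_id.get('Format')}, expected emailAddress")
    # Entra's default claim names are schema URIs; they show up here as missing attributes.
    problems += [f"required attribute {n!r} not present" for n in REQUIRED_ATTRS if n not in attrs]
    return {"name_id": None if name_id is None else name_id.text,
            "attributes": attrs, "problems": problems}


def check_claims(saml_response_b64: str) -> dict:
    """Same check on the base64 SAMLResponse value captured from the login POST."""
    return check_claims_xml(base64.b64decode(saml_response_b64).decode())
```

Paste the SAMLResponse form value from your own test login into check_claims; an empty problems list means the NameID and all three required claims arrived under the names Notion expects.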

Step 5: Assign users to Notion

To assign users to Notion:

  1. In the Azure portal, select Enterprise Applications, and then select All applications. In the applications list, select Notion.

  2. In the app's overview page, find the Manage section and select Users and groups.

  3. Select Add user, then select Users and groups in the Add Assignment dialog.

  4. In the Users and groups dialog, select from the Users list, then click the Select button at the bottom of the screen.

  5. If you are expecting a role to be assigned to the users, you can select it from the Select a role dropdown. If no role has been set up for this app, you will see the Default Access role selected.

  6. In the Add Assignment dialog, click the Assign button.

Step 1: Get Google identity provider (IdP) information

To get information from Google Identity Provider (IdP):

  1. Make sure you're signed into an administrator account to ensure your user account has the appropriate permissions.

  2. In Admin Console, go to Menu → Apps → Web and mobile apps.

  3. Enter Notion in the search field and select the Notion SAML app.

  4. On the Google Identity Provider details page, download the IdP metadata file.

  5. Open the GoogleIDPMetadata.xml file in a compatible editor, then select and copy the contents of the file.

  6. Leave the Admin Console open. You'll continue with the configuration wizard after performing the next step in the Notion application.

Step 2: Set up Notion as SAML 2.0 service provider

To set up Notion as a SAML service provider:

  1. In Notion, go to Settings → General if you’re on the Business Plan, or the General tab of your organization settings if you’re on the Enterprise Plan.

  2. In the Allowed email domains section, remove all email domains.

  3. Select the Identity tab in Settings if you're on the Business Plan, or go to your organization settings → General → SAML Single sign-on (SSO) if you're on the Enterprise Plan.

  4. Add a new domain and verify it. This should be the same as your Google Workspace domain.

  5. In SAML Single sign-on (SSO) settings, toggle Enable SAML SSO on. This opens the SAML SSO Configuration dialog.

  6. In the dialog, do the following:

    1. Under Identity Provider Details, select IDP metadata XML.

    2. Paste the contents of the GoogleIDPMetadata.xml file (copied in Step 1 above) into the IdP metadata XML text box.

    3. Copy and save the Assertion Consumer Service (ACS) URL. You'll need it when you complete the Google-side configuration in the Admin Console in Step 3 below.

    4. Click Save Changes.

  7. Ensure that the remaining options (Login method, Automatic account creation and Linked workspaces) contain the desired values for your configuration.
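Before pasting the metadata copied in Step 1 into the IdP metadata XML box, it is worth confirming that the file is complete and really is IdP metadata (a truncated paste or an SP metadata export are the usual mistakes). This added Python example (not Notion's or Google's code) parses the XML and reports the entity ID, SSO endpoints, signing certificate count and any problems; the metadata it runs on is a constructed sample with placeholder identifiers.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample shaped like an IdP metadata export (GoogleIDPMetadata.xml style).
# The entity ID, endpoint URLs and certificate text are placeholders, not real values.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
    entityID="https://idp.example.test/saml2?idpid=PLACEHOLDER">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC...CERT-PLACEHOLDER...</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="{HTTP_REDIRECT}" Location="https://idp.example.test/saml2/sso"/>
    <md:SingleSignOnService Binding="{HTTP_POST}" Location="https://idp.example.test/saml2/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def check_idp_metadata(xml_text: str) -> dict:
    """Return the values to confirm before pasting the metadata into Notion:
    entity ID, SSO endpoints, signing-certificate count, and any problems found."""
    root = ET.fromstring(xml_text)  # ParseError here usually means a truncated copy/paste
    problems, sso, certs = [], {}, 0
    if root.tag != f"{{{MD}}}EntityDescriptor":
        problems.append("root element is not md:EntityDescriptor")
    entity_id = root.get("entityID")
    if not entity_id:
        problems.append("missing entityID")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        problems.append("no IDPSSODescriptor: this looks like SP metadata, not IdP metadata")
    else:
        for svc in idp.findall("md:SingleSignOnService", NS):
            sso[svc.get("Binding")] = svc.get("Location")
        # A KeyDescriptor with no 'use' attribute may be used for signing as well.
        certs = sum(len(kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS))
                    for kd in idp.findall("md:KeyDescriptor", NS)
                    if kd.get("use", "signing") == "signing")
        if HTTP_REDIRECT not in sso and HTTP_POST not in sso:
            problems.append("no HTTP-Redirect or HTTP-POST SingleSignOnService endpoint")
        if certs == 0:
            problems.append("no signing certificate: assertion signatures could not be verified")
    problems += [f"SSO endpoint is not HTTPS: {u}" for u in sso.values()
                 if u and not u.startswith("https://")]
    return {"entity_id": entity_id, "sso_urls": sso, "signing_certs": certs, "problems": problems}
```

Run check_idp_metadata on the contents of your downloaded file; the entity ID it reports should match the issuer your IdP shows, and an empty problems list means the paste is complete.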

Step 3: Finish SSO configuration in Admin Console

To complete SSO configuration in Admin Console:

  1. Return to the Admin Console browser tab.

  2. On the Google Identity Provider details page, click Continue.

  3. On the Service provider details page, replace the ACS URL with the ACS URL you copied from Notion in Step 2 above.

  4. Click Continue.

  5. On the Attribute Mapping page, click the Select field menu and map the following Google directory attributes to their corresponding Notion attributes. Note that firstName, lastName, and email are required attributes.

    Note: The profilePhoto attribute can be used to add a user photo in Notion. To use it, create a custom attribute and populate it in the user profile with the URL path to the photo, then map the custom attribute to profilePhoto.

  6. If you’d like, click Add Mapping to add any additional mappings you need.

  7. Click Finish.

Note: Regardless of how many group names you enter, the SAML response will only include groups that a user is a member of (directly or indirectly). Find more information here →

Step 4: Enable the Notion app

To enable Notion:

  1. In the Admin console, go to Menu → Apps → Web and mobile apps.

  2. Select Notion.

  3. Click User access.

  4. To turn a service on or off for everyone in your organization, click On for everyone or Off for everyone, and then click Save.

  5. To optionally turn a service on or off for an organizational unit, select the organizational unit and change the Service status by selecting On or Off.

    • If the Service status is set to Inherited and you want to keep the updated setting, even if the parent setting changes, click Override. If the Service status is set to Overridden, either click Inherit to revert to the same setting as its parent, or click Save to keep the new setting, even if the parent setting changes. Learn more about organizational structure.

  6. Optionally turn on the service for a group of users. Use access groups to turn on a service for specific users within or across your organizational units. Learn more here →

  7. Ensure that your Notion user account email addresses match those in your Google domain.

Step 1: Add the Notion app from Okta's application directory