
SAML SSO

Configure single sign-on with your identity provider.

SAML SSO requires a Business plan or higher.

What is SAML SSO?

SAML (Security Assertion Markup Language) lets your identity provider (IdP) authenticate users and tell Penvio who they are. It gives you:

  • Single sign-on across applications
  • Centralized user management in the IdP
  • Authentication policy (MFA, session lifetime, device checks) enforced once, by the IdP, for every application
  • Simplified user experience: one set of credentials instead of a separate Penvio password

Supported Identity Providers

Penvio works with any SAML 2.0 IdP:

  • Okta
  • Azure AD (Microsoft Entra ID)
  • OneLogin
  • Google Workspace
  • Ping Identity
  • JumpCloud
  • And others

Configuration

Step 1: Get Penvio SAML Details

  1. Go to Organization → Security → SAML SSO
  2. Note the following values. Your IdP will ask for the Entity ID as the Audience URI (SP Entity ID) and for the ACS URL as the single sign-on or reply URL; both must be copied exactly, including scheme and path:
    • Entity ID: https://penvio.io/saml/{org-id}
    • ACS URL: https://penvio.io/api/auth/saml/callback
    • Logout URL: https://penvio.io/api/auth/saml/logout

Step 2: Configure Your IdP

In your identity provider:

  1. Create a new SAML application
  2. Enter Penvio’s Entity ID
  3. Enter Penvio’s ACS URL
  4. Configure attribute mapping (see below)
  5. Save and get IdP metadata

Step 3: Enter IdP Details in Penvio

  1. Return to Penvio SAML settings
  2. Upload the IdP metadata XML, or enter the values manually:
    • IdP Entity ID
    • SSO URL
    • Signing certificate (PEM)
  3. Click Save

Step 4: Test Connection

  1. Click Test Connection
  2. Sign in with your IdP
  3. Verify successful authentication

Step 5: Enable SSO

  1. Choose enforcement mode:
    • Optional: users can sign in with SSO or with email/password. Password logins never touch the IdP, so IdP policies such as MFA do not apply to them; treat this as a migration setting
    • Required: all users must sign in through the IdP
  2. Click Enable

Attribute Mapping

Map IdP attributes to Penvio fields:

Map IdP attributes to Penvio fields. Penvio checks the listed attribute names in order and uses the first one the assertion carries:

  • Email: email, mail, NameID
  • First Name: firstName, givenName
  • Last Name: lastName, surname, sn
  • Display Name: displayName, name
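The following added example (not Penvio's code) applies that mapping to a SAML response, falling back through the alternatives listed above, and runs the exact-match Audience and ACS checks that surface later as "Invalid SAML response". It deliberately does not verify the XML signature, so it is a mapping demonstration, not a validator. The response in `SAMPLE_RESPONSE` and the org id in `EXPECTED_AUDIENCE` are constructed.

```python
"""Resolve Penvio's user fields from a SAML assertion using the fallback order of the
attribute-mapping table, and apply the Audience / ACS exact-match checks.

Added example, not Penvio's code. It does NOT verify the XML signature, so it is
a mapping demo, not a validator. SAMPLE_RESPONSE and the org id in
EXPECTED_AUDIENCE are constructed.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Fallback order per Penvio field; "NameID" stands for <saml:NameID>, not an Attribute.
FIELD_SOURCES = {
    "email": ["email", "mail", "NameID"],
    "first_name": ["firstName", "givenName"],
    "last_name": ["lastName", "surname", "sn"],
    "display_name": ["displayName", "name"],
}

EXPECTED_AUDIENCE = "https://penvio.io/saml/org_123"  # hypothetical org id
EXPECTED_ACS = "https://penvio.io/api/auth/saml/callback"

# Constructed response: no "email" attribute (email falls back to NameID),
# names sent as givenName/sn, no display name, multi-valued groups.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    Destination="https://penvio.io/api/auth/saml/callback">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>http://www.okta.com/exk0000000000000000</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://penvio.io/api/auth/saml/callback"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://penvio.io/saml/org_123</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="givenName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="sn"><saml:AttributeValue>Liddell</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="groups">
        <saml:AttributeValue>engineering</saml:AttributeValue>
        <saml:AttributeValue>admins</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""


def addressing_problems(xml_text, expected_audience=EXPECTED_AUDIENCE, expected_acs=EXPECTED_ACS):
    """Exact string matches: 'callback' vs 'callback/' is a mismatch."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no Assertion in Response (encrypted assertions are out of scope here)"]
    problems = []
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        problems.append("Audience %r does not include %r" % (audiences, expected_audience))
    destination = root.get("Destination")
    if destination is not None and destination != expected_acs:
        problems.append("Destination %r != ACS %r" % (destination, expected_acs))
    for scd in assertion.findall(
            "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS):
        recipient = scd.get("Recipient")
        if recipient is not None and recipient != expected_acs:
            problems.append("Recipient %r != ACS %r" % (recipient, expected_acs))
    return problems


def collect_attributes(assertion):
    """Attribute Name -> list of values, plus the NameID under the pseudo-name 'NameID'."""
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [(v.text or "").strip()
                                   for v in attr.findall("saml:AttributeValue", NS)]
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is not None and name_id.text:
        attrs["NameID"] = [name_id.text.strip()]
    return attrs


def resolve_user(xml_text, expected_audience=EXPECTED_AUDIENCE, expected_acs=EXPECTED_ACS):
    problems = addressing_problems(xml_text, expected_audience, expected_acs)
    if problems:
        raise ValueError("invalid SAML response: " + "; ".join(problems))
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    attrs = collect_attributes(assertion)
    user = {}
    for field, sources in FIELD_SOURCES.items():
        user[field] = next((attrs[s][0] for s in sources if attrs.get(s) and attrs[s][0]), None)
    user["groups"] = attrs.get("groups", [])
    if user["email"] is None:
        # The usual cause of "User not created": no email/mail attribute and no usable NameID.
        raise ValueError("no email attribute and no NameID; JIT provisioning cannot create the user")
    return user


if __name__ == "__main__":
    print(resolve_user(SAMPLE_RESPONSE))
```

The Audience check is why the Entity ID must be entered in the IdP exactly as Penvio shows it, and the Destination/Recipient checks are why a trailing slash on the ACS URL is enough to break login.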

Just-in-Time Provisioning

New users can be created automatically:

  1. Enable JIT Provisioning
  2. Set default role for new users
  3. Users are created on first SSO login

Managing SSO Users

SSO-Only Users

When SSO is required:

  • Users can only sign in via SSO
  • No password reset option
  • Account managed by IdP

Mixed Authentication

When SSO is optional:

  • Users choose sign-in method
  • Can link SSO to existing account
  • Password remains as backup

Troubleshooting

Login Failed

  • Verify the IdP configuration: Entity ID and ACS URL must match Penvio's values exactly
  • Check that the IdP signing certificate has not expired or been rotated since you uploaded it
  • Confirm the attribute mapping sends an email address (email, mail, or an email-format NameID)
  • Review the IdP's own sign-in logs; they usually name the rejected field

User Not Created

  • Ensure JIT provisioning is enabled
  • Check required attributes are sent
  • Verify email format

Certificate Errors

  • Upload the IdP's current signing certificate (from its metadata), not an encryption certificate or a superseded one
  • Check that the certificate hasn't expired
  • Ensure it is in PEM format (BEGIN CERTIFICATE / END CERTIFICATE block)

Okta Setup Guide

This section provides step-by-step instructions for configuring SAML SSO with Okta.

Step 1: Get Penvio SP Configuration

  1. In Penvio, go to Organization → Security → SAML SSO
  2. Copy these values (you’ll need them in Okta):
    • SP Metadata URL
    • ACS URL (Assertion Consumer Service)

Step 2: Create SAML App in Okta

  1. Log in to the Okta Admin Console
  2. Navigate to Applications → Applications
  3. Click Create App Integration
  4. Select SAML 2.0 and click Next
  5. Enter app details:
    • App name: Penvio
    • App logo: Optional
  6. Click Next

Step 3: Configure SAML Settings

Enter these values in Okta’s SAML settings:

  • Single sign-on URL: your ACS URL from Penvio
  • Audience URI (SP Entity ID): your SP Metadata URL from Penvio, copied exactly; Okta places this value in the assertion's Audience element and Penvio rejects assertions whose Audience does not match
  • Name ID format: EmailAddress
  • Application username: Email

Step 4: Configure Attribute Statements

Add the following attribute statements in Okta:

  • email (Name format: Unspecified): user.email
  • firstName (Name format: Unspecified): user.firstName
  • lastName (Name format: Unspecified): user.lastName
  • groups (Name format: Unspecified): appuser.groups (optional)

Click Next, complete the feedback form, then click Finish.

Step 5: Download Okta Metadata

  1. In Okta, open the Penvio app you just created and go to the Sign On tab
  2. Scroll to SAML Signing Certificates
  3. Click Actions → View IdP metadata
  4. A new tab opens with the metadata XML
  5. Select all (Ctrl/Cmd+A) and copy (Ctrl/Cmd+C)

Step 6: Complete Penvio Configuration

  1. Return to Penvio’s SAML SSO settings
  2. Paste the metadata XML into the IdP Metadata XML field
  3. Verify attribute mapping:
    • Email attribute: email
    • First name attribute: firstName
    • Last name attribute: lastName
    • Groups attribute: groups (if configured)
  4. Optionally enable Enforce SSO to require SSO for all users
  5. Click Enable SAML SSO

Step 7: Assign Users in Okta

  1. In Okta, go to the Assignments tab
  2. Click Assign → Assign to People or Assign to Groups
  3. Select users or groups who need access to Penvio
  4. Click Save and Go Back

Testing Okta SSO

  1. Open an incognito/private browser window
  2. Go to your Penvio login page
  3. Enter your email or click Sign in with SSO
  4. You should be redirected to Okta
  5. After authenticating, you’ll return to Penvio

Okta Troubleshooting

  • "Invalid SAML response": verify the ACS URL matches exactly (no trailing slash)
  • User not provisioned: check that the email attribute is mapped correctly
  • Certificate error: re-download the metadata XML from Okta
  • "User not assigned": assign the user to the app in Okta's Assignments tab

Security Considerations

  • Rotate the IdP signing certificate before it expires and update it in Penvio as part of the same change; an expired or rotated certificate fails every SSO login with a certificate error
  • Monitor SSO audit logs in both Penvio and the IdP for rejected assertions and logins from unexpected accounts
  • Review JIT-provisioned users and the default role they receive; with JIT enabled, anyone assigned to the app in the IdP gets a Penvio account on first login
  • Before switching enforcement to Required, test what happens when the IdP is unavailable, since SSO-only users have no password fallback
