Guides
v2.0

SAML SSO

Suggest Edits

EnvKey Business Cloud and Business Self-Hosted offer SSO with SAML 2.0. You can use any Identity Provider that supports SAML 2.0, but we specifically test and provide documentation for Okta, Azure AD, and Google Workspaces.

If you're attempting to use another Service Provider and running into problems, please reach out to [email protected] and we'll be happy to help.

Identity Providers

Okta

1.) Setup a new SAML Service Provider in EnvKey.

  • In the EnvKey UI, sign in to your org, then click the Org, account, and device settings menu with your organization's name in it at the top-left of the screen. From there, click My Org. Then click on the SSO tab.

  • Under SAML Connections, click Connect A SAML Provider. Select Okta as the Provider and click Next. You'll now see a list of generated Service Provider Settings.

2.) Sign in to Okta and go to your dashboard, then select Applications > Add Application > Create New App.

3.) In the dialog Create New Application Integration select Platform: Web and Sign on method: SAML 2.0.

4.) Name the app EnvKey and click Next.

5.) Under the SAML Settings editing screen:

  • Enter the Assert Url / ACS Url / Callback Url from the EnvKey UI into the Single sign on URL field.

  • Enter the Entity Id / XML Metadata Url from EnvKey UI into the Audience URI field.

  • Set Name ID format to Persistent.

  • Leave the fields under Advanced Settings with their default values.

  • In the section of the form with Name, Name format (optional), Value, set the following:

    • Name: email_address, Name format: Basic, Value: user.email

  • Click Next to save.

6.) Back in the EnvKey UI, scroll to the bottom of the Service Provider Settings screen and click Next.

7.) In Okta, go to the created application, select Sign On then View Setup Instructions.

  • Enter the Okta Identity Provider Issuer into the EnvKey UI as the Entity Id.

  • Enter the Okta Identity Provider Single Sign-On UR into the EnvKey UI as the Login Url.

  • Copy the text of the Okta X.509 Certificate and add it to the EnvKey UI under Certificates.

  • In the EnvKey UI, click Save And Finish.

8.) In Okta, under Directory > People, you can now assign users to the application. And when you invite a new user to EnvKey, you can select your SAML connection as the Authentication Method which will require them to authenticate with Okta when accepting the invitation, and later on subsequent sign ins.

9.) We recommend also setting up SCIM for automatic provisioning of invite candidates and de-provisioning from EnvKey when a user's access is removed in Okta.

Azure AD

1.) Setup a new SAML Service Provider in EnvKey.

  • In the EnvKey UI, sign in to your org, then click the Org, account, and device settings menu with your organization's name in it at the top-left of the screen. From there, click My Org. Then click on the SSO tab.

  • Under SAML Connections, click Connect A SAML Provider. Select Azure AD as the Provider and click Next. You'll now see a list of generated Service Provider Settings.

2.) Go to portal.azure.com and sign in, then go to Enterprise Applications. Click + New Application, then click Create your own application. Enter EnvKey for the friendly name, select Integrate any other application you don't find in the gallery, and click Create the app.

3.) On the newly created app page, go to the left menu and click Manage > Single sign-On, then SAML.

4.) Click Edit in the Basic SAML Configuration section, then:

  • Click Add Identifier under Identifier (Entity ID). Enter the Entity Id / XML Metadata Url from the EnvKey UI.

  • Click Add Reply Url under Reply URL (Assertion Consumer Service URL) Enter the Assert Url / ACS Url / Callback Url from the EnvKey UI.

  • Leave other fields blank.

  • Save and close the form.

5.) Click Edit in the Attributes & Claims section, then:

  • Set the Unique User Identifier (Name ID) claim's Name identifier format to persistent.

  • Ensure the emailaddress claim is set to user.mail.

6.) Back in the EnvKey UI, scroll to the bottom of the Service Provider Settings screen and click Next.

7.) In the Azure Set up EnvKey section:

  • Enter the Azure Azure AD Identifier into the EnvKey UI as the Entity ID.

  • Enter the Azure Login URL into the EnvKey UI as the Login Url.

8.) In the Azure SAML Certificates section:

  • Click Edit next to Token signing certificate, then click the button for the active certificate, then PEM certificate download.
  • Copy the text of the downloaded certificate, and add it in the EnvKey UI under Certificates.

9.) Click Save & Finish in the EnvKey UI.

10.) In the Azure portal, in the sidebar while viewing the app, select Users and Groups. You can now assign users to the application. And when you invite a new user to EnvKey, you can select your SAML connection as the Authentication Method which will require them to authenticate with Azure AD when accepting the invitation, and later on subsequent sign ins.

11.) We recommend also setting up SCIM for automatic provisioning of invite candidates and de-provisioning from EnvKey when a user's access is removed in Azure AD.

Google Workspaces

1.) Setup a new SAML Service Provider in EnvKey.

  • In the EnvKey UI, sign in to your org, then click the Org, account, and device settings menu with your organization's name in it at the top-left of the screen. From there, click My Org. Then click on the SSO tab.

  • Under SAML Connections, click Connect A SAML Provider. Select Google as the Provider and click Next. You'll now see a list of generated Service Provider Settings.

2.) Signed in to your Google Workspace account, go to Google Admin Console > Apps.

3.) Go to SAML apps > Manage SSO and User Provisioning, then Add App > Add custom SAML app.

4.) Google will display settings that need to be pasted into the EnvKey UI in step 7.

  • Copy the SSO URL and keep it in a temporary text file/note.
  • Copy the Entity ID and keep it in a temporary text file/note.
  • Download the certificate. It will have a name like Google_2026-1-18-00000_SAML2_0.

5.) Continue to Service provider details. Enter the following into Google’s form:

  • Copy the Assert Url / ACS Url / Callback Url from the EnvKey UI into the ACS URL field the Google form.
  • Copy the Entity Id / XML Metadata Url from the EnvKey UI into the Entity ID field in the Google form.
  • Ensure the certificate downloaded in step 4 is selected for the IdP certificate.
  • For Name ID format, select EMAIL with Basic Information > Primary email or urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.

6.) Back in the EnvKey UI, scroll to the bottom of the Service Provider Settings screen and click Next.

7.) Now add the following values from step 4 into the EnvKey UI form:

  • Copy the SSO URL you saved in step 4 into the Login URL field in the EnvKey UI.
  • Copy the Entity ID you saved in step 4 into the Entity ID field in the EnvKey UI.
  • Copy the text of the certificate you downloaded in step 4 and add it under Certificates in the EnvKey UI.

8.) Now that Google has a SAML EnvKey app setup, it must be enabled for all users. While viewing/editing the app, enter User Access then change Service status to Enabled for everyone. According to Google, it may take up to 24 hours to propagate to all users, depending on your configuration.

9.) You can now assign users to the application in Google. And when you invite a new user to EnvKey, you can select your SAML connection as the Authentication Method which will require them to authenticate with Google when accepting the invitation, and later on subsequent sign ins.

Updated about 1 year ago