SAML Authentication + Single Sign-On (SSO)

Learn how to enable SAML-based single sign-on 

Last Updated: May 28, 2026

Overview

SAML-based single sign-on (SSO) gives your members access to Assembly through the identity provider (IdP) of your choice. When enabled, members will sign in directly through your identity provider using SSO.

Note: SSO configuration applies to existing Assembly customers only. If you're a Quantum Workplace customer adopting Assembly, contact your implementation team for setup assistance.

Requirements

Only workspace admins can set up, edit, or disconnect SAML authentication. Your admin must also have access to your identity provider's (IdP) settings.

Email addresses must match exactly between your IdP and Assembly for both the admin setting up SAML and any team member signing in.

Before You Begin

Check your plan: Only Business and Enterprise plans support SAML authentication. If you downgrade to Team or Free, your SAML connection will be lost.

Gather your IdP details: Before enabling SAML, you'll need:

  • Your IdP's SAML 2.0 Endpoint URL (HTTP)
  • Your IdP Entity ID (also called Identity Provider Issuer)
  • Your IdP's X.509 Certificate (public certificate)
  • Service Provider Issuer URL and Service Provider Callback URL (we'll provide these)

If your IdP is Okta, you can use the IdP URL instead of the SAML 2.0 Endpoint URL.

Enable SAML Authentication

  1. Go to my.joinassembly.com.
  2. Click the Admin icon in the lower left corner of your left navigation bar.
  3. Click Security & Login in the left sidebar.
  4. Click SAML Authentication.
  5. Click Enable.
  6. Enter your SAML 2.0 Endpoint URL (HTTP) in the first field.
  7. In the Identity Provider Issuer field, enter your IdP Entity ID.
  8. Copy your IdP's X.509 Certificate and paste the entire certificate into the Public Certificate field.
  9. In the next section, follow the instructions under "Configure Your Identity Provider" below.
  10. Under Advanced Options, click Expand to configure how your IdP signs the SAML response. (These settings are optional.)
  11. If you need end-to-end encryption, check Sign AuthnRequest to display an encryption certificate.
  12. Under Settings, choose whether SAML authentication is Required, Partially Required (e.g., optional for manually-invited guests), or Optional.
  13. Click Test Configuration to verify your settings. Fix any errors before saving.
  14. Once testing is successful, click Enable SAML to save and activate SAML authentication.

[Screenshot: SAML configuration form]

Tip for Guest Accounts: If you have manually-invited members who don't have IdP accounts, we recommend choosing "Partially Required" so they can still sign in with email and password.

Configure Your Identity Provider

After you've entered your IdP details in Assembly, you must configure the Assembly app in your IdP so the two systems can communicate.

Step 1: Add Assembly URLs to Your IdP

  1. In your Assembly SAML settings, copy the Service Provider Issuer URL.
  2. Go to your IdP's configuration panel and paste this URL.
  3. Back in Assembly, copy the Service Provider Callback URL.
  4. Paste this into your IdP as well.

Step 2: Upload Assembly Icons

  1. In your Assembly SAML settings, download the Assembly portal icons.
  2. Upload these icons to your IdP dashboard so Assembly appears branded and recognizable to your team.

Step 3: Configure NameID and Email Mapping

In your IdP settings, ensure the following:

  • NameID format: Set to Email address.
  • Email attribute: Make sure your IdP sends the user's email address in the SAML response. Name this attribute Email.
  • Match Assembly emails: Ensure email addresses in your IdP exactly match the email addresses in your Assembly workspace. Mismatches will prevent sign-in.

[Screenshot: IdP configuration example]
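To confirm the Step 3 mapping before users hit a sign-in failure, the following added example (not Assembly's own code) inspects a decoded SAML assertion for the NameID format, the attribute named Email, and an exact email match. The sample assertion and the function name `check_assertion` are constructed for illustration. Flagging case or whitespace differences as a mismatch is an assumption based on the "exactly match" requirement, and the script checks the mapping only, not the signature.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample assertion (not captured from a real IdP).
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">Pat.Lee@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email">
      <saml:AttributeValue>Pat.Lee@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

def check_assertion(xml_text, workspace_email):
    """Return a list of findings; an empty list means the mapping looks right."""
    findings = []
    root = ET.fromstring(xml_text)
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None:
        return ["no NameID in Subject"]
    if name_id.get("Format") != EMAIL_FORMAT:
        findings.append(f"NameID Format is {name_id.get('Format')!r}, expected emailAddress")
    # Collect attribute values keyed by the exact attribute Name the IdP sent.
    attrs = {a.get("Name"): [(v.text or "") for v in a.findall("saml:AttributeValue", NS)]
             for a in root.findall(".//saml:AttributeStatement/saml:Attribute", NS)}
    if "Email" not in attrs:
        near = [n for n in attrs if n and n.lower() == "email"]
        findings.append("no attribute named 'Email'" + (f" (found {near[0]!r})" if near else ""))
    candidates = [("NameID", name_id.text or "")]
    candidates += [("Email attribute", v) for v in attrs.get("Email", [])]
    for label, value in candidates:
        if value == workspace_email:
            continue
        # Assumption: treat case/whitespace drift as a mismatch worth fixing.
        if value.strip().lower() == workspace_email.strip().lower():
            findings.append(f"{label} {value!r} differs only by case or whitespace")
        else:
            findings.append(f"{label} {value!r} does not match {workspace_email!r}")
    return findings

if __name__ == "__main__":
    for finding in check_assertion(SAMPLE_ASSERTION, "pat.lee@example.com"):
        print("FINDING:", finding)
```

Run it against an assertion captured from your own test sign-in (base64-decoded) together with the email shown for that member in Assembly.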

Edit Your SAML Configuration

To update your SAML settings at any time:

  1. Go to Security & Login > SAML Authentication.
  2. Click Edit.
  3. Make your changes.
  4. Click Test Configuration to verify.
  5. Click Save to apply changes. (If you click Cancel before testing and saving, your changes will be discarded.)

Note: Any saved changes take effect immediately for all users.

Allow Self-Service Account Creation

By default, only invited or queued members can access Assembly. You can enable self-service account creation so anyone with an IdP account can sign in:

  1. In your SAML settings, find Allow anyone with an account in your IdP to create an Assembly account.
  2. Toggle this setting ON.

When enabled: Users with IdP access can click the Assembly card in their IdP dashboard to create an Assembly account instantly. If they already have a pending, queued, or requested invitation, their account will be automatically created and the invitation removed.

When disabled: Users clicking Assembly in their IdP can only submit an access request, which appears in your Admin panel's Requests tab for approval.

What to Expect After Enabling SSO

Once SAML is enabled:

  • Users already signed in will remain signed in.
  • All other users will receive an email prompting them to authenticate with SAML (unless SAML is optional).
  • When users sign in, they'll authenticate through your IdP instead of entering Assembly credentials.

[Screenshot: SSO sign-in prompt]

Disable SAML Authentication

If you need to turn off SAML SSO:

  1. Go to Security & Login > SAML Authentication.
  2. Click Edit.
  3. Click Disable SAML.

After disabling:

  • Users already signed in will remain signed in.
  • All other users will receive an email prompting them to authenticate with SSO, a password, or to reset their password if they don't have one.
  • Your SAML settings will be cleared. To re-enable SAML later, you'll need to enter all configuration details again.

FAQs

Can I require SSO for some users but not others?

Yes. Choose Partially Required when enabling SAML. This lets you require SSO for most users while allowing manually-invited guests to sign in with email and password.

What if my team member's email doesn't match between my IdP and Assembly?

Email addresses must match exactly for SAML to work. If there's a mismatch, the user won't be able to sign in through SSO. Update the email in either your IdP or Assembly to ensure they match.

Do I need to set up a connector in my IdP first?

Yes. Before enabling SAML in Assembly, you should set up an Assembly connector or app in your IdP's dashboard. Your IdP will provide you with the SAML Endpoint URL, Entity ID, and X.509 Certificate; these are what you'll enter in Assembly.

Will my SAML connection break if I change my password?

No. SAML uses certificates, not passwords. However, if your IdP's security settings change or your admin credentials are revoked, you may need to reconnect.

What happens if I downgrade my plan?

SAML is only available on Business and Enterprise plans. If you downgrade to Team or Free, your SAML connection will be disabled and your settings will be cleared.

Can I use more than one identity provider with Assembly?

No. Only one IdP can be connected to Assembly at a time. If you need to switch IdPs, disable SAML, then set up a new connection with your new IdP.