SAML SSO configuration

Notion provides Single Sign-On (SSO) functionality for Business and Enterprise customers to access the app through a single authentication source. This allows IT administrators to better manage team access and keeps information more secure 🔐
Note: This feature is only available for users on the Business Plan or Enterprise Plan.
With SSO, you can streamline user management across systems, and remove the need for end-users to remember and manage multiple passwords by allowing them to sign in at one single access point and enjoy a seamless experience across multiple applications.

Note: Only members can access a workspace via SSO. Guests will need to use another method to log into Notion.
Prerequisites for SSO with Notion
To use SSO with Notion:
Your workspace must be on a Business Plan or Enterprise Plan.
Your Identity Provider (IdP) must support the SAML 2.0 standard. See instructions for Identity Provider setup for specific apps here →
A workspace owner must configure SAML SSO for the Notion workspace.
At least one domain must be verified by a workspace owner.
Enable SAML SSO for a single workspace
To set up SAML SSO for your workspace, a workspace owner can:
1. Go to Settings, then select the Settings tab. In the Allow email domains section, remove all email domains.
2. Select the Identity & provisioning tab.
3. Verify one or more domains. See instructions for domain verification here →
4. Toggle on Enable SAML SSO. The SAML SSO Configuration modal will automatically appear and prompt you to complete the setup.
The SAML SSO Configuration modal is divided into two parts:
The Assertion Consumer Service (ACS) URL needs to be entered in your Identity Provider (IdP) portal.
The Identity Provider Details field is where you provide either an IdP URL or IdP metadata XML.
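The Identity Provider Details field accepts raw IdP metadata XML, and a malformed or weak document is the usual reason a SAML setup fails at the first login. As an added example (not Notion's code), the Python script below runs the structural checks a service provider depends on before the metadata is pasted in: it pulls out the entity ID, the SingleSignOnService endpoints and the signing certificate, and flags metadata whose endpoints are not HTTPS or which carries no signing key. The IdP name, URLs and "certificate" in the sample are constructed placeholders.

```python
"""Structural checks on a SAML 2.0 IdP metadata document before it is handed
to a service provider's "Identity Provider Details" field.

Added example, not Notion's own code. The metadata below is constructed:
the entity ID and URLs are placeholders (idp.example.test) and the
"certificate" is just base64 of the text "placeholder-cert", not X.509.
"""
import base64
import re
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
PLACEHOLDER_CERT = base64.b64encode(b"placeholder-cert").decode()

# Constructed sample metadata for a hypothetical IdP.
SAMPLE_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.test/saml/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{PLACEHOLDER_CERT}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/sso"/>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# The same document weakened on purpose: plain-HTTP endpoints, no signing key.
WEAKENED_METADATA = re.sub(
    r"<md:KeyDescriptor.*?</md:KeyDescriptor>", "",
    SAMPLE_METADATA.replace("https://idp.example.test/saml/sso",
                            "http://idp.example.test/saml/sso"),
    flags=re.S,
)


def check_idp_metadata(xml_text):
    """Return what an SP needs from IdP metadata plus a list of problems.

    Structural pre-check only: it does not verify a metadata signature or
    parse the certificate itself; the SP does that when assertions arrive.
    """
    problems = []
    root = ET.fromstring(xml_text)  # for untrusted input, prefer defusedxml
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        problems.append("root element is not md:EntityDescriptor")
    entity_id = root.get("entityID")
    if not entity_id:
        problems.append("entityID attribute is missing")

    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        problems.append("no md:IDPSSODescriptor (this may be SP metadata)")
        return {"entity_id": entity_id, "sso_endpoints": {},
                "signing_certs": 0, "problems": problems}

    sso_endpoints = {}
    for svc in idp.findall("md:SingleSignOnService", NS):
        binding = svc.get("Binding", "").rsplit(":", 1)[-1]  # e.g. HTTP-Redirect
        location = svc.get("Location", "")
        sso_endpoints[binding] = location
        if not location.startswith("https://"):
            problems.append(f"SSO endpoint is not HTTPS: {location}")
    if not sso_endpoints:
        problems.append("no md:SingleSignOnService endpoint")

    signing_certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without 'use' is valid for both signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            raw = "".join((cert.text or "").split())  # drop PEM-style line breaks
            if not raw:
                problems.append("empty X509Certificate element")
                continue
            try:
                signing_certs.append(base64.b64decode(raw, validate=True))
            except ValueError:
                problems.append("X509Certificate is not valid base64")
    if not signing_certs:
        problems.append("no signing certificate; the SP cannot verify assertions")

    return {
        "entity_id": entity_id,
        "sso_endpoints": sso_endpoints,
        "signing_certs": len(signing_certs),
        "problems": problems,
    }


if __name__ == "__main__":
    for label, doc in (("sample", SAMPLE_METADATA), ("weakened", WEAKENED_METADATA)):
        print(label, check_idp_metadata(doc))
```

Run it against the metadata your IdP exports; an empty problems list means the document at least has the pieces the SP needs, and a non-empty one tells you what to fix on the IdP side before toggling Enable SAML SSO.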


Note: Linking additional workspaces to a SAML SSO configuration is only possible for customers on the Enterprise Plan. For more information, contact sales →
From the workspace where you have verified your domain and enabled SAML SSO, there is a Linked workspaces section listing all of the workspaces associated with your SAML SSO configuration.

Users with a verified email address who have access to the primary workspace or one of the linked workspaces will be able to log in via SAML SSO.
Sales-assisted Enterprise customers can add Enterprise workspaces to their SAML SSO configuration or remove them by reaching out to [email protected].
Enforce SAML SSO
Once you have completed your configuration of SAML SSO for a single workspace, users will be able to log in via SAML SSO in addition to other log-in methods such as username/password and Google Authentication.
To ensure users can only log in using SAML SSO and no other method, update the Login method to Only SAML SSO. Once this happens, workspace users will be logged out and required to log back in using SAML SSO.

SAML SSO will only be enforced for users who use your verified domain and have access to the primary workspace or a linked workspace.
Guests invited to pages in a Notion workspace can’t use SAML SSO to log in. Instead, they’ll always use their email and password or log in with Google or Apple.
Workspace owners will always have the option to bypass SAML SSO by using their email and password credentials. This is to allow them to access Notion in the event of IdP/SAML failure. They will be able to log in and disable or update their configuration.
Notion supports Just-in-Time provisioning when using SAML SSO. This allows someone signing in via SAML SSO to join the workspace automatically as a member.
To enable Just-in-Time provisioning, go to Settings → Identity & provisioning and make sure that Automatic account creation is enabled.

Note: We don’t recommend enabling Just-in-Time provisioning if you are using SCIM. Having an “allowed email domain” in place lets any user on that domain join the workspace, so membership in your Identity Provider and in Notion could fall out of sync.
Frequently asked questions
Why is the current Enable SAML SSO greyed out?
The most common reason is that you have not yet verified ownership of a domain. If this is the case, you'll notice that you either don’t have any domains listed in the verify email domain section or the domain is pending verification.
Why can’t I edit my SAML SSO settings?
It's possible you're trying to modify the verified domains or SSO configuration from a linked workspace that's already associated with another SSO configuration.
In linked workspaces, all domain management and SSO configuration settings are read-only. To modify the SSO configuration or remove this workspace from the SSO configuration, you must have access to the primary workspace. The name of the primary workspace can be found at the top of the Identity & Provisioning tab in your settings.
Why do I need to verify a domain to enable SSO?
We ask that the email domain ownership is validated to ensure that only the owner of the domain can customize how their users log into Notion.
I'm having trouble setting up SSO.
Try using a URL instead of an XML.
Test the setup process with a test account before enforcing it for users.
If neither of these options helps, reach out to support at
Why should I remove email domains from the “Allowed Email Domains” setting before configuring SAML SSO for my workspace?
The Allowed Email Domain setting allows users with the selected domains to access your workspace without being provisioned via your IdP. To ensure that only users provisioned via your IdP can access your SAML-enabled workspace, disable this feature by removing all email addresses from the Allowed Email Domain list.
Can I still log in to Notion if my Identity Provider (IdP) is out of service?
Yes, even with SAML enforced, workspace owners have the option to log in with email. A workspace owner can change the SAML configuration to disable Enforce SAML so users can log in with email again.
How do I allow admins of other workspaces in my SAML configuration to create new workspaces?
Only the admins of your primary workspace will be able to create new workspaces using your verified domain(s). Please reach out to our support team ([email protected]) to switch your primary SAML workspace to another linked workspace in your SAML configuration.