
Single Sign On (SSO SAML)

Enterprise plan subscribers can opt to enable SSO for their workspace.

Single Sign On (SSO) is a key security feature of Marker.io. To keep your Marker.io account as secure as possible, check out our detailed guide:


Integrating Marker.io with your identity provider (IdP) makes logging in simple and secure for your team members. This allows IT administrators to better manage team access and keeps information more secure.

We support most identity providers (Okta, OneLogin, Microsoft Entra ID, and others) via both SAML 2.0 and OpenID Connect.

Requirements

  • SSO is available for customers on our Custom plans.

  • You must be an Admin of the Marker.io workspace to configure SSO.

  • Your Identity Provider (IdP) must support the SAML 2.0 standard or OpenID Connect (OIDC).

Enterprise feature

To enable SSO on your workspace, contact us today ->


How it works

Once you've enabled SSO on your workspace, team members will be prompted to authenticate via your IdP based on their email address, which gives them access to their Marker.io member account. Alternatively, they can log in from your identity provider's website.

Note: Only members with approved domains can access a workspace via SSO. Guests are not supported. Learn more about user roles in Marker.io here.


Login methods

By default, workspace members can log in via the following methods:

  • Email / Password

  • Email login code / Magic link

  • Google Sign On

  • Single Sign On (SSO) - via SAML or OIDC (if configured)

As an Enterprise customer, you can restrict how members authenticate into your workspace for added security.

Exceptions

  1. Admins can always log in through any method to prevent lockouts, regardless of the selected authentication method.

  2. Guests will always be prompted to log in via methods other than SSO (Guests are not supported by SSO).

  3. Members who are part of your workspace but without an approved domain under your SSO settings will be prompted to log in via methods other than SSO.


User Provisioning

Marker.io supports Just-in-Time provisioning when using SSO. Someone signing in via your IdP can join the workspace automatically as a member, as long as they have access to the Marker.io application through your IdP.

If you want to prevent some users in your IdP from joining the workspace automatically, control which users and groups are assigned to the Marker.io application in your IdP.

Marker.io does not currently support SCIM.

Domain Join vs. Just-In-Time (JIT) provisioning

There are multiple ways to provision users to your Marker.io workspace. The "Domain Join" feature allows anyone who logs in to Marker.io with an email address on a listed domain to join the workspace as a member, without necessarily being provisioned via your IdP.

To ensure that only users provisioned via your IdP can access your SSO-enabled workspace, we recommend removing all domains listed in the Domain join setting.


Configuration

Okta

Microsoft Entra ID

Setting up Marker.io with Entra ID now uses the Marker.io app from the Microsoft Entra App Gallery, which makes configuration much simpler.

  1. Open Microsoft Azure.

  2. Search for Enterprise applications using the top bar field.

  3. Click + New application.

  4. Search for Marker.io, select the Marker.io app from the Microsoft Entra App Gallery, and click Create.

  5. Navigate to the created app.

  6. In the left menu, go to Manage > Single sign-on.

  7. In a new tab, open your Marker.io Authentication settings at https://app.marker.io/settings/team/auth.

  8. In Marker.io, copy the ACS URL.

  9. Back in the Entra ID window, click Edit on Basic SAML Configuration.

  10. Add the ACS URL you copied from Marker.io to the Reply URL list.

  11. Click Save at the top-left of the sidebar panel.

  12. In the same page, find the App Federation Metadata Url and copy it.

  13. Back in Marker.io auth settings, paste the copied URL into the Identity Provider URL field and click Configure.

  14. Once configured, click Save & Enable SSO in the top-right corner of the Marker.io panel.

  15. Test an SSO login.

    1. Sign out.

    2. Type your email. It must be an email address that exists in Entra ID and match your SSO domains.

    3. Click Login, then click Sign in using Entra ID.

    4. Follow the steps in Entra ID. After the redirection, your Marker.io login should work.

You're done.

Example of a complete, working SAML setup:

Custom Configuration via SAML 2.0

Step 1: Initiate SAML settings in Marker.io

  1. Log in to your Marker.io account

  2. Go to your Workspace Settings, under Authentication (you will need to be admin).

  3. Under the Authentication Method section, select the SSO SAML option.

  4. A new SSO Configuration section will appear.

  5. Select SAML as the Authentication protocol.

  6. Add and verify one or more domains.

  7. Copy your unique ACS URL. You'll need it when configuring your IdP.

  8. Go to your IdP provider.

Step 2: Create the Marker.io app in your IdP

  1. Create a new Marker.io application in your IdP via SAML 2.0

  2. Paste the following values in your application configuration

    1. ACS / Single sign-on URL: the unique ACS URL you copied from Marker.io in Step 1

  3. Under Name ID, set it to EmailAddress

  4. Under Application Username set it to EmailAddress

  5. Configure the following user attributes and map them to the corresponding user attributes in your IdP (Okta values shown):

    1. email --> user.email

    2. firstName --> user.firstName

    3. lastName --> user.lastName

  6. Copy the Metadata Provider URL or XML file.

  7. On the Marker.io Authentication page, in the SAML 2.0 Configuration section, paste the Identity Provider Metadata URL or upload the Metadata XML file.

  8. Click Save & Enable SSO.

  9. In your IdP, assign users and groups to Marker.io. We recommend assigning everyone.
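To confirm that your IdP releases what Step 2 asks for (a NameID in emailAddress format plus the email, firstName and lastName attributes), here is an added Python check; it is not part of Marker.io's documentation or product. It inspects a decoded, unencrypted SAML assertion (for example one captured with a browser SAML tracer); the sample assertions and the example.test addresses are constructed, not captured from a real IdP.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 assertion namespace; the standard URN behind the "EmailAddress" NameID choice.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
REQUIRED_ATTRS = ("email", "firstName", "lastName")  # attribute names from Step 2.5


def check_assertion(xml_text: str) -> list:
    """Return the list of mismatches between a decoded assertion and the Marker.io
    SAML settings above (NameID = EmailAddress, attributes email/firstName/lastName).
    An empty list means the IdP releases what the custom SAML setup expects."""
    problems = []
    root = ET.fromstring(xml_text.strip())
    assertion = root if root.tag.endswith("}Assertion") else root.find(".//saml:Assertion", NS)
    if assertion is None:
        return ["no saml:Assertion element found (encrypted assertions are not inspected here)"]
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        problems.append("missing Subject/NameID")
    else:
        if name_id.get("Format") != EMAIL_FORMAT:
            problems.append(f"NameID Format is {name_id.get('Format')!r}, expected emailAddress")
        if "@" not in (name_id.text or ""):
            problems.append("NameID value is not an email address")
    released = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
                for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    for name in REQUIRED_ATTRS:
        if name not in released:
            problems.append(f"attribute {name!r} is not released by the IdP")
        elif not any(released[name]):
            problems.append(f"attribute {name!r} is released but empty")
    return problems


# Constructed sample assertion (not captured from a real IdP); signatures omitted.
GOOD = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion><saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane@example.test</saml:NameID>
  </saml:Subject><saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>jane@example.test</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement></saml:Assertion>
</samlp:Response>"""
# The same response with an unspecified, non-email NameID and no lastName attribute.
BAD = (GOOD.replace("nameid-format:emailAddress", "nameid-format:unspecified")
           .replace(">jane@example.test</saml:NameID>", ">jdoe</saml:NameID>")
           .replace('<saml:Attribute Name="lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>', ""))
```

Running `check_assertion(GOOD)` returns an empty list, while `check_assertion(BAD)` lists the three mismatches a login failure would typically trace back to.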

Custom Configuration via OpenID Connect (OIDC)

Step 1: Create the Marker.io app in your IdP

  1. Create a new Marker.io application in your IdP via OpenID Connect

  2. Paste the following values in your application configuration

    1. Under Sign-in redirect URIs, add https://api.marker.io/auth/sso/oidc

  3. Finalize app creation

  4. Copy the following values from your newly created app: Client ID and Client Secret.

  5. In your IdP, make sure to assign users and groups to Marker.io. We recommend assigning everyone.

Step 2: Configure OpenID Connect settings in Marker.io

  1. Log in to your Marker.io account

  2. Go to your Workspace Settings, under Authentication (you will need to be admin).

  3. Under the Authentication Method section, select the SSO option.

  4. A new SSO Configuration section will appear.

  5. Select OpenID Connect as the Authentication protocol.

  6. Add and verify one or more domains.

  7. Paste the following values from your IdP:

    1. Client ID

    2. Client Secret

  8. Click Save & Enable SSO.

  9. In your IdP, assign users and groups to Marker.io. We recommend assigning everyone.


Troubleshooting

If you encounter errors when setting up SAML SSO, check that your IdP's metadata, SAML requests and SAML responses are valid XML against the SAML XSD schemas. You can do so using this online tool: https://www.samltool.com/validate_xml.php

Note that we do not support the EntitiesDescriptor element. If your IdP's metadata contains this element, extract the contained EntityDescriptor element and try again.
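The EntitiesDescriptor case above can be handled with a short script. The following Python helper is an added example, not a Marker.io tool: it takes IdP metadata XML, unwraps an EntitiesDescriptor if present, checks that exactly one IdP entry with an https SingleSignOnService remains, and returns that EntityDescriptor on its own so it can be uploaded as the Metadata XML file. The sample metadata and the example.test entity IDs are constructed.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD}
# Keep the conventional prefixes when re-serialising instead of ns0/ns1.
ET.register_namespace("md", MD)
ET.register_namespace("ds", "http://www.w3.org/2000/09/xmldsig#")


def extract_entity_descriptor(metadata_xml: str, entity_id=None) -> str:
    """Return a standalone md:EntityDescriptor for the IdP as an XML string.
    Accepts either a bare EntityDescriptor or an EntitiesDescriptor wrapper
    (the wrapper is what Marker.io rejects). Raises ValueError when no single
    IdP descriptor with an https SingleSignOnService can be found."""
    root = ET.fromstring(metadata_xml.strip())
    if root.tag == f"{{{MD}}}EntityDescriptor":
        candidates = [root]
    elif root.tag == f"{{{MD}}}EntitiesDescriptor":
        candidates = root.findall(".//md:EntityDescriptor", NS)
    else:
        raise ValueError(f"unexpected root element {root.tag}")
    if entity_id is not None:  # optional: pick one IdP out of a federation file
        candidates = [c for c in candidates if c.get("entityID") == entity_id]
    idps = [c for c in candidates if c.find("md:IDPSSODescriptor", NS) is not None]
    if len(idps) != 1:
        raise ValueError(f"expected exactly one IdP EntityDescriptor, found {len(idps)}")
    idp = idps[0]
    sso = idp.find("md:IDPSSODescriptor/md:SingleSignOnService", NS)
    if sso is None or not sso.get("Location", "").startswith("https://"):
        raise ValueError("IDPSSODescriptor has no https SingleSignOnService")
    # A signature over the outer EntitiesDescriptor does not cover the extracted
    # element on its own, so obtain the metadata over a trusted channel.
    return ET.tostring(idp, encoding="unicode").strip()


# Constructed sample: a federation-style file with one SP and one IdP entry.
SAMPLE_ENTITIES = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:EntityDescriptor entityID="https://sp.example.test/saml">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.example.test/saml">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                              Location="https://idp.example.test/sso"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""
```

Write the returned string to a file and upload it as the Metadata XML; the SP entry and the wrapper are dropped.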


FAQs

How can I add new users?

Once SSO is enabled on your workspace, give members access in your identity provider (IdP). New members will be automatically provisioned using Just-In-Time (JIT) provisioning, and an account will be created for them as long as they have access through your IdP.

I get an error when logging in. Can you help?

If SSO is enabled for your workspace and you can't log in, try logging out of your Identity Provider (Okta, Entra ID, and similar) and then logging in again. If you get repeated errors, contact our support team.

Do you support user provisioning or SCIM?

We support Just-in-Time provisioning when using SSO. We don't currently support SCIM.

Can Guests log in with SSO?

No. SSO is only supported for Members.

Why is it recommended to remove email domains from the "Domain Join" setting before configuring SSO for my workspace?

The "Domain Join" setting allows users with the listed email domains to access your workspace without being provisioned via your IdP. To ensure that only users provisioned via your IdP can access your SAML-enabled workspace, disable this feature by removing all email domains from the "Domain Join" list.

Can I still log in to Marker.io if my identity provider is out of service?

Yes. Even with SSO enforced, workspace admins can log in with their email.
