Single Sign On (SSO SAML)

Enterprise plan subscribers can opt to enable SSO for their workspace.

Written by Gary Gaspar
Updated this week

Overview

Integrating Marker.io with your identity provider (IdP) makes logging in simple and secure for your team members. This allows IT administrators to better manage team access and keeps information more secure 🔐

We currently support most identity providers (Okta, OneLogin, Microsoft Entra ID, etc.) via either SAML 2.0 or OpenID Connect.

Requirements

  • SSO is available for customers on our Enterprise plan.

  • You must be an Admin of the Marker.io workspace to configure SSO.

  • Your Identity Provider (IdP) must support the SAML 2.0 standard or OpenID Connect (OIDC).

Enterprise feature

To enable SSO on your workspace, contact us for a demo.


How it works

Once you've enabled SSO on your workspace, your team members will be prompted to authenticate via your IdP, based on their email address, before they can access their Marker.io member account.

Alternatively, they can also log in via your identity provider's website.

Note: Only members with approved domains can access a workspace via SSO. Guests are not supported. Learn more about user roles in Marker.io here.


Login methods

By default, workspace members can log in via the following methods:

  • Email / Password

  • Email login code / Magic link

  • Google Sign On

  • Single Sign On (SSO) - via SAML or OIDC (if configured)

As an Enterprise customer, you can restrict how members authenticate into your workspace for added security.

Exceptions

  • Admins can always log in through any method to prevent lockouts, regardless of the selected authentication method.

  • Guests will always be prompted to log in via other methods than SSO (Guests are not supported by SSO).

  • Members who are part of your workspace, but without an approved domain under your SSO settings, will be prompted to log in via other methods than SSO.


User Provisioning

Marker.io supports Just-in-Time provisioning when using SSO. This allows someone signing in via your IdP to join the workspace automatically as a member, so long as they have access to the Marker.io application through your IdP.

If you want to prevent users in your IdP from joining the workspace automatically, you can manage access in your IdP.

Marker.io currently does not support SCIM.

Domain Join vs. Just-In-Time (JIT) provisioning

There are multiple ways to provision users to your Marker.io workspace. The "Domain Join" feature allows anyone who logs in to Marker.io with an email address on a listed domain to join the workspace as a member, without necessarily being provisioned via your IdP.

To ensure that only users provisioned via your IdP can access your SSO-enabled workspace, we recommend removing all domains listed in the Domain join setting.


Configuration

Microsoft Entra ID

Step 1: Initiate SAML settings in Marker.io

  1. Log in to your Marker.io account

  2. Go to your Workspace Settings, under Authentication (you will need to be an admin).

  3. Under the Authentication Method section, select the SSO SAML option.

  4. A new SSO Configuration section will appear.

  5. Select SAML as an Authentication protocol

  6. Add and verify one or more domains.

  7. Copy your unique ACS URL. You will need it for your configuration in your IdP.

  8. Go to your IdP.

Step 2: Create the Marker.io app in your IdP

  1. Log in to the Microsoft Entra admin center.

  2. Under Applications > Enterprise Applications, click on the top menu + New application.

  3. Once in the Gallery, click on +Create your own application.

  4. Name the application "Marker.io" and select the radio button labelled "Integrate any other application you don't find in the gallery (Non-gallery)".

  5. Once the Marker.io application is created, select Set up SSO > SAML.

  6. Under Basic SAML Configuration, paste the following values in your application configuration:

    1. Reply URL (Assertion Consumer Service URL): <this is the ACS URL you copied from the Marker.io interface in Step 1>

  7. Under Attributes and Claims, set up the mapping as follows. The "User Attributes & Claims" names must be without namespace (no http://schemas.xmlsoap.org/... prefix), and the capitalization is important.

    1. emailaddress --> user.mail

    2. name --> user.userprincipalname

    3. firstName --> user.givenname

    4. lastName --> user.surname

    5. Unique User Identifier --> user.mail

  8. Under SAML Certificates, download the Federation Metadata XML file

  9. In Marker.io Authentication page, in the SAML 2.0 Configuration section, upload the Metadata XML file.

  10. Click Save & Enable SSO

Example of a complete, working SAML setup:

Step 3: Assign users

  1. In your IdP, make sure to now assign users and groups to Marker.io. We recommend assigning everyone.

Custom Configuration via SAML 2.0

Step 1: Initiate SAML settings in Marker.io

  1. Log in to your Marker.io account

  2. Go to your Workspace Settings, under Authentication (you will need to be an admin).

  3. Under the Authentication Method section, select the SSO SAML option.

  4. A new SSO Configuration section will appear.

  5. Select SAML as an Authentication protocol

  6. Add and verify one or more domains.

  7. Copy your unique ACS URL. You will need it for your configuration in your IdP.

  8. Go to your IdP.

Step 2: Create the Marker.io app in your IdP

  1. Create a new Marker.io application in your IdP via SAML 2.0

  2. Paste the following values in your application configuration

    1. ACS: <this is the ACS URL you copied from the Marker.io interface in Step 1>

  3. Under Name ID, set it to EmailAddress

  4. Under Application Username set it to EmailAddress

  5. Configure the following user attributes and map them to your IdP's user profile fields (the values shown are Okta's attribute names; use the equivalent fields in your IdP):

    1. email --> user.email

    2. firstName --> user.firstName

    3. lastName --> user.lastName

  6. Once set up, copy the Metadata Provider URL or download the Metadata XML file.

  7. In Marker.io Authentication page, in the SAML 2.0 Configuration section, paste the Identity Provider Metadata URL or upload the Metadata XML file.

  8. Click Save & Enable SSO

  9. In your IdP, make sure to now assign users and groups to Marker.io. We recommend assigning everyone.
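Both the Entra ID and the custom SAML 2.0 steps above depend on the assertion carrying attribute names without a namespace and with exact capitalization, and on a NameID in email-address format. The following added checker (example code written for this article, not Marker.io's own) parses a SAML assertion and reports namespaced, mis-capitalized, missing or empty attributes against the claim list for either setup. The sample assertion is constructed for the example; the claim lists are taken from the steps above.

```python
"""Check SAML assertion attributes against the mapping Marker.io expects.

Added example, not Marker.io's own code. It parses an AttributeStatement and
reports attributes that carry a namespace URI (e.g. the Entra default
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/...") or whose
capitalization differs from the expected bare name.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Claim names as listed in the Microsoft Entra ID steps of this article.
ENTRA_CLAIMS = ("emailaddress", "name", "firstName", "lastName")
# Attribute names as listed in the custom SAML 2.0 steps of this article.
CUSTOM_CLAIMS = ("email", "firstName", "lastName")


def check_assertion(xml_text: str, expected: tuple) -> list:
    """Return human-readable problems; an empty list means the assertion matches."""
    root = ET.fromstring(xml_text)
    problems = []

    # NameID must be present and formatted as an email address.
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None:
        problems.append("missing Subject/NameID")
    elif name_id.get("Format") != EMAIL_NAMEID_FORMAT:
        problems.append(f"NameID Format is {name_id.get('Format')!r}, expected {EMAIL_NAMEID_FORMAT!r}")

    # Collect attributes by bare name, flagging any that still carry a namespace.
    found = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name", "")
        if "/" in name or ":" in name:
            problems.append(f"attribute {name!r} carries a namespace; the bare name is expected")
            name = name.rsplit("/", 1)[-1]
        found[name] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]

    # Compare case-sensitively, but detect capitalization slips separately.
    by_lower = {k.lower(): k for k in found}
    for want in expected:
        if want in found:
            if not any(found[want]):
                problems.append(f"attribute {want!r} is present but empty")
        elif want.lower() in by_lower:
            problems.append(f"attribute {by_lower[want.lower()]!r} should be spelled {want!r} (capitalization matters)")
        else:
            problems.append(f"attribute {want!r} is missing")
    return problems


# Constructed sample (not a real IdP response): one namespaced claim, one
# wrongly capitalized claim, one correct claim, and the email claim missing.
SAMPLE_BAD = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example" Version="2.0">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
      <saml:AttributeValue>jane@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="firstname">
      <saml:AttributeValue>Jane</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="lastName">
      <saml:AttributeValue>Doe</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

# Constructed sample that matches the custom SAML 2.0 mapping exactly.
SAMPLE_GOOD = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example2" Version="2.0">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>jane@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

if __name__ == "__main__":
    for line in check_assertion(SAMPLE_BAD, ENTRA_CLAIMS):
        print("-", line)
    print("custom mapping problems:", check_assertion(SAMPLE_GOOD, CUSTOM_CLAIMS))
```

Run it against a decoded SAMLResponse captured from your own browser's developer tools during a failed login; the three findings on the constructed sample are the three mistakes most often made when the claims are left at their IdP defaults.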

Custom Configuration via OpenID Connect (OIDC)

Step 1: Create the Marker.io app in your IdP

  1. Create a new Marker.io application in your IdP via OpenID Connect

  2. Paste the following values in your application configuration

    1. Sign-in redirect URIs, add https://api.marker.io/auth/sso/oidc

  3. Finalize app creation

  4. Copy the following values from your newly created app

    1. Client ID

    2. Client Secret

  5. In your IdP, make sure to now assign users and groups to Marker.io. We recommend assigning everyone.

Step 2: Configure OpenID Connect settings in Marker.io

  1. Log in to your Marker.io account

  2. Go to your Workspace Settings, under Authentication (you will need to be an admin).

  3. Under the Authentication Method section, select the SSO option.

  4. A new SSO Configuration section will appear.

  5. Select OpenID Connect as an Authentication protocol

  6. Add and verify one or more domains.

  7. Paste the following values from your IdP

    1. Client ID

    2. Client Secret

  8. Click Save & Enable SSO

  9. In your IdP, make sure to now assign users and groups to Marker.io. We recommend assigning everyone.


Troubleshooting

If you encounter errors when setting up SAML SSO, check that your IdP's metadata, SAML requests and SAML responses are valid XML against the SAML XSD schemas. You can do so using this online tool: https://www.samltool.com/validate_xml.php

Note that we do not support the EntitiesDescriptor element. If your IdP's metadata contains this element, extract the contained EntityDescriptor element and try again.
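The following added script (example code written for this article, not Marker.io's own) performs that extraction offline and checks the pieces a service provider needs from IdP metadata: an entityID, at least one SingleSignOnService endpoint and a signing certificate. The metadata file it runs on is constructed for the example, with a placeholder certificate value.

```python
"""Unwrap EntitiesDescriptor and sanity-check IdP SAML metadata.

Added example, not Marker.io's own code. Marker.io does not accept metadata
whose root is EntitiesDescriptor, so this extracts the contained
EntityDescriptor that holds an IDPSSODescriptor and verifies the parts a
SAML service provider relies on.
"""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}
# Keep the conventional prefixes when the extracted element is re-serialized.
ET.register_namespace("md", MD)
ET.register_namespace("ds", DS)


def unwrap_entity_descriptor(xml_text: str) -> ET.Element:
    """Return the IdP's EntityDescriptor, unwrapping an EntitiesDescriptor if needed."""
    root = ET.fromstring(xml_text)
    if root.tag == f"{{{MD}}}EntityDescriptor":
        return root
    if root.tag == f"{{{MD}}}EntitiesDescriptor":
        for entity in root.iter(f"{{{MD}}}EntityDescriptor"):
            if entity.find("md:IDPSSODescriptor", NS) is not None:
                return entity
        raise ValueError("EntitiesDescriptor contains no EntityDescriptor with an IDPSSODescriptor")
    raise ValueError(f"unexpected root element {root.tag!r}")


def check_idp_metadata(xml_text: str) -> dict:
    """Summarize the IdP metadata and list anything a SAML SP would reject."""
    entity = unwrap_entity_descriptor(xml_text)
    idp = entity.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("EntityDescriptor has no IDPSSODescriptor")

    bindings = [s.get("Binding") for s in idp.findall("md:SingleSignOnService", NS)]
    # A KeyDescriptor without a 'use' attribute is valid for both signing and encryption.
    has_signing_cert = False
    for key in idp.findall("md:KeyDescriptor", NS):
        if key.get("use") in (None, "signing"):
            cert = key.find(".//ds:X509Certificate", NS)
            if cert is not None and (cert.text or "").strip():
                has_signing_cert = True

    problems = []
    if not entity.get("entityID"):
        problems.append("missing entityID")
    if not bindings:
        problems.append("no SingleSignOnService endpoint")
    if not has_signing_cert:
        problems.append("no signing certificate in a KeyDescriptor")

    return {
        "entity_id": entity.get("entityID"),
        "sso_bindings": bindings,
        "has_signing_cert": has_signing_cert,
        "problems": problems,
        # Stand-alone EntityDescriptor document, ready to upload.
        "xml": ET.tostring(entity, encoding="unicode"),
    }


# Constructed sample metadata (not from any real IdP), wrapped in the
# EntitiesDescriptor element that Marker.io does not accept.
SAMPLE_WRAPPED = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <md:EntityDescriptor entityID="https://idp.example.com/metadata">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing">
        <ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER_BASE64_CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      </md:KeyDescriptor>
      <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.example.com/sso/redirect"/>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://idp.example.com/sso/post"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""

if __name__ == "__main__":
    result = check_idp_metadata(SAMPLE_WRAPPED)
    print("entityID:", result["entity_id"])
    print("bindings:", result["sso_bindings"])
    print("problems:", result["problems"] or "none")
    print(result["xml"])
```

Save the printed `xml` to a file and upload that instead of the original; the re-serialized element carries its own namespace declarations, so it is a complete document on its own.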


FAQs

How can I add new users?

Once SSO is enabled on your workspace, make sure that members are given access in your identity provider (IdP). New members will be automatically provisioned using Just-In-Time (JIT) provisioning, and an account will be created for them so long as they have access through your IdP.

I get an error when logging in. Can you help?

If SSO is enabled for your workspace and you can't log in, please try logging out of your Identity Provider (Okta, Entra ID, etc.) and then logging in again. If you get repeated errors, please contact our support team.

Do you support user Provisioning? SCIM?

We support Just-in-Time provisioning when using SSO. However, we don't currently support SCIM.

Can Guests log in with SSO?

No. Currently, SSO is only supported for Members.

Why is it recommended to remove email domains from the “Domain join” setting before configuring SSO for my workspace?

The "Domain Join" setting allows users with email addresses on the selected domains to access your workspace without being provisioned via your IdP. To ensure that only users provisioned via your IdP can access your SAML-enabled workspace, disable this feature by removing all domains from the "Domain Join" list.

Can I still log in to Marker.io if my identity provider is out of service?

Yes. Even with SSO enforced, workspace admins have the option to log in with email.
