SSO & SAML Setup

Overview

Single Sign-On (SSO) via SAML 2.0 is available on Enterprise plans. It lets your team log in with their existing identity provider (IdP).

Supported identity providers

**Okta**

**Azure AD (Microsoft Entra ID)**

**Google Workspace**

**OneLogin**

**JumpCloud**

**Any SAML 2.0 compliant IdP**

Setup steps

1. Get GetLaunchDay's service provider details

Go to **Settings → Security → SSO** and copy:

**ACS URL** (Assertion Consumer Service)

**Entity ID**

**Metadata URL**

2. Configure your IdP

In your identity provider's admin panel:

Create a new SAML application

Paste the ACS URL and Entity ID

Set the Name ID format to **email**

Map the following attributes:

- `email` → user's email

- `firstName` → user's first name

- `lastName` → user's last name

3. Upload IdP metadata

Back in GetLaunchDay:

Upload the **IdP metadata XML** or paste the metadata URL

Click **Test Connection**

If successful, click **Enable SSO**

4. Enforce SSO (optional)

Toggle **Enforce SSO** to require all team members to log in through the IdP. Password login will be disabled.

Just-in-time provisioning

When enabled, new users who authenticate via SSO are automatically created in your workspace with the **Viewer** role. You can then upgrade their role as needed.

Troubleshooting

**"SAML response invalid"** — Check that the Name ID format is set to email

**"User not found"** — Ensure just-in-time provisioning is enabled, or manually invite the user first

**Certificate errors** — Re-download the IdP metadata and re-upload