SSO Setup
Configure Single Sign-On for your Sempleo workspace using SAML or OIDC.
SSO is available on the Professional and Enterprise plans.
Single Sign-On lets your team log in to Sempleo using your organization's identity provider (IdP).
Supported Protocols
- SAML 2.0 — Works with Okta, Azure AD, OneLogin, Google Workspace, and any SAML 2.0-compliant IdP
- OIDC — OpenID Connect support for modern identity providers
Configuration Steps
1. Gather IdP Information
From your identity provider, you'll need:
- IdP SSO URL — The login endpoint
- IdP Entity ID — The unique identifier for your IdP
- IdP Certificate — The X.509 certificate for signature verification
2. Configure in Sempleo
- Go to Settings → Security → SSO
- Select your protocol (SAML or OIDC)
- Enter the IdP details
- Sempleo provides an SP Entity ID and ACS URL to configure in your IdP
3. Configure Your IdP
In your identity provider:
- Create a new SAML/OIDC application
- Set the ACS URL to the value provided by Sempleo
- Set the Entity ID to the value provided by Sempleo
- Map the required attributes:
  - email (required)
  - firstName (recommended)
  - lastName (recommended)
4. Test and Enable
- Click Test Connection in Sempleo
- Log in via your IdP to verify the flow works
- Enable SSO for your workspace
- Optionally, enforce SSO-only login (disables password login)
Provisioning
SSO supports Just-in-Time (JIT) provisioning:
- When a user logs in via SSO for the first time, their account is automatically created
- They are assigned the default role (Member) and can be assigned to teams by an admin
- SCIM provisioning for automatic user lifecycle management is on the roadmap
Troubleshooting
| Issue | Solution |
|---|---|
| "Invalid SAML response" | Check that the ACS URL and Entity ID match exactly |
| Certificate errors | Ensure the IdP certificate is current and correctly pasted |
| User not provisioned | Verify the email attribute is mapped correctly |
| Login loops | Clear browser cookies and try again |