Single sign-on

Learn how to set up SSO for your Attio workspace.

Table of Contents

Single Sign-On (SSO) enables Enterprise workspaces to manage user access through their identity provider using SAML. This setup streamlines authentication by allowing users to log in with their existing company credentials, while giving admins centralized control over who can access Attio.

Enable Single Sign-On (SSO)

SSO (Single Sign-On) can be set up in Attio by a workspace admin following these steps:

  1. Navigate to the Security page:

    • Click on your workspace name.

    • Select Workspace settings from the dropdown.

    • Click Security in the sidebar.

  2. Verify your domains

    • Under Single Sign-On > Domain Verification, add and verify each of the domains you wish SAML to apply to.

    • For example, if you want attio.com to be protected by your SAML provider (such as Okta), you must verify attio.com using our DNS challenge method.

3. Enable SAML

  • Once your domain(s) are verified, click Enable SAML. This will reveal the SAML configuration options.

4. Configure your IdP (Identity Provider)
To set up SAML within your IdP, you will need to create a new app for Attio. As part of this setup, the IdP will typically ask for several URLs. These may be labeled differently depending on the provider, but often include:

  • Entity ID or Identifier

  • Reply URL

  • Assertion Consumer Service (ACS) URL

For all of these fields, use the following format: https://app.attio.com/{workspace.slug}/saml_login

Replace {workspace.slug} with your actual workspace slug. For example, if your workspace slug is acme, the URL would be:

https://app.attio.com/acme/saml_login.

5. Complete the SAML configuration in Attio

  • Back in Attio, set the Identity Provider Sign-in URL and upload your IdP’s certificate.

  • You can then retrieve your unique SAML SP URL for use with IDP-initiated flows directly from the SAML settings panel.

  • You'll need to ensure that the NameID is the email address of the user, as this is how Attio matches the account to the SAML token.

Frequently asked questions

Did this article answer your question?