How can I configure SSO for multiple workspaces with the same domain?

You only need to set up SSO once. In Attio, users log in to the app itself rather than to a specific workspace. Once SSO is configured for your domain, any user with that domain can log in and access all of the workspaces they’re a member of. This means you don’t have to configure SSO separately for each workspace. The login method is determined by the user’s email domain, so a single setup ensures that SSO works across all workspaces under that domain. If someone is a member of multiple workspaces using the same domain, logging in with SSO will take them first to the workspace where SSO was set up. From there, they can manually switch to any of their other workspaces .

How do I change my Attio email address if my workspace uses SSO?

The way this works depends on whether the new email uses the same domain as the one currently associated with your account. SSO in Attio is enforced at the domain level, not the individual email address. If your workspace has SSO enabled for examplecorp.com, any email ending in @examplecorp.com will continue to log in via SSO. Changing your email from alex.jones@examplecorp.com to alex.smith@examplecorp.com, for example, does not require any changes to your SSO setup and you can update the email directly in Attio. If you change your email to a different domain, such as alex.jones@samplemail.com, SSO will no longer apply because the new domain is not verified for SSO in the workspace. In that case, you will need to sign in using email and password unless the new domain is added and verified for SSO.

Single sign-on

Learn how to set up SSO for your Attio workspace.

Table of Contents

Available on enterprise plan.

Only admins can set up Single Sign-On.

Single Sign-On (SSO) enables Enterprise workspaces to manage user access through their identity provider using SAML. This setup streamlines authentication by allowing users to log in with their existing company credentials, while giving admins centralized control over who can access Attio.

Enable Single Sign-On (SSO)

SSO (Single Sign-On) can be set up in Attio by a workspace admin following these steps:

Navigate to the Security page:
- Click on your workspace name.
- Select Workspace settings from the dropdown.
- Click Security in the sidebar.
Verify your domains
- By Domain verification, click + Add domain and verify each of the domains you wish SAML to apply to.
- For example, if you want attio.com to be protected by your SAML provider (such as Okta), you must verify attio.com using the DNS challenge method.

Security page with domain verification option

After adding a domain, click the ⋮ icon to its right to access additional options:

Show DNS details: View the DNS records used to verify the domain.
Restrict email edits: Prevent workspace members with an email on this domain from changing their login email. When enabled, affected members won't see the option to edit their email on their profile page.
Remove: Delete the domain from your workspace.

3. Enable SAML

Once your domain(s) are verified, click the toggle by Enable single sign-on. This will reveal the SAML configuration options.
Enable Require SSO for sign-in to only allow users to sign in through your identity provider, or disable to allow other sign-in methods.

Single sign-on settings with toggles for enabling and requiring SSO

4. Configure your IdP (Identity Provider)
To set up SAML within your IdP, you will need to create a new app for Attio. As part of this setup, the IdP will typically ask for several URLs. These may be labeled differently depending on the provider, but often include:

Entity ID or Identifier
Reply URL
Assertion Consumer Service (ACS) URL

For all of these fields, use the following format: https://app.attio.com/{workspace.slug}/saml_login

Replace {workspace.slug} with your actual workspace slug. For example, if your workspace slug is acme, the URL would be:

https://app.attio.com/acme/saml_login.

5. Complete the SAML configuration in Attio

In Attio, click Configure under Single sign-on (SSO).
Enter your identity provider sign-in URL.
Upload your identity provider’s Security certificate (X.509).
Copy your Attio SSO URL and add it to your identity provider configuration.

Make sure your identity provider sends the user’s email address as the NameID, as Attio uses this to match users to accounts.

SSO configuration window for inputting provider URL and uploading security certificate

Introductions

Workflows

Sequences

Reports

Attio for product-led growth

Attio 101

Attio AI

Managing your data

Email & calendar

Imports & exports

Productivity & collaborating

Automations

Tools and extensions

Account settings

Workspace settings & billing

Industry guides

Support

Automations apps

Zapier app

Other apps

Single sign-on

Enable Single Sign-On (SSO)

Frequently asked questions

Enable Single Sign-On (SSO)Copy link

Frequently asked questions

How can I configure SSO for multiple workspaces with the same domain?

How do I change my Attio email address if my workspace uses SSO?

Enable Single Sign-On (SSO)