What is SSO?
Single Sign‑On (SSO) lets your team access Certifier using your company’s identity provider (IdP) instead of separate passwords. With SSO, users authenticate once with your IdP and then securely access Certifier.
What we support
In practice, we support all identity providers that implement the SAML 2.0 protocol (SP-initiated flow only, through a dedicated login page).
For your convenience, we provide quick‑start guides for popular IdPs:
Don’t worry if you use a different SAML 2.0 provider, our support team will help you get set up.
How SSO works with Certifier (at a glance)
Organization‑level setting. SSO is enabled per organization. When enabled, the organization becomes SSO‑enforced (details below).
Users join by invite. Workspace owners invite users. Those users can authenticate via your IdP.
Sign‑in with SSO. Users enter their email on the Sign in with SSO page; we route them to your IdP. On the first successful login, we link their Certifier account with the IdP identity.
⚠️ Note: Mixed membership is not allowed: non‑SSO users cannot be added to an SSO‑enforced organization.
Enabling SSO for your organization
Confirm enforcement & users. Enabling SSO enforces SSO for this organization. We will have to delete or disable users from your organization other than the owner.
Contact Support and share SAML metadata. Send your IdP’s SAML metadata URL (or metadata XML).
We’ll confirm setup. We’ll let you know when your IdP is connected and SSO enforcement is active.
Inviting users
Who can invite: Workspace and organization owners.
Who can be invited: Only users who will authenticate via your configured IdP.
What happens on invite: If the email doesn’t exist in Certifier yet, we create an account linked to your organization’s IdP.
Signing in with SSO
Go to Sign in with SSO.
Enter your work email that has been invited to Certifier.
We redirect you to authenticate in your identity provider.
On first successful sign‑in, we securely link your Certifier user with your IdP identity. Next time, just repeat steps 1–3.
If your email isn’t recognized for SSO, contact your workspace owner to be invited, or to confirm SSO is enabled.
Common scenarios & notes
Email uniqueness: Each email can be used by only one user in Certifier.
Switching to SSO: When your organization moves to SSO, non‑SSO members are removed from organization/workspaces.
Multiple workspaces: A single SSO user can be a member of multiple workspaces within the same SSO‑enforced organization.
Non‑SSO access: Not allowed for members of an SSO‑enforced organization. The organization owner is the only exception, who retains original access to avoid lock-out.
IdP-initiated flows & SCIM: We currently do not support logins initiated by the identity provider and SCIM provisioning.
Troubleshooting
I’m getting “No SSO provider found for this email” error
Ensure you’re using your work email on the SSO page.
Ask your admin to confirm your address is invited to the correct workspace and that SSO is enabled.
I can’t log in but I was a member before SSO
You could be removed as part of SSO enforcement during the set-up period. Ask your workspace owner to re‑invite you.
New employee can’t access Certifier
Confirm they have a mailbox in your domain, appear in the IdP, and are invited to a workspace.
What we’ll need from you
Your IdP SAML metadata (URL file or XML)
Next steps
Ready to enable SSO? Contact Support.
Prefer a step‑by‑step? See our guides for select identity providers:
Different provider? We’re happy to help—if it speaks SAML 2.0, we are likely to support it.