Skip to main content

Single Sign‑On (SSO) in Certifier

This guide explains what SSO is, how it works with Certifier, and how to get your organization set up.

Caroline Tyrko avatar
Written by Caroline Tyrko
Updated over 3 weeks ago

What is SSO?

Single Sign‑On (SSO) lets your team access Certifier using your company’s identity provider (IdP) instead of separate passwords. With SSO, users authenticate once with your IdP and then securely access Certifier.

What we support

In practice, we support all identity providers that implement the SAML 2.0 protocol (SP-initiated flow only, through a dedicated login page).

For your convenience, we provide quick‑start guides for popular IdPs:

Don’t worry if you use a different SAML 2.0 provider, our support team will help you get set up.

How SSO works with Certifier (at a glance)

  1. Organization‑level setting. SSO is enabled per organization. When enabled, the organization becomes SSO‑enforced (details below).

  2. Users join by invite. Workspace owners invite users. Those users can authenticate via your IdP.

  3. Sign‑in with SSO. Users enter their email on the Sign in with SSO page; we route them to your IdP. On the first successful login, we link their Certifier account with the IdP identity.

⚠️ Note: Mixed membership is not allowed: non‑SSO users cannot be added to an SSO‑enforced organization.

Enabling SSO for your organization

  1. Confirm enforcement & users. Enabling SSO enforces SSO for this organization. We will have to delete or disable users from your organization other than the owner.

  2. Contact Support and share SAML metadata. Send your IdP’s SAML metadata URL (or metadata XML).

  3. We’ll confirm setup. We’ll let you know when your IdP is connected and SSO enforcement is active.

Inviting users

  • Who can invite: Workspace and organization owners.

  • Who can be invited: Only users who will authenticate via your configured IdP.

  • What happens on invite: If the email doesn’t exist in Certifier yet, we create an account linked to your organization’s IdP.

Signing in with SSO

  1. Go to Sign in with SSO.

  2. Enter your work email that has been invited to Certifier.

  3. We redirect you to authenticate in your identity provider.

  4. On first successful sign‑in, we securely link your Certifier user with your IdP identity. Next time, just repeat steps 1–3.

If your email isn’t recognized for SSO, contact your workspace owner to be invited, or to confirm SSO is enabled.

Common scenarios & notes

  • Email uniqueness: Each email can be used by only one user in Certifier.

  • Switching to SSO: When your organization moves to SSO, non‑SSO members are removed from organization/workspaces.

  • Multiple workspaces: A single SSO user can be a member of multiple workspaces within the same SSO‑enforced organization.

  • Non‑SSO access: Not allowed for members of an SSO‑enforced organization. The organization owner is the only exception, who retains original access to avoid lock-out.

  • IdP-initiated flows & SCIM: We currently do not support logins initiated by the identity provider and SCIM provisioning.

Troubleshooting

  • I’m getting “No SSO provider found for this email” error

    • Ensure you’re using your work email on the SSO page.

    • Ask your admin to confirm your address is invited to the correct workspace and that SSO is enabled.

  • I can’t log in but I was a member before SSO

    • You could be removed as part of SSO enforcement during the set-up period. Ask your workspace owner to re‑invite you.

  • New employee can’t access Certifier

    • Confirm they have a mailbox in your domain, appear in the IdP, and are invited to a workspace.

What we’ll need from you

  • Your IdP SAML metadata (URL file or XML)

Next steps

  • Ready to enable SSO? Contact Support.

  • Prefer a step‑by‑step? See our guides for select identity providers:

  • Different provider? We’re happy to help—if it speaks SAML 2.0, we are likely to support it.

Did this answer your question?