Overview
Teams on our Enterprise tier can opt to enable SAML SSO to manage logins through an identity provider. We currently support most identity providers (Okta, OneLogin, Google Workspace, Auth0, etc.).
Once SAML/SSO is enabled and domains are verified, all team members are required to log in via SSO by default, which disables every other login method. Existing user sessions are not logged out and users are not notified at the time of enabling, but the next time they sign in they must use SAML to regain access.
Members can log in via your identity provider's website or automatically through Meshy. SSO can only be configured by team owners or admins.
Configuring your identity provider
You will need to add Meshy into your identity provider before logging in with SSO for the first time. Please consult your identity provider's documentation for specific instructions on how to add new applications.
You may need to provide the information below. Optional fields can likely be left blank if your identity provider does not require them.
Protocol | SAML 2.0 |
Single Sign On URL (Also known as ACS URL or Reply URL) | |
Recipient URL | |
Destination URL | |
Audience Restriction (Also known as Entity ID) | |
Name ID format | EmailAddress |
[Optional] Default Relay State |
[Optional] Attribute Statements
Name | Format | Value |
| Basic | user.email |
user_name | Basic | user.login |
first_name | Basic | user.firstName |
last_name | Basic | user.lastName |
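As an added example (not Meshy's own code), this is a pre-flight check an admin could run on a test SAML Response exported from the IdP, to confirm it matches the settings in the tables above. The ACS URL and Entity ID are placeholders because the table leaves them blank, and the function names and sample response are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# Placeholders (assumptions): the table above leaves these values blank.
ACS_URL = "https://sp.example.invalid/saml/acs"
ENTITY_ID = "https://sp.example.invalid/saml/entity"
OPTIONAL_ATTRS = {"user_name", "first_name", "last_name"}  # names legible in the table


def check_response(xml_text, acs_url=ACS_URL, entity_id=ENTITY_ID):
    """Return mismatches between a test SAML Response and the settings above.
    Field comparison only: the XML signature is not verified."""
    root = ET.fromstring(xml_text)  # use only on a response you exported yourself
    findings = []
    if root.get("Destination") != acs_url:
        findings.append("Destination differs from the Single Sign On URL")
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        findings.append("Name ID format is not EmailAddress")
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url:
        findings.append("Recipient differs from the Single Sign On URL")
    audiences = {a.text for a in root.iterfind(".//saml:Audience", NS)}
    if entity_id not in audiences:
        findings.append("Audience does not include the Entity ID")
    sent = {a.get("Name") for a in root.iterfind(".//saml:Attribute", NS)}
    findings += [f"optional attribute {n} not sent" for n in sorted(OPTIONAL_ATTRS - sent)]
    return findings


def sample_response(name_format=EMAIL_FORMAT, audience=ENTITY_ID, attrs=("user_name",)):
    """Constructed, unsigned Response for the demo; not captured from a real IdP."""
    attr_xml = "".join(f'<saml:Attribute Name="{n}"/>' for n in attrs)
    return (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}"'
        f' Destination="{ACS_URL}"><saml:Assertion><saml:Subject>'
        f'<saml:NameID Format="{name_format}">alice@example.invalid</saml:NameID>'
        f'<saml:SubjectConfirmation><saml:SubjectConfirmationData Recipient="{ACS_URL}"/>'
        f'</saml:SubjectConfirmation></saml:Subject><saml:Conditions>'
        f'<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>'
        f'</saml:AudienceRestriction></saml:Conditions>'
        f'<saml:AttributeStatement>{attr_xml}</saml:AttributeStatement>'
        f'</saml:Assertion></samlp:Response>'
    )


if __name__ == "__main__":
    print(check_response(sample_response(name_format=EMAIL_FORMAT.replace("emailAddress", "unspecified"))))
```

An empty list means the response agrees with the configured values; it says nothing about whether the assertion is validly signed.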
Configuration in Meshy
To configure SSO in Meshy, you must be an enterprise team owner or admin.
Go to your Team Settings page
Find the Authentication Settings section at the bottom of the page
Enable SSO/SAML
Enter Sign-in Info
Either enter a sign-in URL or upload an XML file. This info comes from your identity provider (IdP). Some IdPs (like Okta) give you a URL, while others (like Google Workspace) provide an XML file. Check your IdP's documentation to locate this.
Add Domains for SSO. After saving changes, your domains will show as Unverified. Note: Subdomains must be added separately.
Get the Domain Verification Code
Click the "Unverified" button next to a domain. A pop-up will show a text string. You’ll need to add this to your DNS to confirm ownership. If you're not sure how, ask your IT team for help.
Complete Verification
Once the DNS record is added, go back to the Authentication Settings page, click "Unverified" again, then click "Verify." Domains can only be verified one at a time.
SSO enabled successfully
If verified, the domain will show as "Verified". All users with emails from that domain will now log into Meshy using SSO.