
SAML/SSO

Configure Single Sign-On with your identity provider (Okta, Azure AD, Google SAML, etc.). Available on the Agency plan.

Prerequisites

  • An identity provider (IdP) that supports SAML 2.0
  • Admin access to both the IdP and your Expirly workspace

Setup

  1. Go to Settings → Integrations → SAML/SSO
  2. Enter your IdP details:
    • Entry Point URL – The IdP SSO URL (e.g., https://login.microsoftonline.com/.../saml2)
    • Issuer – The entity ID configured in your IdP
    • Certificate – The IdP’s public X.509 certificate (PEM format)
  3. Optional: Enable Force Authentication to require IdP re-authentication on every login
  4. Toggle Enable SAML to activate SSO
  5. Click Save

How It Works

  • When SAML is enabled, users with a matching email domain see a “Sign in with SSO” button on the login page
  • The login form auto-detects SSO availability when the user enters their email address
  • SSO authentication uses the OAuth 2.0 flow via BoxyHQ SAML Jackson (embedded)
  • Users are automatically created in Expirly on first SSO login

ACS (Assertion Consumer Service) URL

Configure this URL in your IdP as the ACS / Reply URL:

https://your-domain.expirly.io/api/auth/saml/acs

Security

  • The SAML Entry Point URL is encrypted with AES-256-GCM before being stored in the database
  • SAML certificates are validated on each authentication attempt
  • Force Authentication prevents session reuse at the IdP level
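Added example, not Expirly's own code: a stdlib-only Python pre-flight check for the three Setup fields, for the ACS URL shape shown above, and for the exact email-domain match that the login form's SSO detection implies. The PEM sample is a constructed placeholder rather than a real certificate, and the one-subdomain-under-expirly.io pattern is an assumption taken from the ACS URL on this page.

```python
"""Pre-flight checks for the Expirly SAML settings before they are pasted into the form."""
import base64
import binascii
import hashlib
import re
from urllib.parse import urlparse

# Framing the Certificate field expects; the base64 body may span several lines.
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(?P<body>.*?)-----END CERTIFICATE-----", re.DOTALL)
# Assumed shape of the ACS URL: one workspace subdomain under expirly.io, fixed path.
ACS_RE = re.compile(r"^https://[a-z0-9-]+\.expirly\.io/api/auth/saml/acs$")


def check_entry_point(url: str) -> list:
    """The IdP SSO URL must be an absolute https URL; anything else is reported."""
    parsed = urlparse(url)
    problems = []
    if parsed.scheme != "https":
        problems.append("entry point must use https")
    if not parsed.netloc:
        problems.append("entry point must be an absolute URL")
    return problems


def check_certificate(pem: str) -> tuple:
    """Check PEM framing, base64 body and DER SEQUENCE tag; return (problems, SHA-256 fingerprint)."""
    m = PEM_RE.search(pem)
    if not m:
        return ["certificate is not PEM-framed"], None
    try:
        der = base64.b64decode("".join(m.group("body").split()), validate=True)
    except (binascii.Error, ValueError):
        return ["certificate body is not valid base64"], None
    if not der or der[0] != 0x30:  # every X.509 certificate is a DER SEQUENCE
        return ["decoded certificate is not a DER SEQUENCE"], None
    digest = hashlib.sha256(der).hexdigest().upper()
    # Colon-separated fingerprint, the form most IdP consoles display for comparison.
    return [], ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def check_acs(url: str) -> bool:
    """True only for the exact ACS URL shape; rejects look-alike hosts such as expirly.io.evil.example."""
    return ACS_RE.match(url) is not None


def sso_domain_matches(email: str, sso_domains: list) -> bool:
    """Exact, case-insensitive domain match for SSO detection (never a suffix or substring match)."""
    _, sep, domain = email.rpartition("@")
    return bool(sep) and domain.lower() in {d.lower() for d in sso_domains}


# Constructed sample: a tiny DER SEQUENCE, not a real certificate, only to exercise the checks.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"
```

Compare the returned fingerprint with the one the IdP console shows for its signing certificate before saving, so a pasted certificate from the wrong tenant is caught before the first login attempt.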