You want to share Notion pages with external users but your organization requires OAuth-based Single Sign-On for security compliance. Notion supports OAuth SSO through its Guest Authentication feature, which enforces identity provider validation before a guest can view a shared page. This article explains how to configure OAuth SSO for page sharing in Notion, covering prerequisites, step-by-step setup, and common configuration pitfalls.
Key Takeaways: Configuring OAuth SSO for Notion Page Sharing
- Settings & Members > Settings > Guest Authentication: Enforce SSO by selecting “Require SSO for guests” and choosing your identity provider.
- Share button > Invite guests: After SSO is configured, external users must authenticate via your IdP before accessing the page.
- OAuth 2.0 client ID and secret: Register Notion as an application in your IdP to generate these credentials for the SSO connection.
What OAuth SSO Does for Notion Page Sharing
OAuth SSO lets you control who can access shared Notion pages by requiring guests to authenticate through your organization’s identity provider. Instead of sharing a public link that anyone can open, you enforce a sign-in step that validates the user against your IdP, such as Azure Active Directory, Okta, or Google Workspace. The feature is called Guest Authentication and is available on Notion Business and Enterprise plans. Before configuring it, you need admin access to your Notion workspace and the ability to register an OAuth 2.0 application in your identity provider.
How Guest Authentication Works
When you enable Guest Authentication and require SSO, any guest who clicks a shared Notion page link is redirected to your IdP login page. After successful authentication, the IdP sends an OAuth token back to Notion. Notion verifies the token and grants access to the page. The guest does not need a Notion account; they authenticate using their existing identity provider credentials. The SSO requirement applies to all pages shared with guests in that workspace. You can also set an expiration time for guest access.
Prerequisites
You need a Notion workspace on the Business or Enterprise plan. You must be a workspace owner or admin. Your identity provider must support OAuth 2.0. You need the ability to create an OAuth 2.0 application in that IdP to obtain a client ID and client secret. For this guide, we will use Azure Active Directory as the example IdP, but the steps are similar for Okta, Google, or any OAuth 2.0 provider.
Steps to Configure OAuth SSO for Notion Page Sharing
- Register Notion as an OAuth 2.0 application in your identity provider
In your IdP admin console, create a new application registration. Set the redirect URI tohttps://www.notion.so/oauth/callback. Note the generated client ID and client secret. For Azure AD, go to Azure Active Directory > App registrations > New registration. Enter a name like “Notion Guest SSO” and set the redirect URI tohttps://www.notion.so/oauth/callback. Click Register and copy the Application (client) ID and client secret. - Open Notion workspace settings
In Notion, click Settings & Members in the left sidebar. Then click Settings in the top navigation bar. Scroll down to the Guest Authentication section. - Enable Guest Authentication
Toggle the Guest Authentication switch to On. A new setting appears labeled “Require SSO for guests.” Toggle that switch to On as well. - Configure the SSO connection
Click the Configure button under the SSO section. A dialog opens asking for the OAuth provider details. Enter the following:
– Provider: Select your IdP from the list or choose Custom OAuth 2.0
– Client ID: Paste the client ID from step 1
– Client Secret: Paste the client secret from step 1
– Authorization Endpoint: Enter your IdP’s authorization URL, for examplehttps://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/authorize
– Token Endpoint: Enter your IdP’s token URL, for examplehttps://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/token
– User Info Endpoint: Enter your IdP’s user info URL, for examplehttps://graph.microsoft.com/v1.0/me
– Scope: Enteropenid profile emailor the scopes your IdP requires
Click Save. - Test the SSO connection
Create a test page in Notion. Click the Share button in the top-right corner. Under Invite guests, enter the email address of a test user who exists in your IdP. Click Invite. The test user receives an email with a link to the page. When they click the link, they are redirected to your IdP login page. After they sign in, they should see the Notion page. If the page does not load, check the IdP logs for errors. - Set guest access expiration (optional)
In the Guest Authentication settings, you can set a default expiration time for guest access. Choose from 1 day, 7 days, 30 days, or No expiration. This applies to all new guest invitations.
If Notion Page Sharing With SSO Fails to Work
Guest sees a blank page after SSO login
This usually means the redirect URI is incorrect or the token endpoint is not returning the expected user info. Double-check that the redirect URI in your IdP exactly matches https://www.notion.so/oauth/callback. Verify that the User Info Endpoint returns a JSON object with an email field. If your IdP uses a different field name for the email, Notion may not recognize the user.
SSO toggle is grayed out
The Require SSO for guests toggle is only available on Business and Enterprise plans. If you are on the Plus or Free plan, you cannot enable SSO. Upgrade your workspace plan. Also verify that you are a workspace owner or admin; members cannot change this setting.
Guest receives “Access Denied” after authentication
The guest’s email domain may not match the domain configured in your IdP. Notion matches the email returned by the IdP to the email you entered when inviting the guest. If the guest uses a different email alias, the match fails. Invite the guest using the exact email that their IdP returns.
OAuth endpoints return 400 errors
Ensure the Authorization Endpoint and Token Endpoint URLs are correct for your IdP. For Azure AD, the endpoints include your tenant ID. For Okta, the endpoints include your Okta domain. Check that the client secret has not expired. Generate a new secret in your IdP and update it in Notion.
Notion Guest Authentication With SSO vs Without SSO
| Item | With SSO | Without SSO |
|---|---|---|
| Guest login method | OAuth 2.0 via identity provider | Email magic link |
| Required Notion plan | Business or Enterprise | All plans |
| Guest needs IdP account | Yes | No |
| Centralized access control | Yes, managed in IdP | No, managed per page |
| MFA enforcement | Yes, via IdP policies | No |
| Session timeout | Controlled by IdP token lifetime | Notion default session |
Configuring OAuth SSO for Notion page sharing gives you centralized control over guest access and enforces your organization’s authentication policies. After setup, test with a small group of users before rolling out to all guests. To further secure your workspace, review the Guest Authentication audit log in Settings & Members > Audit Log to see when guests sign in and which pages they access.