If your organization requires centralized authentication, Notion supports Single Sign-On for workspace accounts. SSO lets users log into Notion using your company identity provider instead of a separate password. This article explains the prerequisites, the configuration steps for both SAML 2.0 and OIDC providers, and common setup mistakes to avoid.
Key Takeaways: Notion SSO Setup for Enterprise Workspaces
- Settings & Members > Settings > Security & SSO: The starting point for configuring SSO in a Notion workspace.
- SAML 2.0 or OIDC provider: You must have an identity provider such as Okta, Azure AD (now Microsoft Entra ID), or Google Workspace configured before starting.
- SCIM provisioning: After SSO is active, enable SCIM to automatically add and remove users from your workspace.
What Is Notion SSO and What Do You Need Before Setup
Single Sign-On lets users authenticate through your company identity provider instead of with a Notion password. Notion supports the SAML 2.0 and OIDC protocols. When SSO is enabled, users are redirected to your IdP login page; once SSO is enforced, password sign-in is disabled altogether. Only workspace owners can configure SSO, and the workspace needs a Business or Enterprise subscription plus an identity provider that supports SAML 2.0 or OIDC. Notion also supports Just-in-Time provisioning, which creates new workspace members automatically the first time they authenticate, so membership is then governed by who the IdP allows to use the Notion application.
Before you begin, confirm that your identity provider has the Notion app or a custom SAML application configured and that the right users or groups are assigned to it. You will need the following from your IdP: the SAML SSO URL, the entity ID (also called the issuer), and the X.509 certificate the IdP uses to sign assertions; most IdPs publish all three in a metadata XML file. For OIDC, you need the client ID, client secret, and the well-known configuration endpoint. Notion also requires that you map the email attribute from your IdP to the Notion user email field.
Steps to Configure SAML 2.0 SSO in Notion
- Open workspace settings
Go to Settings & Members in the left sidebar, select Settings from the top menu, and click the Security & SSO tab.
- Choose SSO provider
Click the Configure SSO button and select SAML 2.0 from the dropdown list.
- Enter IdP details
Paste the SAML SSO URL, entity ID, and X.509 certificate from your identity provider into the corresponding fields in Notion.
- Set attribute mapping
Notion expects the email attribute from your IdP. If your IdP uses a different claim name, enter the correct attribute name in the Email Attribute field.
- Enable Just-in-Time provisioning (optional)
Toggle the option to create workspace members automatically the first time they authenticate. This is convenient for new teams, but anyone who can authenticate to the Notion application in your IdP then becomes a member, so restrict the application's assignment in the IdP to the people who should have access.
- Test the configuration
Click the Test SSO Connection button. Notion attempts to authenticate using your IdP. If the test fails, check the error message for missing fields or incorrect certificate data.
- Save and enforce SSO
After a successful test, click Save. Optionally, toggle Enforce SSO to block password-based login for all members. Before enforcing, confirm that at least one workspace owner has signed in through SSO successfully: enforcement applies to owners too, and a broken configuration would lock everyone out of the workspace until it is fixed.
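Most IdPs export the three values the SAML form asks for (entity ID, SSO URL, signing certificate) in a metadata XML file, and the certificate in that file is bare base64 rather than PEM. The following pre-flight script is an added example, not Notion's code or anything from the page: it parses the standard SAML metadata format, picks the HTTP-POST (or, failing that, HTTP-Redirect) SingleSignOnService URL, keeps only signing certificates, and normalizes the certificate into the PEM block Notion expects. The metadata document and the certificate body are constructed for the example (the body is a five-byte dummy DER, not a real certificate).

```python
"""Pre-flight for Notion's SAML form: pull entity ID, SSO URL and the signing
certificate out of IdP metadata and normalize the certificate to PEM.
Added example; the metadata below is constructed and the cert is a dummy."""
import base64
import binascii
import textwrap
import xml.etree.ElementTree as ET  # use defusedxml for metadata from an untrusted source

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"

# Constructed sample in the shape of a real IdP metadata export (dummy values).
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.com/saml/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>
            MAMC
            AQE=
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/saml/redirect"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/saml/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def to_pem(cert_text):
    """Turn a certificate pasted as bare base64, or as a PEM block with stray
    whitespace, into a clean PEM block (64-char lines, header and footer).
    Raises ValueError if the body is not base64-encoded DER."""
    body = cert_text.replace(PEM_HEADER, "").replace(PEM_FOOTER, "")
    body = "".join(body.split())  # drop newlines, spaces and indentation
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError("certificate body is not valid base64") from exc
    if not der or der[0] != 0x30:  # a DER certificate starts with a SEQUENCE tag
        raise ValueError("decoded certificate is not DER-encoded")
    return "\n".join([PEM_HEADER, *textwrap.wrap(body, 64), PEM_FOOTER]) + "\n"


def extract_idp_values(metadata_xml):
    """Return the entity ID, SSO URL and signing certificate (PEM) for Notion's form."""
    root = ET.fromstring(metadata_xml)
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("metadata has no entityID")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata does not describe an IdP")

    # Prefer the HTTP-POST endpoint and fall back to HTTP-Redirect.
    locations = {s.get("Binding"): s.get("Location")
                 for s in idp.findall("md:SingleSignOnService", NS)}
    sso_url = locations.get(POST_BINDING) or locations.get(REDIRECT_BINDING)
    if not sso_url:
        raise ValueError("no HTTP-POST or HTTP-Redirect SingleSignOnService")

    # Signing certificates only: an encryption certificate cannot verify assertions.
    certs = [kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
             for kd in idp.findall("md:KeyDescriptor", NS)
             if kd.get("use") in (None, "signing")]
    certs = [c for c in certs if c]
    if not certs:
        raise ValueError("no signing certificate in metadata")
    if len(certs) > 1:
        # IdPs publish old and new certificates during rotation; choose deliberately.
        print(f"warning: {len(certs)} signing certificates found, using the first")
    return {"entity_id": entity_id, "sso_url": sso_url, "certificate": to_pem(certs[0])}


if __name__ == "__main__":
    for key, value in extract_idp_values(SAMPLE_METADATA).items():
        print(f"{key}:\n{value}\n")
```

Paste the three printed values into Notion as-is. If the script warns about more than one signing certificate, the IdP is mid-rotation; check which one currently signs assertions before choosing.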
Steps to Configure OIDC SSO in Notion
- Open Security & SSO settings
Navigate to Settings & Members > Settings > Security & SSO.
- Select OIDC provider
Click Configure SSO and choose OpenID Connect from the dropdown.
- Enter OIDC details
Paste the Client ID, Client Secret, and well-known configuration URL from your identity provider. Notion fetches the authorization endpoint, token endpoint, and userinfo endpoint from that discovery document automatically, so the URL you paste must be the provider's own /.well-known/openid-configuration URL. Treat the client secret like any other credential: it should exist only in the IdP and in Notion, and it should be rotated if it is ever exposed.
- Map email attribute
Enter the claim name that contains the user email, typically email or upn.
- Test and save
Click Test SSO Connection. After a successful test, click Save. Enforce SSO if needed, with the same precaution as for SAML: make sure a workspace owner can sign in through SSO before you enforce it.
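Because Notion takes its endpoints from the discovery document, a wrong or misconfigured well-known URL only shows up as a failed test. The script below is an added example, not Notion's code, for checking a discovery document before you paste the URL: it verifies the issuer rule from OIDC Discovery (the issuer must equal the well-known URL minus the /.well-known/openid-configuration suffix), that every endpoint Notion needs is present and served over https, that the authorization code flow is advertised, and that the email claim you intend to map is one the provider says it supports. The discovery document and well-known URL are constructed for the example.

```python
"""Offline sanity check of an OIDC discovery document before pasting its
well-known URL into Notion. Added example; the document is constructed."""
import json
from urllib.parse import urlsplit

WELL_KNOWN_SUFFIX = "/.well-known/openid-configuration"
# Endpoints Notion resolves from the document (plus jwks_uri for token signature checks).
REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint",
                      "userinfo_endpoint", "jwks_uri")

# Constructed sample: what a provider would return at the well-known URL.
SAMPLE_WELL_KNOWN_URL = "https://login.example.com/.well-known/openid-configuration"
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://login.example.com",
    "authorization_endpoint": "https://login.example.com/oauth2/authorize",
    "token_endpoint": "https://login.example.com/oauth2/token",
    "userinfo_endpoint": "https://login.example.com/oauth2/userinfo",
    "jwks_uri": "https://login.example.com/oauth2/keys",
    "response_types_supported": ["code", "id_token"],
    "scopes_supported": ["openid", "profile", "email"],
    "claims_supported": ["sub", "email", "name"],
})


def check_discovery(well_known_url, discovery_json, email_claim="email"):
    """Return a list of problems; an empty list means the document looks usable."""
    problems = []
    doc = json.loads(discovery_json)

    # OIDC Discovery 4.3: issuer must be identical to the config URL minus the suffix.
    if not well_known_url.endswith(WELL_KNOWN_SUFFIX):
        problems.append("well-known URL does not end with " + WELL_KNOWN_SUFFIX)
    else:
        expected_issuer = well_known_url[: -len(WELL_KNOWN_SUFFIX)]
        if doc.get("issuer") != expected_issuer:
            problems.append(f"issuer {doc.get('issuer')!r} does not match {expected_issuer!r}")

    for key in REQUIRED_ENDPOINTS:
        url = doc.get(key)
        if not url:
            problems.append(f"missing {key}")
        elif urlsplit(url).scheme != "https":
            problems.append(f"{key} is not https: {url}")

    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow (response_type=code) not advertised")

    # scopes_supported and claims_supported are optional in the spec,
    # so they are only checked when the provider publishes them.
    scopes = doc.get("scopes_supported")
    if scopes is not None and "email" not in scopes:
        problems.append("email scope not advertised")
    claims = doc.get("claims_supported")
    if claims is not None and email_claim not in claims:
        problems.append(f"claim {email_claim!r} not advertised; check the Email Attribute field")
    return problems


if __name__ == "__main__":
    print(check_discovery(SAMPLE_WELL_KNOWN_URL, SAMPLE_DISCOVERY) or "discovery document OK")
```

Fetch the real document with the well-known URL you plan to paste and pass both to check_discovery; an issuer mismatch usually means a tenant- or region-specific URL was pasted in place of the generic one, and a missing email claim means the Email Attribute field needs a different claim name.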
Common SSO Setup Mistakes and How to Avoid Them
Users Cannot Log In After SSO Is Enforced
This usually happens when the email attribute your IdP sends does not match the email already stored on the Notion member. The usual culprits are letter case (Alice.Nguyen@ versus alice.nguyen@), trailing whitespace, and alias or secondary domains (user@corp.example versus user@mail.corp.example). Compare the two lists before you enforce SSO, and fix mismatches in the IdP mapping rather than asking users to change their Notion email. With Just-in-Time provisioning enabled, a mismatch typically produces no error at all: the user authenticates and Notion creates a second, empty member under the IdP's address, so the address the IdP asserts must be identical to the one on the existing member.
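The comparison is worth doing mechanically before Enforce SSO is switched on. The script below is an added example, not Notion's code: given the primary emails of current Notion members and the email attribute the IdP will assert for each assigned user (both lists constructed here; in practice export them from Notion and from the IdP application's assignments), it normalizes both sides and reports which members match exactly, which match only after normalization (and so depend on how strictly each side compares), which members have no IdP account asserting their address and would be locked out, and which IdP users would be created as brand-new members by Just-in-Time provisioning.

```python
"""Pre-enforcement reconciliation of Notion member emails against the
addresses the IdP will assert. Added example; both lists are constructed."""
import unicodedata

# Constructed: primary emails of current Notion workspace members.
NOTION_MEMBERS = [
    "Alice.Nguyen@corp.example",
    "bob@corp.example",
    "carol@corp.example ",
    "dave@mail.corp.example",
]
# Constructed: the email attribute the IdP sends for each user assigned to the Notion app.
IDP_USERS = [
    "alice.nguyen@corp.example",
    "bob@corp.example",
    "carol@corp.example",
    "dave@corp.example",
    "erin@corp.example",
]


def normalize(email):
    """Canonical form for comparison: Unicode NFKC, trimmed, lowercased."""
    return unicodedata.normalize("NFKC", email).strip().lower()


def reconcile(notion_members, idp_users):
    """Classify every address so the two directories can be aligned before SSO is enforced.

    exact      - same string on both sides; will log in as the existing member
    fuzzy      - equal only after normalization; fix the IdP value so it is exact
    locked_out - Notion member with no IdP account asserting that address
    jit_new    - IdP user with no Notion member; JIT would create a fresh member
    """
    notion = {normalize(e): e for e in notion_members}
    idp = {normalize(e): e for e in idp_users}
    report = {"exact": [], "fuzzy": [], "locked_out": [], "jit_new": []}
    for key, raw in notion.items():
        if key not in idp:
            report["locked_out"].append(raw)
        elif idp[key] == raw:
            report["exact"].append(raw)
        else:
            report["fuzzy"].append((raw, idp[key]))
    for key, raw in idp.items():
        if key not in notion:
            report["jit_new"].append(raw)
    return report


if __name__ == "__main__":
    for category, entries in reconcile(NOTION_MEMBERS, IDP_USERS).items():
        print(f"{category} ({len(entries)}):")
        for entry in entries:
            print("   ", entry)
```

A member that appears under locked_out while a similar address appears under jit_new (dave in the sample, on an alias domain) is the classic case of a user ending up with two Notion accounts: correct the IdP attribute or the Notion member's email before enforcing, not after.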
SSO Test Fails with Certificate Error
The X.509 certificate must be in PEM format and include the BEGIN CERTIFICATE and END CERTIFICATE lines. Copy the entire certificate block from your IdP. Some IdPs provide the certificate as bare base64 without the header and footer lines; add the PEM headers manually and keep the base64 body intact (wrapping at 64 characters is fine, stray spaces or a truncated last line are not). Also confirm that you copied the current signing certificate rather than an encryption certificate or an expired one: openssl x509 -in idp.pem -noout -subject -enddate shows the subject and expiry of what you pasted. IdPs rotate signing certificates, and SSO stops working when they do until the new certificate is entered in Notion, so note the expiry date and plan the update.
SCIM Provisioning Does Not Sync User Groups
SSO alone does not sync group membership. SCIM provisioning is a separate feature (on Notion it requires the Enterprise plan): enable it in Notion and configure the SCIM endpoint in your IdP. SCIM authenticates with a bearer token generated in Notion under Security & SSO > SCIM. Treat that token as a credential, because anyone holding it can create, modify, and deactivate workspace members through the SCIM API: store it only in the IdP's provisioning configuration and rotate it if it is ever exposed. After SCIM is active, group membership is synced automatically.
Users See a Blank Page After IdP Login
This usually indicates a redirect URI mismatch: the IdP sent the user back to a URL that Notion does not recognize. In your IdP, set the redirect URI to https://www.notion.so/sso/saml or https://www.notion.so/sso/oidc depending on the protocol. The value must match exactly, including scheme, host, path, and the absence of a trailing slash. For OIDC in particular, the redirect URI registered in the IdP application must be identical to the one Notion sends in the authorization request, since an IdP rejects requests whose redirect URI is not registered.
Notion SSO Protocols: SAML 2.0 vs OIDC Compared
| Item | SAML 2.0 | OIDC |
|---|---|---|
| Protocol type | XML-based assertion | JSON-based token |
| IdP requirements | SSO URL, entity ID, X.509 certificate | Client ID, client secret, well-known URL |
| Session management | IdP-initiated logout supported | RP-initiated logout via end session endpoint |
| Just-in-Time provisioning | Supported | Supported |
| SCIM compatibility | Works with SCIM v2 | Works with SCIM v2 |
| Best for | Enterprise IdPs like Okta, Azure AD | Cloud-native IdPs like Google Workspace |
After SSO is active, you can enable SCIM provisioning under Security & SSO > SCIM; SCIM automates user onboarding and offboarding. You can also set a session timeout duration on the same settings page. Test the full flow with a test account that is not a workspace owner, signing in from a private browser window: if the member is created automatically and can open the workspace, login works. Then test offboarding as well, by unassigning the Notion application from that account in the IdP and confirming that the next sign-in is refused and, if SCIM is enabled, that the member is deactivated in Notion.