SAML SSO Setup

Last updated: May 12, 2026

Prerequisites

To set up SSO on SpotDraft, you need:

  • A SpotDraft account with Admin access.

  • An account with your chosen Identity Provider (IdP) that supports SAML 2.0.

Setting up SAML 2.0 SSO on SpotDraft

Step 1:

Login to SpotDraft and navigate to the Settings → Security and Identity.

Step 2:

Select the SAML SSO card under the ‘Authentication’ tab.

Step 3:

Based on the IdP used, you can use either of the following options:

  • Copy the Sign-on URL and Audience URL present on the screen

  • Download the SP Metadata file from the IdP configuration section

These values will be used in subsequent steps.

Configuring your Identity Provider (IdP)

The configuration process may differ for IdPs. Here's a general outline:

  1. Log in to your IdP's admin portal.

  2. Set up a new SAML application using the following information:

    • Sign-On URL (generated in Step 3 above)

    • Audience URL (generated in Step 3 above)

    • Name ID Format (default value will be ‘EmailAddress’)

    • Application Username (default value will be ‘Email’)

Use these detailed setup documents for popular IdPs supported by SpotDraft:

👉🏻 Azure SSO

👉🏻 Okta

👉🏻 OneLogin

💡 If your IdP is not listed above, contact their Support team for the next steps.

Complete the configuration on SpotDraft

Based on the IdP used, you can use either of the following options:

  • Copy the Single Sign-on URL, Logout URL, IdP Entity Id and IdP Certificate values from the IdP and paste in the relevant fields on SpotDraft.

  • Download the Metadata file from your IdP and upload it to the ‘SP Configuration’ section

  • Click on Save and enable

Testing your SSO integration

Once SSO is configured, it's essential to test the integration to ensure everything is working as expected. Perform the following tests:

  1. For IdP-initiated login: Log in using SSO from your IdP dashboard.

  2. For SP-initiated login: Go to SpotDraft’s login page and click on ‘Sign In With SSO’ Enter your email address and click on ‘Sign In’.

FAQs

Q: What is the SSO URL?

A: The SSO URL is the Single Sign-On URL where the SAML assertion is sent by the IdP to authenticate the user.

Q: What is the SLO URL?

A: The SLO URL is the Single Logout URL where the SAML LogoutRequest is sent to initiate a user's single logout.

Q: Can OAuth and SAML work simultaneously?

A: Yes, it can. But you can also choose not to. Contact SpotDraft support to know more.

Q: Can we make a few users log in via SAML and a few users log in via username and password?

A: No, this is not possible.

Q: Can we connect more than one SAML SSO application?

A: No.

Q: Is there any SSO SAML provider that SpotDraft doesn't support?

A: SpotDraft supports most SAML 2.0 compliant IdPs. If you encounter issues with any providers listed in the document above, please contact SpotDraft support.

Q: How do users log in to SpotDraft using SAML SSO?

A: Users can log in to SpotDraft using SAML SSO by entering their email address in the login screen and leaving the password field empty. They will be redirected to sign in via their IdP.

Troubleshooting SSO Login Issues

If users encounter SSO login errors after configuration, verify the following:

User Provisioning

Ensure the user is provisioned correctly in your IdP. The email address under which the user is provisioned in your IdP must match their account email on SpotDraft.

Okta-Specific: Cluster ID Case Sensitivity

If using Okta, verify that the Cluster ID is set to lowercase (e.g., ‘us’ instead of ‘US’). To update this setting:

  1. Navigate to Okta > Sign-On tab > Advanced Sign-On Settings

  2. Set the Cluster ID to lowercase (e.g., ‘us’)

Google SSO-Specific: Cluster ID and Workspace ID Configuration

If using Google SSO and encountering an ‘app is not configured for user’ error after adding the metadata XML, verify that the cluster ID and workspace ID values are correctly configured in your SSO settings. Incorrect cluster ID or workspace ID values can cause authentication failures.

Note: After enabling SAML SSO, the username/password login option remains available by default. Users who created credentials before SSO was enabled can continue using them. To enforce SSO-only authentication, contact SpotDraft support to disable the username/password login option.

For IdP-initiated login: Log in using SSO from your IdP dashboard.

For SP-initiated login: Go to SpotDraft’s login page and click on ‘Sign In With SSO’ Enter your email address and click on ‘Sign In’.