Zenovay
Scale Plan30 minutesadvanced

SAML 2.0 SSO Configuration

Set up SAML single sign-on for Zenovay - integrate with Okta, Microsoft Entra ID, OneLogin, Google Workspace, and other identity providers.

samlssoauthenticationoktaentra-id
Last updated: February 6, 2026
Scale Plan

Configure SAML 2.0 single sign-on to allow your team to access Zenovay using your organization's identity provider.

Supported Identity Providers

ProviderStatus
OktaFully Supported
Microsoft Entra ID (Azure AD)Fully Supported
OneLoginFully Supported
Google WorkspaceFully Supported
Ping IdentityFully Supported
ADFSFully Supported
Custom SAML 2.0Supported

Prerequisites

Before starting:

  • Scale or Enterprise plan activated
  • Admin access to your identity provider
  • Owner or Admin access to Zenovay
  • Your organization's email domain verified

Zenovay SAML Information

Service Provider Details

You will need these values when configuring the SAML application in your identity provider:

SettingValue
SP Entity ID / Audience URIhttps://auth.zenovay.com
ACS URL (Assertion Consumer Service)https://auth.zenovay.com/api/sso/saml/callback
NameID Formaturn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
BindingHTTP-POST

The SP Entity ID must be exactly https://auth.zenovay.com — do not add a trailing slash or path. The ACS URL must include the full path.

Getting Your Values

  1. Go to SettingsAuthenticationSSO
  2. Click Add SSO Provider
  3. Select SAML 2.0
  4. The Zenovay SP values are listed above — copy them into your IdP

Okta Configuration

Step 1: Create Okta Application

  1. Log in to Okta Admin Console
  2. Go to ApplicationsApplications
  3. Click Create App Integration
  4. Select SAML 2.0
  5. Click Next

Step 2: Configure SAML Settings

General Settings:

  • App name: Zenovay
  • App logo: Upload Zenovay logo (optional)

SAML Settings:

Okta FieldValue
Single sign-on URLhttps://auth.zenovay.com/api/sso/saml/callback
Audience URI (SP Entity ID)https://auth.zenovay.com
Name ID formatEmailAddress
Application usernameEmail

Step 3: Attribute Statements

Add these attribute mappings:

NameValue
emailuser.email
firstNameuser.firstName
lastNameuser.lastName

Step 4: Get IdP Values

  1. Go to the Sign On tab
  2. Click View SAML setup instructions or Identity Provider metadata
  3. Note the following:
    • IdP Entity ID (Issuer)
    • IdP SSO URL (Login URL)
  4. Download the X.509 Certificate

Step 5: Complete in Zenovay

  1. Go to SettingsAuthenticationSSO
  2. Click Add SSO Provider and select SAML 2.0
  3. Enter:
    • Name: e.g., "Okta"
    • Entity ID: the IdP Entity ID from Step 4
    • SSO URL: the IdP SSO URL from Step 4
    • Certificate: paste the full X.509 certificate
  4. Click Save
  5. Add and verify your email domain
  6. Test the connection

Microsoft Entra ID Configuration

Step 1: Create Enterprise Application

  1. Sign in to the Microsoft Entra admin center
  2. Go to IdentityApplicationsEnterprise applications
  3. Click New application
  4. Click Create your own application
  5. Name: Zenovay
  6. Select Integrate any other application you don't find in the gallery

Step 2: Set Up Single Sign-On

  1. Click Single sign-on in the sidebar
  2. Select SAML
  3. Edit Basic SAML Configuration:
Entra ID FieldValue
Identifier (Entity ID)https://auth.zenovay.com
Reply URL (ACS URL)https://auth.zenovay.com/api/sso/saml/callback

Step 3: Configure Attributes

Edit Attributes & Claims:

Claim NameSource Attribute
emailaddressuser.mail
givennameuser.givenname
surnameuser.surname

Ensure the NameID claim format is set to Email address.

Step 4: Download Certificate and Get IdP Values

  1. Scroll to SAML Signing Certificate and download Certificate (Base64)
  2. In the Set up Zenovay section, copy:
    • Microsoft Entra Identifier — this is your IdP Entity ID
    • Login URL — this is your SSO URL

Step 5: Assign Users

  1. Go to Users and groups
  2. Add users or groups
  3. Save assignments

Step 6: Complete in Zenovay

  1. Go to SettingsAuthenticationSSO
  2. Click Add SSO Provider and select SAML 2.0
  3. Enter:
    • Name: e.g., "Microsoft Entra ID"
    • Entity ID: the Microsoft Entra Identifier from Step 4
    • SSO URL: the Login URL from Step 4
    • Certificate: paste the contents of the downloaded Base64 certificate
  4. Click Save
  5. Add and verify your email domain
  6. Test the connection

Google Workspace Configuration

Step 1: Add Custom SAML App

  1. Go to Google Admin Console
  2. Go to AppsWeb and mobile apps
  3. Click Add AppAdd custom SAML app

Step 2: Enter Details

App details:

  • App name: Zenovay
  • Description: Analytics platform
  • App icon: Upload (optional)

Step 3: Download IdP Metadata

  1. Copy or download the SSO URL and Entity ID
  2. Download the Certificate
  3. Click Continue

Step 4: Service Provider Details

Google Admin FieldValue
ACS URLhttps://auth.zenovay.com/api/sso/saml/callback
Entity IDhttps://auth.zenovay.com
Name ID formatEMAIL
Name IDBasic Information > Primary email

Step 5: Attribute Mapping

Google DirectoryApp Attribute
Primary emailemail
First namefirstName
Last namelastName

Step 6: Enable for Users

  1. Click on the app
  2. Go to User access section
  3. Turn ON for your organization or specific organizational units

Changes may take up to 24 hours to propagate in Google Workspace.

Step 7: Complete in Zenovay

  1. Go to SettingsAuthenticationSSO
  2. Click Add SSO Provider and select SAML 2.0
  3. Enter the IdP Entity ID, SSO URL, and Certificate from Step 3
  4. Click Save
  5. Add and verify your email domain
  6. Test the connection

OneLogin Configuration

Step 1: Add Application

  1. Go to OneLogin Admin
  2. Go to ApplicationsAdd App
  3. Search SAML Custom Connector (Advanced)
  4. Add

Step 2: Configuration Tab

OneLogin FieldValue
Audience (EntityID)https://auth.zenovay.com
Recipienthttps://auth.zenovay.com/api/sso/saml/callback
ACS (Consumer) URLhttps://auth.zenovay.com/api/sso/saml/callback

Step 3: Parameters

Add parameters:

FieldValue
emailEmail
firstNameFirst Name
lastNameLast Name

Step 4: SSO Tab

Note the following values:

  • SAML 2.0 Endpoint (HTTP)
  • Issuer URL
  • Download the X.509 Certificate

Step 5: Complete in Zenovay

  1. Go to SettingsAuthenticationSSO
  2. Click Add SSO Provider and select SAML 2.0
  3. Enter the IdP values from Step 4
  4. Click Save
  5. Add and verify your email domain

Completing Setup in Zenovay

Add SSO Provider

  1. Go to SettingsAuthenticationSSO
  2. Click Add SSO Provider
  3. Select SAML 2.0
  4. Enter the following values from your identity provider:
FieldDescription
NameA friendly name for this provider (e.g., "Corporate Okta")
Entity IDThe IdP Entity ID / Issuer from your identity provider
SSO URLThe IdP Login URL / SSO Endpoint
CertificateThe X.509 signing certificate (paste full PEM including BEGIN/END lines)
  1. Click Save

Verify Domain

After saving, add and verify your email domain:

  1. Click Add Domain
  2. Enter your email domain (e.g., company.com)
  3. Follow the DNS verification steps
  4. Once verified, users with that domain will be directed to SSO

Test Connection

  1. Open an incognito/private browser window
  2. Go to auth.zenovay.com
  3. Enter an email from your verified domain
  4. Authenticate with your IdP
  5. Verify successful return to the Zenovay dashboard

Enable SSO

After successful test:

  1. Toggle Enforce SSO to on
  2. Choose enforcement level:
    • Optional: users can choose SSO or password login
    • Required: all users must use SSO
  3. Save

Before enforcing SSO, ensure at least one Owner account can still sign in via email/password as a backup in case of an IdP outage.

User Provisioning

Just-In-Time (JIT) Provisioning

New users are automatically created on first SSO login:

  • Automatic account creation
  • Default role assigned (Viewer)
  • No invitation needed

Troubleshooting

Common Issues

IssueSolution
"Signature verification failed"Re-download the IdP certificate and update it in Zenovay
"Digest mismatch"Ensure the correct signing certificate is configured
"User not found"The user's email must match the verified domain
"ACS URL mismatch"Ensure ACS URL is exactly https://auth.zenovay.com/api/sso/saml/callback
"Entity ID mismatch"Ensure Entity ID is exactly https://auth.zenovay.com
"NameID not found"Set NameID format to EmailAddress in your IdP

Certificate Expiration

IdP certificates expire — plan ahead:

  1. Monitor expiration dates in your IdP
  2. Download the new certificate before expiration
  3. Edit the SSO provider in Zenovay and replace the certificate
  4. Test the connection with the new certificate

Security Best Practices

Certificate Management

  • Monitor expiration dates
  • Use SHA-256 signing
  • Update certificates before they expire

Attribute Security

  • Only request needed attributes
  • Verify attribute mappings
  • Monitor for changes

Access Control

  • Assign specific users/groups in your IdP
  • Review access regularly
  • Use conditional access policies

Next Steps

Related articles

Agency Dashboard Setup

Set up Zenovay for agencies - manage multiple clients, white-label dashboards, and aggregate reporting.

Custom Branding & White-Label

White-label Zenovay with your brand - custom domains, logos, colors, and complete brand removal.

Custom Password Policies

Configure custom password requirements for your Zenovay organization - complexity rules, expiration, and history.

Was this article helpful?