To use SAML single sign-on (SSO) for authentication to DX, you must configure both your external SAML identity provider (IdP) and your DX workspace.

In a SAML configuration, DX functions as a SAML service provider (SP). You can find the SAML implementation details for your IdP in the IdP's documentation.

Microsoft Active Directory Federation Services (AD FS) <a href="https://docs.microsoft.com/windows-server/identity/active-directory-federation-services" rel="nofollow noopener noreferrer" target="_blank">SAML</a>

Microsoft Entra ID (previously known as Azure AD) <a href="https://docs.microsoft.com/azure/active-directory/active-directory-saas-github-tutorial" rel="nofollow noopener noreferrer" target="_blank">SAML</a>

Okta <a href="https://saml-doc.okta.com/SAML_Docs/How-to-Configure-SAML-2.0-for-Github-com.html" rel="nofollow noopener noreferrer" target="_blank">SAML</a>

OneLogin <a href="https://onelogin.service-now.com/support?id=kb_article&amp;sys_id=2929ddcfdbdc5700d5505eea4b9619c6" rel="nofollow noopener noreferrer" target="_blank">SAML</a>

PingOne <a href="https://support.pingidentity.com/s/marketplace-integration/a7i1W0000004ID3QAM/github-connector" rel="nofollow noopener noreferrer" target="_blank">SAML</a>

Shibboleth <a href="https://shibboleth.atlassian.net/wiki/spaces/IDP4/overview" rel="nofollow noopener noreferrer" target="_blank">SAML</a>

- Microsoft Active Directory Federation Services (AD FS) <a href="https://docs.microsoft.com/windows-server/identity/active-directory-federation-services" rel="nofollow noopener noreferrer" target="_blank">SAML</a>
- Microsoft Entra ID (previously known as Azure AD) <a href="https://docs.microsoft.com/azure/active-directory/active-directory-saas-github-tutorial" rel="nofollow noopener noreferrer" target="_blank">SAML</a>
- Okta <a href="https://saml-doc.okta.com/SAML_Docs/How-to-Configure-SAML-2.0-for-Github-com.html" rel="nofollow noopener noreferrer" target="_blank">SAML</a>
- OneLogin <a href="https://onelogin.service-now.com/support?id=kb_article&amp;sys_id=2929ddcfdbdc5700d5505eea4b9619c6" rel="nofollow noopener noreferrer" target="_blank">SAML</a>
- PingOne <a href="https://support.pingidentity.com/s/marketplace-integration/a7i1W0000004ID3QAM/github-connector" rel="nofollow noopener noreferrer" target="_blank">SAML</a>
- Shibboleth <a href="https://shibboleth.atlassian.net/wiki/spaces/IDP4/overview" rel="nofollow noopener noreferrer" target="_blank">SAML</a>

To enable SAML SSO, configure the Single-sign on URL and Audience URI—which you can access in the <a href="https://app.getdx.com/admin/sso" rel="nofollow noopener noreferrer" target="_blank">SAML SSO settings page</a>—in your IdP, then enter the metadata URI from your IdP in DX.

Below is a detailed description of these three values:

The <code>nameID</code> should be an <code>emailAddress</code> (<code>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</code>) and must contain an email address that matches what is in DX. If you need an email address to match based solely on the part of the email preceding <code>@</code> with a set of allowlisted domains, please contact DX support.

You can enable SAML SSO in your organization without requiring all members to use it. Enabling but not requiring SAML SSO in your organization can help smooth adoption. When SAML SSO is enforced, all other methods of authentication (e.g., passwordless email, Slack OpenID) are disabled.

Value	Other names	Description	Example
ACS URL	Single-sign on URL	The the location an Identity Provider redirects its authentication response to.	`https://app.getdx.com/saml/acs/alazsZt7oh8xRbqK3nx0iwn5Xo41Lm`
SP Entity ID	Audience URI, SP URL, audience restriction	Used to identify the issuer of a SAML request and the audience of a SAML response	`https://app.getdx.com/saml/sp/GvlKAGFgllQ14qP6amC1Duf6JOxr1T`
Metadata URI	IdP Metadata URI	URL where IdP publishes SAML metadata	`https://app.onelogin.com/saml/metadata/a592596a-cfdb-3758-88d7-80b36a817128`

Enabling SAML SSO

NameID

Requiring SAML SSO