Setup Single Sign-On (SSO) with SAML


SendSafely supports Single Sign On (SSO) using the SAML2 authentication standard. SSO support is included in all Enterprise plans. This article will walk you through the basics of how to set up and configure SSO for your SendSafely Enterprise Portal.


Step 1 - SAML Provider Configuration

Okta and OneLogin

SendSafely is listed in the application catalogs for both Okta and OneLogin. To set up SSO using these two providers, simply find SendSafely within the application directory and then you will be guided through the setup process. Once completed, proceed to step #2 below.

Other SAML Providers

The following configuration parameters can be used to configure SendSafely SSO with any product that uses SAML.

The [SENDSAFELY_URL] required below is the URL for your SendSafely Portal, and is typically in the format of or If you do not know your SendSafely portal URL you can contact

  • Domain and URLs:
    • Identifier: https://[SENDSAFELY_URL]/auth/saml2/
    • Reply URL: https://[SENDSAFELY_URL]/auth/saml2/
    • Sign-on URL: https://[SENDSAFELY_URL]/auth/saml2/
    • Relay State: https://[SENDSAFELY_URL]/auth/saml2/
  • User Attributes
    • User Identifier:
  • Signing Settings
    • Sign SAML response AND assertion

Note that we require the entire SAML response AND message to be signed and not just the assertions, which is a frequently overlooked configuration option.  

Step 2 - SendSafely Configuration

After everything is set up with your SAML provider, you'll need to enable SSO within SendSafely. You must have administrative privileges in your SendSafely portal in order to complete this step.

  • Sign into your SendSafely web portal and navigate to the Enterprise Console (Account Menu -> Enterprise Console)
  • Scroll down to the Authentication Providers section and Enable SAML Single Sign-on
  • Enter the public key certificate
  • Enter the Sign-in and Sign-Out URLs that will be used to redirect users


Once saved, you will see a  "Login using Single Sign-on" button on the portal login page:


Test the SSO login flow and confirm that you are able to authenticate successfully both from the SendSafely login page, and from the Identity Provider.  Once SSO is verified to be working, you may enforce SAML SSO login by submitting a request to to disable all other login mechanisms. For security and identity verification purposes, the request must be made by your organization’s SendSafely administrator and submitted as a SendSafely secure package from the administrator’s SendSafely account. (Administrators should log in to their SendSafely account, click the "Send" link, type a secure message with the request for disabling other login providers, and add as a recipient.)

For questions, please contact

Have more questions? Submit a request