Skip to main content

SAML Single Sign-On (SSO)

Linkinize supports SAML 2.0 SSO for company logins. Configuration is domain-based: when a user enters their email, Linkinize selects the SSO configuration by the email domain (for example, @company.com).

How it works

  • You (an org admin) verify ownership of your email domain in Linkinize.
  • You configure your IdP (Okta, Entra ID/Azure AD, Google Workspace, etc.) to send SAML assertions to Linkinize.
  • You provide your IdP metadata URL to Linkinize.
  • Users sign in via Company Account Login - SAML and authenticate with your IdP.

After a successful SAML login, Linkinize:

  • Creates the user if they do not exist yet
  • Adds them to your organization (if they are not already a member)
  • Optionally auto-joins them to selected workspaces

Important behavior:

  • If a user was manually deactivated in your organization, SAML login will not re-grant access automatically.

Prerequisites

  • Your organization has SAML support enabled on its plan.
  • You are an organization admin.
  • You have access to your IdP admin console.

Step 1: Verify your domain in Linkinize

In Linkinize:

  1. Open your Organization.
  2. Go to SAML Single Sign-On (SSO).
  3. Click Add Domain and enter your email domain (for example, company.com).
  4. Verify ownership using one of the supported methods:
    • DNS TXT record
    • TXT file at https://company.com/linkinize-domain-verification.txt

Step 2: Configure your IdP (service provider settings)

For each verified domain, Linkinize provides an Assertion Consumer Service (ACS) URL. This is where your IdP posts the SAML Response.

In the Linkinize domain configuration screen you will see:

  • Assertion Consumer Service (ACS): a URL like https://app.linkinize.com/sso/saml/acs/<domain_id>

Use these values in your IdP application:

  • ACS URL (a.k.a. Reply URL / Single sign-on URL): the Linkinize ACS URL for that domain
  • Entity ID (a.k.a. Audience URI / SP Entity ID): linkinize.com/<domain_id>
  • NameID format: email address (recommended)
  • Binding: HTTP-POST

If your IdP asks for SP metadata, Linkinize exposes it at:

https://app.linkinize.com/sso/saml/metadata/<domain_id>

Step 3: Add IdP metadata to Linkinize

In Linkinize -> domain Configure:

  1. Paste your IdP metadata URL (an XML metadata endpoint from your IdP).
  2. (Optional) Configure auto-join:
    • Select workspaces users should join after SAML login
    • Select the permission level assigned in those workspaces
  3. Save.

User login flow

  1. User goes to the Linkinize login page.
  2. Clicks Company Account Login - SAML.
  3. Enters their email (must match a verified configured domain).
  4. Linkinize redirects to your IdP.
  5. IdP authenticates the user and POSTs the SAML Response to the ACS URL.
  6. Linkinize logs the user in.

Attribute expectations

Your IdP must provide an email address so Linkinize can identify the user.

Recommended:

  • Email in NameID or a standard email attribute
  • First/last name attributes (optional)

If the SAML Response does not contain the required fields, Linkinize rejects the login.

Troubleshooting

  • "Company not found": the user email domain is not added+verified, or SAML metadata is not configured for that domain.
  • "SSO Login failed due to a misconfiguration": IdP metadata URL is invalid/unreachable, the IdP app is pointing at the wrong ACS URL, or the IdP is not signing/encrypting in a compatible way.
  • User can authenticate but still has no access: the user was deactivated at the organization level (SAML does not automatically re-activate deactivated memberships).