Enterprise organizations can use SAML to connect with their identity provider, such as Okta or Microsoft Entra ID.
SAML SSO allows organizations to integrate Pivot with their identity provider (IdP), enabling members to log in with their company credentials. This simplifies authentication, improves security, and ensures centralized access management.
Admins can configure SAML in the Domains and Security settings by entering IdP details and verifying the connection. Once SSO is enabled, all members must log in through SSO unless otherwise specified.
Pivot supports two SAML sign-on flows:
- SP-initiated (Service Provider initiated): The user starts from Pivot’s login page, enters their email, and is redirected to their IdP to authenticate. This is the default flow and requires no additional configuration beyond the basic SAML setup.
- IDP-initiated (Identity Provider initiated): The user starts from their IdP portal (e.g., Microsoft My Apps or the Okta dashboard) and clicks the Pivot app tile. The IdP sends a SAML response directly to Pivot, and the user is logged in without visiting Pivot’s login page first.
To enable IDP-initiated SSO, you need to configure your IdP with the IDP-initiated SSO URL. You can find this URL in Pivot’s domain settings after enabling SAML for a domain.
Before you begin, have the following details from your IdP ready; they are entered in Pivot’s SAML settings:
- Metadata URL: The URL provided by your IdP that contains the SAML metadata.
- Signing Certificate: The signing certificate used by the IdP to sign SAML assertions.
- Entity ID: The unique identifier for your service in the SAML configuration.
1. Log in to Pivot and navigate to your organization’s Domains and Security settings.
2. Click the settings icon next to the domain you want to configure SAML for.
3. Check Enable SAML to reveal the SAML configuration fields.
4. Enter the SAML Metadata URL provided by your IdP. Example: https://idp.example.com/metadata.xml
5. Paste the IdP’s signing certificate into the Signing Certificate field. Ensure the certificate begins with -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE-----.
6. Enter the Entity ID that uniquely identifies your SAML service. Example: https://pivot.app
7. Optionally check Require SAML to enforce SSO for all users with email addresses on this domain.
8. Optionally check Enable just-in-time (JIT) provisioning to automatically create Pivot accounts for users who sign in via SAML for the first time.
9. After enabling SAML, the SAML Reply URL (ACS) is displayed at the bottom of the SAML settings. This URL is used as the Reply URL / ACS URL in your IdP configuration for both SP-initiated and IDP-initiated sign-on. Click the copy button to copy the URL; you will paste it into your IdP’s configuration (see the IdP-specific instructions below).
10. Click Save changes to apply the configuration.
11. Test the configuration by logging in through your Identity Provider. If you configured IDP-initiated SSO, also test by clicking the Pivot app tile in your IdP portal.
In the Azure portal, go to Enterprise Applications > New application.
Select Create your own application, give it a name (e.g., “Pivot”), and select Integrate any other application you don’t find in the gallery (Non-gallery).
After creating the application, go to Manage > Single sign-on and select SAML.
- Identifier (Entity ID): Enter your Entity ID. Example: if the application ID is 3f218b53-d33c-4dbe-ada7-51a0db5ba71e, use spn:3f218b53-d33c-4dbe-ada7-51a0db5ba71e, or use a custom value like https://pivot.app.
- Reply URL (Assertion Consumer Service URL): Paste the SAML Reply URL (ACS) from Pivot’s domain settings (e.g., ). This single URL is used for both SP-initiated and IDP-initiated sign-on.
- Sign on URL: Leave this field empty. If a Sign on URL is set, clicking the app tile in My Apps will redirect to that URL instead of performing IDP-initiated sign-on.
- Relay State: Leave empty.
Ensure the following attributes are included in the SAML response:
- http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname — mapped to user.givenname
- http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname — mapped to user.surname
- http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress — mapped to user.mail or user.userprincipalname
- Signing Certificate: Under SAML Certificates, download the certificate in Base64 format. Open the downloaded file and paste its contents into the Signing Certificate field in Pivot’s domain settings.
- SAML Metadata URL: Copy the App Federation Metadata Url from the SAML Certificates section and paste it into Pivot’s SAML Metadata URL field.
- Entity ID: Enter the same Entity ID you configured in Azure.
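The Reply URL, Entity ID and attribute settings above are what the service provider checks on every incoming SAML response, and in the IDP-initiated flow that response arrives with no prior request to match it against. The following added example (not Pivot’s code, nor Microsoft’s) shows those SP-side checks over a constructed response: Destination and Recipient must equal the ACS URL, the Audience must contain the Entity ID, the Issuer must be the expected IdP, the validity window must contain the current time, and the three claim URIs listed above must be present. The ACS URL https://pivot.example/saml/acs, the IdP entity ID and the user values are placeholders. The ds:Signature element is omitted from the sample: in a real SP, signature verification against the IdP’s signing certificate (via an XML-DSig library such as xmlsec or python3-saml) runs before any of these checks.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
REQUIRED_CLAIMS = (CLAIMS + "givenname", CLAIMS + "surname", CLAIMS + "emailaddress")

# Constructed sample response. URLs and user values are placeholders; the
# ds:Signature element is omitted (signature verification happens first).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
  IssueInstant="2024-01-01T12:00:00Z" Destination="https://pivot.example/saml/acs">
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://pivot.example/saml/acs"
          NotOnOrAfter="2024-01-01T12:05:00Z"/></saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://pivot.app</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


@dataclass
class Result:
    problems: list = field(default_factory=list)   # empty means the response passed
    attributes: dict = field(default_factory=dict)  # claim URI -> first value

    @property
    def ok(self) -> bool:
        return not self.problems


def saml_time(value: str) -> datetime:
    """Parse the UTC timestamp form SAML uses (YYYY-MM-DDThh:mm:ssZ)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def in_window(now: datetime, not_before, not_on_or_after) -> bool:
    """NotBefore is inclusive, NotOnOrAfter exclusive; either may be absent."""
    if not_before and now < saml_time(not_before):
        return False
    if not_on_or_after and now >= saml_time(not_on_or_after):
        return False
    return True


def check_response(xml_text: str, acs_url: str, entity_id: str,
                   idp_entity_id: str, now_utc: str) -> Result:
    """SP-side checks on an already signature-verified SAML Response."""
    r = Result()
    now = saml_time(now_utc)
    root = ET.fromstring(xml_text)  # use defusedxml.ElementTree for real input
    if root.get("Destination") != acs_url:
        r.problems.append("Destination is not our ACS URL")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        r.problems.append("status is not Success")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        r.problems.append("expected exactly one Assertion")
        return r
    a = assertions[0]
    issuer = a.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != idp_entity_id:
        r.problems.append(f"unexpected Issuer {issuer!r}")
    audiences = [e.text for e in a.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if entity_id not in audiences:
        r.problems.append("our Entity ID is not in the AudienceRestriction")
    cond = a.find("saml:Conditions", NS)
    if cond is None or not in_window(now, cond.get("NotBefore"), cond.get("NotOnOrAfter")):
        r.problems.append("assertion is outside its validity window")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url \
            or not in_window(now, scd.get("NotBefore"), scd.get("NotOnOrAfter")):
        r.problems.append("bearer confirmation is not for this ACS URL or has expired")
    for attr in a.findall("saml:AttributeStatement/saml:Attribute", NS):
        r.attributes[attr.get("Name")] = attr.findtext("saml:AttributeValue", default="", namespaces=NS)
    for name in REQUIRED_CLAIMS:
        if not r.attributes.get(name):
            r.problems.append(f"missing required attribute {name}")
    return r
```

The same checks explain the most common setup failures: a wrong Identifier (Entity ID) in Azure shows up as an Audience mismatch, and a Reply URL that does not match the SAML Reply URL (ACS) copied from Pivot shows up as a Destination or Recipient mismatch. A missing emailaddress claim fails the attribute check even though the user authenticated successfully at the IdP.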
In the Okta Admin Console, go to Applications > Create App Integration.
Select SAML 2.0 and click Next.
Give the application a name (e.g., “Pivot”) and click Next.
- Single sign-on URL: Paste the SAML Reply URL (ACS) from Pivot’s domain settings (e.g., ). This single URL is used for both SP-initiated and IDP-initiated sign-on. Check Use this for Recipient URL and Destination URL.
- Audience URI (SP Entity ID): Enter your Entity ID (e.g., https://pivot.app).
Add the following attribute mappings:
- SAML Metadata URL: After creating the app, go to the Sign On tab and copy the Metadata URL from the SAML 2.0 section. Paste it into Pivot’s SAML Metadata URL field.
- Entity ID: Enter the same Audience URI you configured in Okta.
- Signing Certificate: Download the certificate from Okta’s SAML Signing Certificates section and paste its contents into Pivot’s Signing Certificate field.
In the Google Admin Console, go to Apps > Web and mobile apps > Add app > Add custom SAML app.
Enter a name for the application (e.g., “Pivot”) and click Continue.
On the Google Identity Provider details step, download the Certificate and copy the SSO URL and Entity ID. Click Continue.
- ACS URL: Paste the SAML Reply URL (ACS) from Pivot’s domain settings (e.g., ). This single URL handles both SP-initiated and IDP-initiated sign-on.
- Entity ID: Enter your Entity ID (e.g., https://pivot.app).
- Start URL: Leave empty. When empty, clicking the app tile in Google Workspace performs IDP-initiated sign-on directly.
- Signed response: Check this box.
Click Continue.
Add the following attribute mappings:
Click Finish.
After creating the app, click the app name, then go to User access. Turn the service ON for everyone (or for specific organizational units).
- SAML Metadata URL: Use the SSO URL from the Google Identity Provider details step (copied during app creation). Paste it into Pivot’s SAML Metadata URL field.
- Entity ID: Enter the same Entity ID you configured in Google Workspace.
- Signing Certificate: Open the certificate downloaded during app creation and paste its contents into Pivot’s Signing Certificate field.