Single Sign-On (SSO)
Enable enterprise Single Sign-On for your organization using SAML 2.0 identity providers.
Supported Identity Providers
Propper supports SAML 2.0 SSO with the following identity providers:
| Provider | Guide |
|---|---|
| Microsoft Entra ID (Azure AD) | Setup Guide |
| Google Workspace | Setup Guide |
| Custom SAML 2.0 | Setup Guide |
Any SAML 2.0 compliant identity provider can be configured using the Custom SAML guide.
How SSO Works
Prerequisites
Before configuring SSO, ensure you have:
- Organization Admin Access - You must be an organization administrator in Propper
- Identity Provider Admin Access - You need admin access to your IdP (Azure AD, Google Workspace, etc.)
- Verified Domain - Your email domain must be verified in Propper before enforcing SSO
Propper Service Provider Metadata
When configuring your identity provider, use these Propper SP values:
| Field | Value |
|---|---|
| SP Entity ID | urn:propper:sp:auth |
| ACS URL | https://auth.propper.ai/saml/acs |
| SLO URL | https://auth.propper.ai/saml/slo |
| NameID Format | urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress |
You can also download the SP metadata XML from your Propper SSO settings page.
Required Attributes
Your identity provider must send the following attributes in the SAML assertion:
| Attribute | Description | Required |
|---|---|---|
| email | User's email address (used as NameID) | Yes |
| firstName | User's first name | Yes |
| lastName | User's last name | Yes |
| groups | User's group memberships | No |
The groups attribute is optional but enables automatic role assignment based on IdP group membership.
Features
Just-In-Time (JIT) Provisioning
When enabled, users are automatically created in Propper on their first SSO login. You can configure:
- Default Role - The role assigned to new users
- Allowed Domains - Restrict JIT to specific email domains
- Group-to-Role Mapping - Map IdP groups to Propper roles
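The following Python walk-through is an added illustration, not Propper's own code: it applies the checks implied by the SP metadata and Required Attributes tables above (NameID format, audience, mandatory attributes) and then the JIT allowed-domain and group-to-role rules to a constructed, unsigned sample assertion. It assumes the SAML library has already verified the XML signature, `InResponseTo` and validity window before these checks run.

```python
import xml.etree.ElementTree as ET

# Values taken from the Propper SP metadata and attribute tables on this page.
SP_ENTITY_ID = "urn:propper:sp:auth"
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
REQUIRED_ATTRS = ("email", "firstName", "lastName")
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion for illustration only (no Signature element;
# signature, InResponseTo and NotOnOrAfter are assumed verified upstream).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID Format="%s">alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>%s</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue>Smith</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups"><saml:AttributeValue>propper-admins</saml:AttributeValue>
      <saml:AttributeValue>staff</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>""" % (NAMEID_EMAIL, SP_ENTITY_ID)


def parse_attributes(root):
    """Map each Attribute Name to its list of AttributeValue strings."""
    return {a.get("Name"): [v.text or "" for v in a.findall("saml:AttributeValue", NS)]
            for a in root.findall(".//saml:AttributeStatement/saml:Attribute", NS)}


def check_assertion(xml_text):
    """Return (ok, problems, attrs) for the checks the page's tables imply."""
    root = ET.fromstring(xml_text)
    problems = []
    nameid = root.find(".//saml:Subject/saml:NameID", NS)
    if nameid is None or nameid.get("Format") != NAMEID_EMAIL:
        problems.append("NameID must use the emailAddress format")
    if SP_ENTITY_ID not in [a.text for a in root.findall(".//saml:Audience", NS)]:
        problems.append("Audience does not match SP Entity ID")
    attrs = parse_attributes(root)
    for name in REQUIRED_ATTRS:
        if not attrs.get(name) or not attrs[name][0]:
            problems.append("missing required attribute " + name)
    if nameid is not None and attrs.get("email") and attrs["email"][0] != nameid.text:
        problems.append("email attribute does not match NameID")
    return (not problems, problems, attrs)


def jit_role(attrs, allowed_domains, group_to_role, default_role):
    """JIT rule: reject domains outside the allow-list; first mapped group wins."""
    domain = attrs["email"][0].rsplit("@", 1)[-1].lower()
    if domain not in allowed_domains:
        return None  # JIT provisioning refused for this domain
    groups = set(attrs.get("groups", []))
    for group, role in group_to_role.items():  # mapping order sets precedence
        if group in groups:
            return role
    return default_role
```

Running `check_assertion` on a production assertion without the upstream signature check would accept any attacker-authored XML, so keep it strictly after signature verification.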
SSO Enforcement
After configuring SSO, you can enforce it for your organization:
- Optional - Users can log in with SSO or password
- Required - Users must use SSO (password login disabled)
Before enabling SSO enforcement, ensure at least one admin account is listed in the bypass list to prevent lockout.
Domain Verification
To enforce SSO for a domain, you must first verify ownership:
- Add your domain in Propper SSO settings
- Add the provided DNS TXT record to your domain
- Verify the domain in Propper
- Enable SSO enforcement for the domain
Next Steps
Choose your identity provider to get started: