Identity & SSO

Slim.io supports SAML 2.0 Single Sign-On (SSO) to integrate with your organization’s identity provider. When SSO is configured, users authenticate through your IdP instead of managing separate Slim.io credentials.

Supported Identity Providers

| Provider | Protocol | Status |
| --- | --- | --- |
| Microsoft Entra ID (Azure AD) | SAML 2.0 | Fully supported |
| Okta | SAML 2.0 | Fully supported |
| Google Workspace | SAML 2.0 | Fully supported |
| Custom SAML | SAML 2.0 | Any compliant IdP |

SAML Configuration

Slim.io Service Provider (SP) Details

When configuring your IdP, use these SP values:

| Field | Value |
| --- | --- |
| Entity ID | https://slim.io/saml/metadata |
| ACS URL | https://slim.io/saml/acs |
| SLO URL | https://slim.io/saml/slo (optional) |
| NameID Format | urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress |

Required SAML Attributes

Your IdP must release the following attributes in the SAML assertion:

| Attribute | Required | Description |
| --- | --- | --- |
| email | Yes | User’s email address (used as the primary identifier) |
| firstName | No | User’s first name (for display) |
| lastName | No | User’s last name (for display) |
| groups | No | Group memberships (for role mapping) |

Setup: Microsoft Entra ID

  1. In the Azure Portal, navigate to Enterprise Applications > New Application > Create your own application.
  2. Select Integrate any other application you don’t find in the gallery (Non-gallery).
  3. Name the application (e.g., “Slim.io”).
  4. Go to Single sign-on > SAML.
  5. Set the Identifier (Entity ID) to https://slim.io/saml/metadata.
  6. Set the Reply URL (ACS URL) to https://slim.io/saml/acs.
  7. Under Attributes & Claims, ensure email is mapped to user.mail.
  8. Download the Federation Metadata XML or copy the Login URL, Identifier, and Certificate values.
  9. In Slim.io, navigate to Settings > Identity > Add Connection.
  10. Select Entra ID and paste the metadata or individual values.
  11. Click Test Connection and complete the SAML flow.
  12. Click Activate.

Setup: Okta

  1. In the Okta Admin Console, navigate to Applications > Create App Integration.
  2. Select SAML 2.0.
  3. Enter the Single sign on URL: https://slim.io/saml/acs.
  4. Enter the Audience URI (SP Entity ID): https://slim.io/saml/metadata.
  5. Set Name ID format to EmailAddress.
  6. Add attribute statements for email, firstName, lastName.
  7. Complete the wizard and copy the Identity Provider metadata URL.
  8. In Slim.io, select Okta as the provider and enter the metadata URL.
  9. Test and activate.

Setup: Google Workspace

  1. In the Google Admin Console, navigate to Apps > Web and mobile apps > Add App > Add custom SAML app.
  2. Enter the ACS URL: https://slim.io/saml/acs.
  3. Enter the Entity ID: https://slim.io/saml/metadata.
  4. Set Name ID format to EMAIL.
  5. Map attributes: email to Primary Email.
  6. Download the IdP metadata.
  7. In Slim.io, select Google Workspace and upload the metadata.
  8. Test and activate.

Just-In-Time (JIT) Provisioning

When JIT provisioning is enabled:

  • Users who authenticate via SSO for the first time are automatically created in Slim.io
  • New users receive the Viewer role by default
  • Users are assigned to the Default workspace
  • Administrators can promote users and assign additional workspaces after first login

JIT provisioning eliminates the need to manually create user accounts before they can access Slim.io. It is enabled by default when SSO is activated.

Group-Based Role Mapping

If your IdP releases a groups attribute, you can map IdP groups to Slim.io roles:

| IdP Group | Slim.io Role | Workspace |
| --- | --- | --- |
| slim-io-admins | Admin | All workspaces |
| slim-io-editors | Editor | Default workspace |
| slim-io-viewers | Viewer | Default workspace |

Configure group mappings in Settings > Identity > Role Mapping.

Enforcing SSO

When SSO is activated with enforcement:

  • All users must authenticate through the configured IdP
  • Email/password login is disabled for non-admin accounts
  • At least one account retains email/password access as a recovery mechanism
  • API keys continue to work independently of SSO enforcement

Before enforcing SSO, verify that: (1) at least one admin has recovery access, (2) the IdP SAML configuration is tested and working, and (3) all active users have accounts in the IdP.

Troubleshooting

“SAML Response Invalid” Error

  • Verify the ACS URL configured in the IdP matches exactly (including whether it ends in a trailing slash)
  • Check that the IdP certificate has not expired
  • Ensure the NameID format is set to emailAddress

Users Cannot Log In After SSO Activation

  • Confirm the user’s email in the IdP matches their Slim.io account email
  • Check that the user is assigned to the SAML application in the IdP
  • Review the SAML assertion in browser developer tools for missing attributes
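
The checks in the two lists above can be run against a captured response instead of read by eye. The following is an added example, not Slim.io code: it decodes the base64 `SAMLResponse` form value copied from browser developer tools and compares it with the SP values and required attribute on this page. It assumes the HTTP-POST binding (plain base64, no compression); `check_saml_response` and `build_sample` are hypothetical names, and the sample response is constructed.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion"}
# SP values and attribute name taken from this page.
ENTITY_ID = "https://slim.io/saml/metadata"
ACS_URL = "https://slim.io/saml/acs"
NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"


def check_saml_response(b64_response):
    """Return a list of problems found in a base64 SAMLResponse form value.

    Diagnostic only: the XML signature is NOT verified here, so the result
    must never be used to make an authentication decision.
    """
    root = ET.fromstring(base64.b64decode(b64_response))
    problems = []
    if root.get("Destination") != ACS_URL:
        problems.append(f"Destination {root.get('Destination')!r} != ACS URL")
    audiences = [(e.text or "").strip() for e in root.iterfind(".//a:Audience", NS)]
    if ENTITY_ID not in audiences:
        problems.append(f"Audience {audiences} lacks the SP Entity ID")
    name_id = root.find(".//a:Subject/a:NameID", NS)
    if name_id is None or name_id.get("Format") != NAMEID_FORMAT:
        problems.append("NameID Format is not emailAddress")
    names = {a.get("Name") for a in root.iterfind(".//a:Attribute", NS)}
    if "email" not in names:
        problems.append("required attribute 'email' is missing")
    return problems


def build_sample(destination=ACS_URL, attr_name="email"):
    """Constructed, minimal, unsigned sample response with a placeholder user."""
    xml = f"""<samlp:Response xmlns:samlp="{NS['p']}" xmlns:saml="{NS['a']}"
    Destination="{destination}">
  <saml:Assertion>
    <saml:Subject><saml:NameID Format="{NAMEID_FORMAT}">user@example.com</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>{ENTITY_ID}</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="{attr_name}"><saml:AttributeValue>user@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()
```

Calling `check_saml_response(build_sample(destination="https://slim.io/saml/acs/"))` reports the trailing-slash mismatch, and `build_sample(attr_name="mail")` reproduces an IdP that releases the address under the wrong attribute name.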