Authentication

Enterprise SSO (SAML)

Overview

Enterprise SSO lets your team sign in to the LevelFour dashboard with your organization's identity provider (IdP) over SAML 2.0, instead of individual email or social logins. Once enabled, anyone with an email address on your verified domain is routed to your IdP to authenticate.

SSO is an enterprise feature. To enable it, contact your LevelFour representative or email support@levelfour.ai with your identity provider and the email domain(s) your team uses.

Supported identity providers

  • Google Workspace
  • Microsoft Entra ID (formerly Azure AD)
  • Okta
  • Any SAML 2.0 compatible identity provider

How it works

SAML SSO is a one-time setup that exchanges configuration between LevelFour (the service provider) and your identity provider:

  1. You tell us your IdP and email domain.
  2. We create a connection for your domain and send you two values: an ACS URL and an Entity ID.
  3. You create a SAML application in your IdP using those values and map a few user attributes.
  4. You send us your IdP metadata.
  5. We activate the connection and test it with you.

Sign-ins are routed by email domain, so your existing logins keep working until the connection is activated.

What you provide and receive

You receive from LevelFour:

  • ACS URL (Assertion Consumer Service URL)
  • Entity ID (service provider identifier)

You send back to LevelFour:

  • Your IdP SSO URL
  • Your IdP Entity ID
  • Your X.509 signing certificate, or the full IdP metadata XML

Your ACS URL and Entity ID are unique to your organization and are shared with you privately during setup. They are not published here.

Required attribute mapping

Your IdP must send these attributes in the SAML assertion. The app attribute names must match exactly:

| User attribute | App attribute name | Required |
|----------------|--------------------|----------|
| Email address  | mail               | Yes      |
| First name     | firstName          | No       |
| Last name      | lastName           | No       |

Set the Name ID to the user's primary email, with the Name ID format set to EMAIL.
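
To confirm the mapping above before activation, you can run a check like the following against a decoded assertion captured from a test sign-in. This is an added example, not LevelFour's code: the `check_assertion` helper and the sample assertion are constructed for illustration, and the URN is the standard SAML identifier for the email Name ID format.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
EXPECTED = {"mail": True, "firstName": False, "lastName": False}  # app attribute name -> required

# Constructed sample: a decoded assertion with a miscased attribute and the wrong Name ID format.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="Mail"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_assertion(xml_text):
    """Return a list of mapping problems; an empty list means the mapping looks right."""
    # Mapping check only: this does not verify the assertion's signature or conditions.
    root = ET.fromstring(xml_text)
    problems = []
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None:
        problems.append("NameID missing")
    elif name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID format is not emailAddress")
    attrs = {}
    for a in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        v = a.find("saml:AttributeValue", NS)
        attrs[a.get("Name")] = (v.text or "").strip() if v is not None else ""
    lowered = {n.lower(): n for n in attrs if n}
    for name, required in EXPECTED.items():
        if attrs.get(name):
            continue  # present with a non-empty value under the exact name
        near = lowered.get(name.lower())
        if near and near != name:
            problems.append(f"attribute '{near}' must be named '{name}' exactly")
        elif required:
            problems.append(f"required attribute '{name}' missing or empty")
    return problems


if __name__ == "__main__":
    for p in check_assertion(SAMPLE):
        print("FAIL:", p)
```

Run it only on assertions captured from your own test sign-in; it reads the attribute statement and Name ID and trusts nothing about the assertion's origin.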

Set up Google Workspace

These steps use Google Workspace as an example. Microsoft Entra ID and Okta follow the same pattern on provider-specific screens.

  1. In the Google Admin console, go to Apps > Web and mobile apps.
  2. Click Add app > Add custom SAML app.
  3. Enter an app name (for example, "LevelFour") and click Continue.
  4. On the Google Identity Provider details page, download the IdP metadata, or copy the SSO URL and Entity ID and download the Certificate. You will send these to us. Click Continue.
  5. In Service Provider Details, enter the ACS URL and Entity ID we sent you. Click Continue.
  6. Set the Name ID format to EMAIL and the Name ID to Basic Information > Primary email.
  7. Under Attributes, click Add mapping and map each Google directory field to its app attribute name:
    • Basic Information > Primary email to mail
    • Basic Information > First name to firstName
    • Basic Information > Last name to lastName
  8. Click Finish.
  9. Open the app, go to User access, select On for everyone, and click Save.
  10. Send us the IdP metadata (or the SSO URL, Entity ID, and certificate) you saved in step 4.

Once we receive your IdP details, we load them into your connection, test a sign-in with one user on your domain, then activate SSO for the whole domain.

Other identity providers

The flow is identical for other providers. Create a SAML application in your IdP using the ACS URL and Entity ID we send you, apply the same attribute mapping above, and return your IdP metadata.

Send your IdP metadata and signing certificate to your LevelFour representative through a secure channel, not a public forum.