SSO & SAML

Enterprise teams can configure SAML 2.0 single sign-on so team members authenticate through your identity provider (IdP). This ensures centralized access control and eliminates separate passwords.

Enterprise feature

SSO/SAML is available on the Enterprise plan. Contact sales@dynalab.ai to upgrade.

How It Works

DynaLab.ai acts as a SAML Service Provider (SP). Your identity provider (Okta, Azure AD, OneLogin, Google Workspace, etc.) acts as the Identity Provider (IdP). When a team member signs in:

  1. User navigates to your team's SSO login URL
  2. DynaLab.ai redirects to your IdP's login page
  3. User authenticates with their corporate credentials
  4. IdP sends a SAML assertion back to DynaLab.ai
  5. User is signed in and connected to your team automatically

Configuration

Step 1: Get DynaLab.ai SP Details

Go to Team Hub > Settings > SSO to find your Service Provider details:

  • ACS URL (Assertion Consumer Service) — The URL where your IdP sends the SAML response
  • Entity ID — DynaLab.ai's unique identifier as a Service Provider
  • Metadata URL — XML metadata describing the SP configuration (some IdPs can import this directly)

Step 2: Configure Your IdP

In your identity provider, create a new SAML application and enter the SP details from Step 1. You'll need to configure:

  • ACS URL — Paste the ACS URL from DynaLab.ai
  • Entity ID / Audience — Paste the Entity ID
  • Name ID Format — Set to emailAddress
  • Attribute Statements — Map your IdP's user attributes (see table below)

Attribute Mapping

  DynaLab.ai Attribute   SAML Attribute                 Required
  email                  NameID or email attribute      Yes
  firstName              user.firstName or givenName    Recommended
  lastName               user.lastName or surname       Recommended
  displayName            user.displayName or cn         Optional

Step 3: Enter IdP Details in DynaLab.ai

Back in Team Hub > Settings > SSO, enter the details from your IdP:

  • IdP Metadata URL — If your IdP provides a metadata URL, paste it here. DynaLab.ai will automatically extract the SSO URL and certificate.
  • IdP SSO URL — The URL where DynaLab.ai redirects users to sign in (if not using metadata URL)
  • IdP Entity ID — Your IdP's unique identifier
  • Certificate — The X.509 signing certificate from your IdP (PEM format)

Testing Your SSO Connection

  1. After saving the configuration, click "Test SSO Connection"
  2. A new window opens and redirects to your IdP
  3. Sign in with a test account
  4. If successful, you'll see a confirmation message
  5. If it fails, check the error details and verify your configuration

Test before enforcing

Always test SSO with at least one account before enabling "Require SSO" for all team members. If SSO is misconfigured and enforced, team members may be locked out.

IdP-Specific Guides

Okta

  1. In Okta Admin, go to Applications > Create App Integration
  2. Select SAML 2.0
  3. Enter the ACS URL and Entity ID from DynaLab.ai
  4. Set Name ID format to EmailAddress
  5. Add attribute statements for firstName, lastName
  6. Complete the wizard and copy the IdP metadata URL
  7. Paste it into DynaLab.ai SSO settings

Azure AD (Entra ID)

  1. In Azure Portal, go to Enterprise Applications > New Application
  2. Select "Create your own application" > Non-gallery
  3. Go to Single sign-on > SAML
  4. Enter the Entity ID and ACS URL from DynaLab.ai
  5. Under User Attributes & Claims, verify email is mapped to NameID
  6. Download the Federation Metadata XML or copy the metadata URL
  7. Enter it in DynaLab.ai SSO settings

Google Workspace

  1. In Google Admin Console, go to Apps > Web and mobile apps
  2. Click "Add App" > "Add custom SAML app"
  3. Copy the SSO URL, Entity ID, and Certificate from Google
  4. Enter the ACS URL and Entity ID from DynaLab.ai
  5. Set Name ID format to EMAIL
  6. Add attribute mappings for firstName and lastName
  7. Save and enter Google's IdP details in DynaLab.ai

Troubleshooting

  • SAML assertion invalid — Check that the certificate in DynaLab.ai matches your IdP's current signing certificate. Certificates can rotate.
  • User not found — Ensure the NameID (email) in the SAML assertion matches the email format in DynaLab.ai.
  • Redirect loop — Verify the ACS URL is correct and the Entity ID matches exactly (case-sensitive).
  • Clock skew error — SAML assertions have a validity window. Ensure your IdP's server clock is synchronized (NTP).
  • Need help? — Contact support@dynalab.ai with your team ID and error details.
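
To narrow down which of the causes above applies, you can decode the SAMLResponse form field captured from a test login and inspect it locally. The script below is an added example, not DynaLab.ai code: the function name diagnose, the sample Entity ID and user, and the 120-second skew tolerance are assumptions. It does not verify the XML signature, so it cannot detect a certificate mismatch.

```python
# Added diagnostic example (not DynaLab.ai code); signature is NOT verified.
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample: placeholder SP Entity ID and user, valid 12:00-12:05 UTC.
SAMPLE = base64.b64encode(b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>
<saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID></saml:Subject>
<saml:Conditions NotBefore="2024-05-01T12:00:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
<saml:AudienceRestriction><saml:Audience>https://SP.example.com/saml</saml:Audience></saml:AudienceRestriction>
</saml:Conditions></saml:Assertion></samlp:Response>""")


def _ts(value):
    # SAML timestamps are UTC; drop any fractional seconds and the trailing Z.
    return datetime.strptime(value[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def diagnose(saml_response_b64, expected_entity_id, now, skew_seconds=120):
    """Return a list of problems found in a base64-encoded SAMLResponse."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    problems = []
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or "@" not in (name_id.text or ""):
        problems.append("NameID is missing or is not an email address")
    elif name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID Format is not emailAddress")
    audiences = [a.text for a in root.findall(".//saml:Audience", NS)]
    if expected_entity_id not in audiences:  # exact, case-sensitive comparison
        problems.append(f"Audience {audiences} does not match Entity ID {expected_entity_id!r}")
    cond = root.find(".//saml:Conditions", NS)
    skew = timedelta(seconds=skew_seconds)
    if cond is not None:
        if cond.get("NotBefore") and now + skew < _ts(cond.get("NotBefore")):
            problems.append("assertion not yet valid (check clock sync)")
        if cond.get("NotOnOrAfter") and now - skew >= _ts(cond.get("NotOnOrAfter")):
            problems.append("assertion expired (check clock sync)")
    return problems


if __name__ == "__main__":
    now = datetime(2024, 5, 1, 12, 1, tzinfo=timezone.utc)
    # Entity ID differs from the sample Audience only in letter case.
    for problem in diagnose(SAMPLE, "https://sp.example.com/saml", now):
        print("PROBLEM:", problem)
```

Replace SAMPLE with the base64 value of your own captured response and pass the Entity ID shown in Team Hub > Settings > SSO.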