How do I enable SAML SSO authentication?
With SAML 2.0-based single sign-on (SSO), your users can access MerciApp through the identity provider of your choice.
How single sign-on works
- When a member tries to log in to MerciApp via single sign-on, a SAML request is sent by MerciApp to the identity provider.
- The identity provider reviews the member's login information and sends a response to MerciApp to certify the user's identity.
- Once this verification is complete, MerciApp validates access, allowing the member to log in to their MerciApp account.
What happens after single sign-on is activated?
When single sign-on is first configured, existing MerciApp users will be able to continue accessing their accounts without interruption. However, the next time they log out, their session expires, or they attempt to log in from a new device, they will be redirected to the single sign-on process.
All other login options will be disabled for users, including email and password, Google, and LinkedIn login methods.
Single sign-on configuration
Identity providers
You can use the identity provider of your choice as long as it offers authentication via the SAML protocol. Here are some of the most frequently used ones:
- Okta
- Microsoft Azure AD
- OneLogin
- Microsoft ADFS
- Auth0
- Google SSO
- JumpCloud SSO
General configuration (required)
- Go to your space settings in the "Settings" tab. Click on "Single sign-on (SSO)" to expand the configuration options. Leave this page open for later.
- Choose whichever of the two modes below suits you best: automatic or manual.
- Create a new SAML application in your identity provider.
Automatic configuration
If your identity provider allows it, you can opt for automatic configuration.
After you create your new SAML application, your identity provider makes a metadata URL available.
To use automatic configuration, enter the metadata URL provided by the identity provider, then click "Import metadata."
Once the metadata has been imported, download the MerciApp metadata at the bottom of the section and import it into your identity provider.

Go to the "Configure transmitted user attributes" section before confirming the creation of your new application.
Manual configuration
- Go to your identity provider's dashboard and follow the instructions provided to set up single sign-on.
- Enter the following metadata. We suggest leaving the optional fields blank and keeping the default values unchanged.
| Parameter | Description |
|---|---|
| Protocol | SAML 2.0 |
| Binding | HTTP POST: the identity provider sends its response to the service provider in a POST request |
| Service URL (also known as launch URL, response URL, trusted third-party single sign-on service URL, target URL, single sign-on login URL, identity provider endpoint, etc.) | Enter the URL provided on MerciApp in the "acsUrl" field of the single sign-on settings. |
| Assertion consumer service URL (also known as authorized callback URL, custom ACS URL, response URL) | Enter the URL provided on MerciApp in the "acsUrl" field of the single sign-on settings. |
| Identity ID (also known as identifier, approval identifier) | merciapp |
| Default relay state | Leave blank |
| Signature requirements | An unsigned SAML response with a signed assertion |
| NameID | |
Once these steps have been completed, validate the creation of your new application.
After creating the application, download the x.509 certificate issued by the identity provider.
- Enter the following information in your MerciApp settings.
| Parameter | Description |
|---|---|
| Identity provider ID (IdP Entity ID) | Provided by the identity provider during the configuration of the new application |
| Identity provider single sign-on URL | This is usually the page your users will be redirected to when they try to log in |
| x.509 public key certificate | Open the certificate downloaded in the previous step in a text editor and paste its entire contents into the field |
After entering this information, click "Save Configuration."
Go to the "Configure transmitted user attributes" section before confirming the creation of your new application.
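The three values entered in the MerciApp settings during manual configuration are also published in the identity provider's SAML metadata. The added example below (not MerciApp's or any identity provider's code) extracts them from a metadata document and computes a SHA-256 fingerprint of the certificate so it can be compared with the one shown in the identity provider's dashboard. The function name `idp_settings`, the `idp.example.test` URLs and the placeholder certificate bytes are assumptions constructed for illustration.

```python
import base64, hashlib, textwrap
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD, "ds": "http://www.w3.org/2000/09/xmldsig#"}
BIND = "urn:oasis:names:tc:SAML:2.0:bindings:"

# Constructed sample: placeholder bytes stand in for the DER-encoded certificate.
PLACEHOLDER_DER = b"constructed placeholder, not a real certificate"
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      {base64.b64encode(PLACEHOLDER_DER).decode()}
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="{BIND}HTTP-Redirect"
        Location="https://idp.example.test/sso/redirect"/>
    <md:SingleSignOnService Binding="{BIND}HTTP-POST"
        Location="https://idp.example.test/sso/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def idp_settings(metadata_xml):
    """Return entity ID, SSO endpoints and signing certificate from IdP metadata."""
    # stdlib parser for brevity; for metadata fetched from a URL, prefer a
    # hardened parser such as defusedxml.
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if root.tag != f"{{{MD}}}EntityDescriptor" or idp is None or not root.get("entityID"):
        raise ValueError("expected a single-entity IdP metadata document")
    # Key each endpoint by its binding name, e.g. "HTTP-POST".
    sso = {s.get("Binding", "").rsplit(":", 1)[-1]: s.get("Location", "")
           for s in idp.findall("md:SingleSignOnService", NS)}
    if not sso or not all(u.startswith("https://") for u in sso.values()):
        raise ValueError("missing or non-HTTPS single sign-on endpoint")
    # Keys marked use="encryption" do not verify assertion signatures; skip them.
    certs = [n.text for kd in idp.findall("md:KeyDescriptor", NS)
             if kd.get("use") in (None, "signing")
             for n in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) if n.text]
    if not certs:
        raise ValueError("no signing certificate in metadata")
    b64 = "".join(certs[0].split())             # strip line breaks and indentation
    der = base64.b64decode(b64, validate=True)  # rejects non-base64 content
    pem = "\n".join(["-----BEGIN CERTIFICATE-----", *textwrap.wrap(b64, 64),
                     "-----END CERTIFICATE-----", ""])
    return {"idp_entity_id": root.get("entityID"), "sso_urls": sso,
            "certificate_pem": pem, "sha256_fingerprint": hashlib.sha256(der).hexdigest()}

if __name__ == "__main__":
    print(idp_settings(SAMPLE_METADATA))
```

The page does not state which binding MerciApp uses for the SAML request, so the example returns every advertised endpoint rather than picking one.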
Configuring transmitted user attributes (required)
This step must be performed on your new application in your identity provider. It tells the identity provider which information MerciApp expects about a user when they log in to their MerciApp space.
The attributes listed below are required.
| Parameter | Description |
|---|---|
| | User's first name |
| | User's last name |
| | User's email address |
Once these attributes have been entered, validate the creation of your new application with your identity provider.
Team configuration (optional)
It is possible to automatically link your company's users to teams within your MerciApp space. If users already exist on the MerciApp side, they will be linked to their team the next time they log in.
| Parameter | Description |
|---|---|
| | User's team |
How to enable single sign-on in your MerciApp space settings
Once your users have been notified, click the "Enable and close" button to confirm the integration of SAML SSO in your space.

Configuring single sign-on (SSO) with Okta
- Log in to your Okta administrator dashboard
- Click Applications
- Click Add Application
- Configure the general settings and click Next.
- Choose SAML 2.0 as the sign-in method and click Done.
Assign MerciApp to all users you want to add to your subscription by clicking on the gear icon next to MerciApp in the Applications menu.
To enable single sign-on in your MerciApp account, you will need to know three settings:
- Identity provider issuer
- Okta single sign-on URL
- x.509 certificate
To locate this information in your Okta dashboard, open MerciApp in the Applications list, go to the Login tab, and click View Setup Instructions.
On the page that opens, look for the Identity Provider Issuer, SAML 2.0 (HTTP) Endpoint, and Certificate.
Updated on: 11/02/2026
