Skip to main content
Krea Enterprise Only — SAML SSO is available exclusively for Krea Enterprise customers. Contact our sales team to learn more about Enterprise plans.
This guide walks you through configuring SAML Single Sign-On (SSO) for your Krea workspace. Once configured, users with email addresses from your verified domain can log in using your organization’s identity provider (IdP).

Prerequisites

Before you begin, ensure you have:

Verified Domain

Complete Domain Verification first

Workspace Role

You must be a workspace owner or admin

Identity Provider Access

Admin access to your IdP (Okta, Google Workspace, etc.)

Enterprise Plan

Active Krea Enterprise subscription

Step 1: Get Krea’s Service Provider Details

After completing domain verification, the setup modal will display the SAML configuration section. SAML configuration modal You’ll need these two values to configure your identity provider:
FieldValue
ACS URLhttps://superb.krea.ai/auth/v1/sso/saml/acs
Entity IDhttps://superb.krea.ai/auth/v1/sso/saml/metadata
Metadata XMLhttps://superb.krea.ai/auth/v1/sso/saml/metadata
Click the copy icon next to each URL in the modal to copy them exactly.

Step 2: Configure Your Identity Provider

Create a SAML application in your identity provider using the values from Step 1.
1

Access Applications

Log in to your Okta Admin Console (typically https://your-org.okta.com/admin) and go to ApplicationsApplications in the sidebar.
2

Create App Integration

Click Create App Integration.Select SAML 2.0 as the sign-in method and click Next.
3

Configure General Settings

Enter Krea as the App name.Optionally upload a logo for easy identification.Click Next.
4

Configure SAML Settings

Enter the following values:
FieldValue
Single sign-on URLhttps://superb.krea.ai/auth/v1/sso/saml/acs
Audience URI (SP Entity ID)https://superb.krea.ai/auth/v1/sso/saml/metadata
Name ID formatEmailAddress
Application usernameEmail
5

Complete Setup

Click Next.On the Feedback page, select “I’m an Okta customer adding an internal app” and click Finish.
6

Get Metadata URL

On the application page, go to the Sign On tab.Scroll down to SAML Signing Certificates and find the Metadata URL. Click ActionsView IdP metadata to get the URL.
7

Assign Users

Go to the Assignments tab and assign the users or groups who should have access to Krea.
Reference: Okta Help - Create SAML App Integrations ↗

Step 3: Connect Your IdP to Krea

Back in the Krea modal, provide your IdP’s metadata:

Step 4: Test Your Configuration

1

Open Incognito Window

Use a fresh incognito/private browser window to avoid cached sessions.
2

Go to Krea Login

Navigate to krea.ai/login ↗
3

Click the SSO Button

On the login page, click the SSO button to initiate SAML authentication.
Krea does not automatically redirect based on your email domain. You must click the SSO button to use SAML authentication. Users can still log in with email and password if they have one set.
4

Enter Your Email

Type an email address from your verified domain (e.g., you@acme.com)
5

Authenticate with Your IdP

You should be redirected to your organization’s login page.
6

Confirm Access

After successful authentication, you’ll be logged into Krea.
Success! If you can log in, your SAML SSO is configured correctly. Invite your team members to use the SSO button with their work email to sign in.

Enforce SAML SSO

Once SSO is configured and tested, you can enforce it for all users with your verified domain. This ensures everyone in your organization authenticates through your identity provider. SSO Enforcement toggle in workspace settings
1

Go to Workspace Settings

Navigate to Workspace Settings ↗ and scroll to the Single Sign-On (SSO) section.
2

Locate SSO Enforcement

Find the SSO Enforcement toggle on the SSO card for your verified domain.
3

Enable the Toggle

Click the toggle to enable SSO enforcement.
4

Confirm

Review the confirmation dialog and confirm to enable enforcement.
When enforcement is enabled:
  • All users with your verified domain will be required to sign in through your identity provider
  • Password and magic link login will be disabled for these users
  • Current sessions will continue until the user’s next login, at which point they must use SSO

Disabling Enforcement

If you need to disable SSO enforcement:
  1. Go to Workspace Settings ↗
  2. In the Single Sign-On (SSO) section, find the Enforce SSO toggle
  3. Click the toggle to disable enforcement
  4. Users will regain the ability to log in with password or magic link
Disabling enforcement does not disable SSO itself—users can still choose to log in via SSO using the SSO button on the login page.

Troubleshooting

  • Check URLs — Ensure ACS URL and Entity ID are exactly as shown (no trailing slashes)
  • Verify metadata access — If using a URL, make sure it’s publicly accessible
  • Try XML instead — If the URL doesn’t work, download and paste the XML directly
  • Check certificate expiry — Expired IdP certificates will cause configuration to fail
  • Click SSO button — Users must click the SSO button on the login page (not just enter their email)
  • Assign users in IdP — Users must be assigned to the Krea SAML app in your IdP
  • Check Name ID — Verify Name ID is set to email/EmailAddress format in your IdP
  • Verify email domain — User emails must match the verified domain exactly
  • Check user provisioning — Users may need to be invited to the Krea workspace first
  • Clock skew — Ensure your IdP server’s clock is accurate (within 5 minutes of actual time)
  • Assertion conditions — Check that the SAML assertion’s NotBefore/NotOnOrAfter conditions are valid
  • Signature issues — Verify the correct certificate is being used
  • Clear cookies — Clear all Krea-related cookies and try again
  • Check ACS URL — Ensure there are no typos in the ACS URL configured in your IdP
  • Verify domain — Confirm the domain verification is still active

Managing SSO

Viewing SSO Status

  1. Go to Workspace Settings ↗
  2. Scroll to the Domain Management section
  3. The SSO card shows:
    • Enabled status with a green indicator
    • Your verified domain
    • Configure button to modify settings

Updating IdP Metadata

If you need to update your IdP metadata (e.g., after certificate rotation):
  1. Go to Workspace Settings ↗
  2. In the Domain Management section, click Configure on the SSO card
  3. Update the metadata URL or XML
  4. Click Save changes

Disabling SSO

Disabling SSO will require all users to log in with email and password. Make sure users have passwords set before disabling.
  1. Go to Workspace Settings ↗
  2. In the Domain Management section, click Configure on the SSO card
  3. Click Disable SSO at the bottom of the modal
  4. Confirm the action

Need Help?

Enterprise Support

Contact our enterprise support team at support@krea.ai

Sales Team

Questions about Enterprise plans? Email sales@krea.ai