# SAML SSO Setup

> Configure SAML Single Sign-On for your Krea Enterprise workspace to enable secure, centralized authentication for your team.

<Info>
  **Krea Enterprise Only** — SAML SSO is available exclusively for Krea Enterprise customers. [Contact our sales team](mailto:sales@krea.ai) to learn more about Enterprise plans.
</Info>

This guide walks you through configuring SAML Single Sign-On (SSO) for your Krea workspace. Once configured, users with email addresses from your verified domain can log in using your organization's identity provider (IdP).

## Prerequisites

Before you begin, ensure you have:

<CardGroup cols={2}>
  <Card title="Verified Domain" icon="circle-check">
    Complete [Domain Verification](/user-guide/help-and-support/domain-verification) first
  </Card>

  <Card title="Workspace Role" icon="user-shield">
    You must be a **workspace owner** or **admin**
  </Card>

  <Card title="Identity Provider Access" icon="key">
    Admin access to your IdP (Okta, Google Workspace, etc.)
  </Card>

  <Card title="Enterprise Plan" icon="building">
    Active Krea Enterprise subscription
  </Card>
</CardGroup>

## Step 1: Get Krea's Service Provider Details

After completing domain verification, the setup modal will display the SAML configuration section.

![SAML configuration modal](https://s.krea.ai/docs/sso-saml-config-modal.png)

You'll need these two values to configure your identity provider:

| Field            | Value                                              |
| ---------------- | -------------------------------------------------- |
| **ACS URL**      | `https://superb.krea.ai/auth/v1/sso/saml/acs`      |
| **Entity ID**    | `https://superb.krea.ai/auth/v1/sso/saml/metadata` |
| **Metadata XML** | `https://superb.krea.ai/auth/v1/sso/saml/metadata` |

<Tip>
  Click the **copy icon** next to each URL in the modal to copy them exactly.
</Tip>

## Step 2: Configure Your Identity Provider

Create a SAML application in your identity provider using the values from Step 1.

<Tabs>
  <Tab title="Okta">
    <Steps>
      <Step title="Access Applications">
        Log in to your Okta Admin Console (typically `https://your-org.okta.com/admin`) and go to **Applications** → **Applications** in the sidebar.
      </Step>

      <Step title="Create App Integration">
        Click **Create App Integration**.

        Select **SAML 2.0** as the sign-in method and click **Next**.
      </Step>

      <Step title="Configure General Settings">
        Enter **Krea** as the App name.

        Optionally upload a logo for easy identification.

        Click **Next**.
      </Step>

      <Step title="Configure SAML Settings">
        Enter the following values:

        | Field                       | Value                                              |
        | --------------------------- | -------------------------------------------------- |
        | Single sign-on URL          | `https://superb.krea.ai/auth/v1/sso/saml/acs`      |
        | Audience URI (SP Entity ID) | `https://superb.krea.ai/auth/v1/sso/saml/metadata` |
        | Name ID format              | **EmailAddress**                                   |
        | Application username        | **Email**                                          |
      </Step>

      <Step title="Complete Setup">
        Click **Next**.

        On the Feedback page, select "I'm an Okta customer adding an internal app" and click **Finish**.
      </Step>

      <Step title="Get Metadata URL">
        On the application page, go to the **Sign On** tab.

        Scroll down to **SAML Signing Certificates** and find the **Metadata URL**. Click **Actions** → **View IdP metadata** to get the URL.
      </Step>

      <Step title="Assign Users">
        Go to the **Assignments** tab and assign the users or groups who should have access to Krea.
      </Step>
    </Steps>

    <Info>
      Reference: [Okta Help - Create SAML App Integrations ↗](https://help.okta.com/en-us/content/topics/apps/apps_app_integration_wizard_saml.htm)
    </Info>
  </Tab>

  <Tab title="Google Workspace">
    <Steps>
      <Step title="Open Admin Console">
        Log in to [Google Admin Console ↗](https://admin.google.com) with a super administrator account.

        Go to **Apps** → **Web and mobile apps**.
      </Step>

      <Step title="Add Custom SAML App">
        Click **Add app** → **Add custom SAML app**.

        Enter **Krea** as the app name and optionally upload a logo.

        Click **Continue**.
      </Step>

      <Step title="Download IdP Metadata">
        On the **Google Identity Provider details** page, you have two options:

        **Option 1 (Recommended):** Click **Download Metadata** to download the XML file.

        **Option 2:** Copy the **SSO URL**, **Entity ID**, and download the **Certificate**.

        Click **Continue**.
      </Step>

      <Step title="Configure Service Provider Details">
        Enter the following values:

        | Field          | Value                                              |
        | -------------- | -------------------------------------------------- |
        | ACS URL        | `https://superb.krea.ai/auth/v1/sso/saml/acs`      |
        | Entity ID      | `https://superb.krea.ai/auth/v1/sso/saml/metadata` |
        | Name ID format | **EMAIL**                                          |
        | Name ID        | **Basic Information > Primary email**              |

        Click **Continue**.
      </Step>

      <Step title="Configure Attribute Mapping (Optional)">
        You can skip attribute mapping for basic SSO setup.

        Click **Finish**.
      </Step>

      <Step title="Turn On the App">
        On the app details page, click **User access**.

        Select **ON for everyone** (or configure for specific organizational units).

        Click **Save**.
      </Step>
    </Steps>

    <Note>
      Google Workspace doesn't provide a publicly accessible metadata URL. You'll need to use the **Metadata XML** option in Krea (see Step 3).
    </Note>

    <Info>
      Reference: [Google Workspace Admin Help - Set Up Custom SAML App ↗](https://support.google.com/a/answer/6087519)
    </Info>
  </Tab>
</Tabs>

## Step 3: Connect Your IdP to Krea

Back in the Krea modal, provide your IdP's metadata:

<Tabs>
  <Tab title="URL (Recommended)">
    **Best for:** Okta and other IdPs that provide a public metadata URL

    1. In the Krea modal, select the **URL** tab
    2. Paste your IdP's **Metadata URL** into the text field
    3. Click **Save changes**

    <Info>
      Using a URL allows Krea to automatically fetch updated certificates when your IdP rotates them.
    </Info>
  </Tab>

  <Tab title="Metadata XML">
    **Best for:** Google Workspace or if your metadata URL isn't publicly accessible

    1. Open the downloaded SAML metadata XML file in a text editor
    2. Copy all the contents
    3. In the Krea modal, select the **Metadata XML** tab
    4. Paste the XML content into the text area
    5. Click **Save changes**

    <Warning>
      If you use XML, you'll need to manually update it when your IdP rotates certificates.
    </Warning>
  </Tab>
</Tabs>

## Step 4: Test Your Configuration

<Steps>
  <Step title="Open Incognito Window">
    Use a fresh incognito/private browser window to avoid cached sessions.
  </Step>

  <Step title="Go to Krea Login">
    Navigate to [krea.ai/login ↗](https://krea.ai/login)
  </Step>

  <Step title="Click the SSO Button">
    On the login page, click the **SSO** button to initiate SAML authentication.

    <Warning>
      Krea does not automatically redirect based on your email domain. You must click the **SSO** button to use SAML authentication. Users can still log in with email and password if they have one set.
    </Warning>
  </Step>

  <Step title="Enter Your Email">
    Type an email address from your verified domain (e.g., `you@acme.com`)
  </Step>

  <Step title="Authenticate with Your IdP">
    You should be redirected to your organization's login page.
  </Step>

  <Step title="Confirm Access">
    After successful authentication, you'll be logged into Krea.
  </Step>
</Steps>

<Check>
  **Success!** If you can log in, your SAML SSO is configured correctly. Invite your team members to use the SSO button with their work email to sign in.
</Check>

## Enforce SAML SSO

Once SSO is configured and tested, you can enforce it for all users with your verified domain. This ensures everyone in your organization authenticates through your identity provider.

![SSO Enforcement toggle in workspace settings](https://s.krea.ai/docs/sso-enforcement.png)

<Steps>
  <Step title="Go to Workspace Settings">
    Navigate to [Workspace Settings ↗](https://www.krea.ai/settings/workspace-settings) and scroll to the **Single Sign-On (SSO)** section.
  </Step>

  <Step title="Locate SSO Enforcement">
    Find the **SSO Enforcement** toggle on the SSO card for your verified domain.
  </Step>

  <Step title="Enable the Toggle">
    Click the toggle to enable SSO enforcement.
  </Step>

  <Step title="Confirm">
    Review the confirmation dialog and confirm to enable enforcement.
  </Step>
</Steps>

<Warning>
  **When enforcement is enabled:**

  * All users with your verified domain will be required to sign in through your identity provider
  * Password and magic link login will be disabled for these users
  * Current sessions will continue until the user's next login, at which point they must use SSO
</Warning>

### Disabling Enforcement

If you need to disable SSO enforcement:

1. Go to [Workspace Settings ↗](https://www.krea.ai/settings/workspace-settings)
2. In the **Single Sign-On (SSO)** section, find the **Enforce SSO** toggle
3. Click the toggle to disable enforcement
4. Users will regain the ability to log in with password or magic link

<Note>
  Disabling enforcement does not disable SSO itself—users can still choose to log in via SSO using the SSO button on the login page.
</Note>

## Troubleshooting

<AccordionGroup>
  <Accordion title="Failed to configure SSO">
    * **Check URLs** — Ensure ACS URL and Entity ID are exactly as shown (no trailing slashes)
    * **Verify metadata access** — If using a URL, make sure it's publicly accessible
    * **Try XML instead** — If the URL doesn't work, download and paste the XML directly
    * **Check certificate expiry** — Expired IdP certificates will cause configuration to fail
  </Accordion>

  <Accordion title="Users can't log in">
    * **Click SSO button** — Users must click the SSO button on the login page (not just enter their email)
    * **Assign users in IdP** — Users must be assigned to the Krea SAML app in your IdP
    * **Check Name ID** — Verify Name ID is set to email/EmailAddress format in your IdP
    * **Verify email domain** — User emails must match the verified domain exactly
    * **Check user provisioning** — Users may need to be invited to the Krea workspace first
  </Accordion>

  <Accordion title="Getting 'Invalid SAML response' error">
    * **Clock skew** — Ensure your IdP server's clock is accurate (within 5 minutes of actual time)
    * **Assertion conditions** — Check that the SAML assertion's NotBefore/NotOnOrAfter conditions are valid
    * **Signature issues** — Verify the correct certificate is being used
  </Accordion>

  <Accordion title="Redirect loop or blank page">
    * **Clear cookies** — Clear all Krea-related cookies and try again
    * **Check ACS URL** — Ensure there are no typos in the ACS URL configured in your IdP
    * **Verify domain** — Confirm the domain verification is still active
  </Accordion>
</AccordionGroup>
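
The checks in the troubleshooting list above (ACS URL, Name ID format, email domain, audience, and the NotBefore/NotOnOrAfter window with 5 minutes of clock skew) can be run against a captured response with a short script. This is an added example, not Krea's code or its actual validation logic; `check_response`, `sample`, the constructed unsigned response and the `acme.com` domain are assumptions, and the assertion is assumed to be unencrypted.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Service provider values from Step 1 of this guide.
ACS_URL = "https://superb.krea.ai/auth/v1/sso/saml/acs"
ENTITY_ID = "https://superb.krea.ai/auth/v1/sso/saml/metadata"
NS = {"a": "urn:oasis:names:tc:SAML:2.0:assertion"}
SKEW = timedelta(minutes=5)  # clock tolerance named in the troubleshooting list
# Constructed, unsigned sample response (hypothetical user and timestamps).
SAMPLE = """<p:Response xmlns:p="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:a="urn:oasis:names:tc:SAML:2.0:assertion" Destination="{acs}">
<a:Assertion><a:Subject><a:NameID
 Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">you@acme.com</a:NameID>
</a:Subject><a:Conditions NotBefore="2024-01-01T12:00:00Z"
 NotOnOrAfter="2024-01-01T12:10:00Z"><a:AudienceRestriction>
<a:Audience>{aud}</a:Audience></a:AudienceRestriction></a:Conditions>
</a:Assertion></p:Response>"""

def sample(acs=ACS_URL, aud=ENTITY_ID):
    """Base64-encode the constructed sample, as a SAMLResponse form value would be."""
    return base64.b64encode(SAMPLE.format(acs=acs, aud=aud).encode()).decode()

def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_response(b64_response, domain, now=None):
    """List configuration problems in a SAMLResponse; does NOT verify the signature."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(base64.b64decode(b64_response))
    problems = []
    if root.get("Destination") != ACS_URL:  # also catches a trailing slash
        problems.append("Destination is missing or is not the ACS URL")
    name_id = root.find(".//a:Subject/a:NameID", NS)
    if name_id is None or not name_id.get("Format", "").endswith(":emailAddress"):
        problems.append("NameID format is not emailAddress")
    elif not (name_id.text or "").strip().lower().endswith("@" + domain.lower()):
        problems.append("NameID email is outside the verified domain")
    cond = root.find(".//a:Conditions", NS)
    if cond is None:
        return problems + ["Assertion has no Conditions element"]
    if ENTITY_ID not in [a.text for a in cond.findall(".//a:Audience", NS)]:
        problems.append("Audience does not include the Entity ID")
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if nb and now + SKEW < _ts(nb):
        problems.append("Assertion not yet valid (NotBefore is in the future)")
    if noa and now - SKEW >= _ts(noa):
        problems.append("Assertion expired (NotOnOrAfter has passed)")
    return problems
```

To use it on a real login, pass the `SAMLResponse` form value that the browser posts to the ACS URL during the Step 4 test, together with your verified domain. Treat captured responses as credentials and delete them after debugging.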

## Managing SSO

### Viewing SSO Status

1. Go to [Workspace Settings ↗](https://www.krea.ai/settings/workspace-settings)
2. Scroll to the **Domain Management** section
3. The SSO card shows:
   * **Enabled** status with a green indicator
   * Your verified **domain**
   * **Configure** button to modify settings

### Updating IdP Metadata

If you need to update your IdP metadata (e.g., after certificate rotation):

1. Go to [Workspace Settings ↗](https://www.krea.ai/settings/workspace-settings)
2. In the **Domain Management** section, click **Configure** on the SSO card
3. Update the metadata URL or XML
4. Click **Save changes**

### Disabling SSO

<Warning>
  Disabling SSO will require all users to log in with email and password. Make sure users have passwords set before disabling.
</Warning>

1. Go to [Workspace Settings ↗](https://www.krea.ai/settings/workspace-settings)
2. In the **Domain Management** section, click **Configure** on the SSO card
3. Click **Disable SSO** at the bottom of the modal
4. Confirm the action

## Need Help?

<CardGroup cols={2}>
  <Card title="Enterprise Support" icon="headset" href="mailto:support@krea.ai">
    Contact our enterprise support team at **[support@krea.ai](mailto:support@krea.ai)**
  </Card>

  <Card title="Sales Team" icon="envelope" href="mailto:sales@krea.ai">
    Questions about Enterprise plans? Email **[sales@krea.ai](mailto:sales@krea.ai)**
  </Card>
</CardGroup>
