SAML Single Sign-On

Learn how to configure SAML SSO for your organization on Vercel.
Table of Contents

SAML is available on Enterprise plans

Those with the owner role can access this feature

To manage the members of your team through a third-party identity provider like Okta or Auth0, you can set up the Security Assertion Markup Language (SAML) feature from your team's settings.

Once enabled, all team members will be able to log in, or access Preview and Production Deployments, using your selected identity provider and, similar to the team email domain feature, any new users signing up with SAML will automatically be added to your team.

If needed, you can also automatically assign a users Hobby team with a specific role within your team by setting up Directory Sync.

The SAML SSO settings for a Team.
The SAML SSO settings for a Team.
  1. To configure SAML SSO for your team, you must be an owner of the team
  2. From your dashboard, ensure your team is selected in the scope selector
  3. Navigate to the Settings tab and select Security & Privacy
  4. Navigate to the SAML Single Sign-On section. Click Configure and follow the walkthrough to configure SAML SSO for your team with your identity provider of choice
  5. As a further step, you may want to enforce SAML SSO for your team

Do you need to enable SAML SSO for your team?

This feature is available on the Enterprise plan

Contact Sales

For additional security, SAML SSO can be enforced for a team so that all team members cannot access any team information unless their current session was authenticated with SAML SSO.

  1. To enforce SAML SSO for your team, you must be an owner and currently be authenticated with SAML SSO. This ensures that your configuration is working properly before tightening access to your team information
  2. From your dashboard, navigate to the Settings tab and select Security & Privacy. Then go to the SAML Single Sign-On section
  3. Toggle the Require Team Members to login with SAML switch to Enabled
SAML SSO configured and enforced.
SAML SSO configured and enforced.

When modifying your SAML configuration, the option for enforcing will automatically be turned off. Please verify your new configuration is working correctly by re-authenticating with SAML SSO before re-enabling the option.

Once you have configured SAML, your team members can use SAML SSO to log in or sign up to Vercel. To login:

  1. Select the Continue with SAML SSO button on the authentication page, then enter your team's URL. Your team slug is the identifier in the URLs for your team. For example, the identifier for vercel.com/acme is acme.
  2. Select Continue with SAML SSO again to be redirected to the third-party authentication provider to finish authenticating. Once completed, you will be logged into Vercel.

SAML SSO sessions last for 24 hours before users must re-authenticate with the third-party SAML provider (unless Directory Sync is configured).

You can choose to share a Vercel login page that only shows the option to log in with SAML SSO. This prevents your team members from logging in with an account that's not managed by your identity provider.

To use this page, you can set the saml query param to your team URL. For example:

https://vercel.com/login?saml=team_id
Vercel's login page showing only the SAML SSO login button.
Vercel's login page showing only the SAML SSO login button.

Vercel is SCIM compliant and therefore when a user is removed from your SAML provider, they are automatically offboarded from Vercel.

Vercel supports the following third-party SAML providers:

Last updated on September 26, 2024