Enterprise workspaces can require members to sign in through your own identity provider using SAML single sign-on (SSO). This article covers the general setup; provider-specific walkthroughs are linked at the end.
What you need
- Admin access to your Backvera workspace and to your identity provider.
- An identity provider that supports SAML 2.0 – such as Okta, Microsoft Entra ID (Azure AD), Google Workspace, or OneLogin.
Step 1 – Open the SSO wizard in Backvera
Go to Settings > SSO and start the SAML wizard. Keep it open – you will copy values back and forth between Backvera and your identity provider.
Step 2 – Give your identity provider Backvera’s details
Backvera generates the Service Provider (SP) values to paste into your identity provider:
- SP Entity ID – paste this as the Audience / Entity ID.
- ACS (Reply) URL – the assertion consumer / reply URL.
- Metadata URL – or download the metadata XML and import it into your IdP.
Step 3 – Give Backvera your identity provider’s details
From your identity provider, paste back into Backvera:
- IdP Entity ID – the identity provider’s issuer.
- IdP SSO URL – the sign-on URL.
- X.509 certificate (PEM) – the identity provider’s signing certificate, which Backvera uses to verify SAML responses.

Step 4 – Map groups to roles
In the Group mappings section, add a mapping for each identity-provider group: enter the IdP group name (an exact, case-sensitive match against your assertion’s group claim) and pick the Backvera role to grant. The roles are chosen from a list – Admin, Global view, or Project (with admin or view per project) – so you never type or guess role names. A priority decides which mapping wins when a member is in more than one mapped group (higher wins). See roles for what each grants.
Step 5 – Enable and test
Save and enable the configuration, then test it by signing in through the SSO page.
How members sign in
Members go to the Sign in with SSO page and enter your workspace slug, then authenticate with your identity provider. When force-SSO is enabled, it governs sign-in for the whole workspace.
Require SSO for everyone (force SSO)
By default, SSO is an additional way for members to sign in. Turn on force SSO for the workspace to require it: every member must sign in through your identity provider, and email-and-password (and social) login is switched off for them. Anyone who tries another method is redirected to sign in with SSO.
The workspace Owner is always exempt. The Owner keeps email-and-password login as a recovery path, so a misconfigured or unavailable identity provider can never lock your whole workspace out. Keep the Owner account secure with a strong password and two-factor authentication.
Provider-specific guides
Still need help? Email our team at [email protected].