To manage the Members of your Team through a third-party identity provider like Okta or Auth0, you can set up the SAML Single Sign-On feature in the Team Settings.

For this, your Team must be on the Enterprise plan and you must be an Owner.

Afterwards, all Team Members will be able to log in using your identity provider (which you can also enforce), and, just like with the Team Email Domain feature, any new users signing up with SAML will automatically be added to your Team.

If needed, you can then also automatically issue Personal Accounts with specific roles within your Team by setting up Directory Sync.

Configuring SAML SSO

First, navigate to your Team Settings from the Dashboard tabs:

Selecting the Settings tab from the dashboard.

Select the Security section in the sidebar:

Selecting the Security menu item from the Team Settings page.

Here, you can configure SAML SSO for your Team:

The SAML SSO settings for a Team.

Clicking "Configure" will open a walkthrough that helps you configure SAML SSO for your Team with your Identity Provider.

Some of the many SAML SSO providers supported in the configuration walkthrough.

After completing the steps of the configuration walkthrough, SAML will be successfully configured for your Team.

Authenticating with SAML SSO

Once you have configured SAML, your Team Members can use SAML SSO to log in or sign up to Vercel. Click "Continue with SAML SSO" on the authentication page, then enter your Team's slug.

Your Team slug is the identifier in the URLs for your Team. e.g. vercel.com/acme is acme.

Logging in with SAML SSO for a Team.

Click "Continue with SAML SSO" again and you will be redirected to your third-party authentication provider to finish authenticating. Once completed, you will be logged into Vercel.

SAML SSO sessions last for 24 hours before users must re-authenticate with the third-party SAML Provider (unless Directory Sync is configured).

Enforcing SAML

For additional security, SAML SSO can be enforced for a Team so that all Team Members cannot access any Team information unless their current session was authenticated with SAML SSO.

You can only enforce SAML SSO for a Team if your current session was authenticated with SAML SSO. This ensures that your configuration is working properly before tightening access to your Team information, as you could otherwise lose access to the Team.

SAML SSO configured and enforced.

Note: When modifying your SAML Configuration, the option for enforcing will automatically be turned off. Please verify your new configuration is working correctly by re-authenticating with SAML SSO before re-enabling the option.

Directory Sync

Directory Sync helps Teams manage their organization membership from a third-party identity provider like Google Directory or Okta. Like SAML, Directory Sync is only available for Enterprise Teams and can only be configured by Team Owners.

When Directory Sync is configured, changes to your Directory Provider will automatically be synced with your Vercel Team Members. For example, if a new user is added to your Okta directory, that user will automatically be invited to join your Vercel Team. If a user is removed, they will automatically be removed from the Vercel Team.

You can configure a mapping between your Directory Provider's groups and a Vercel Team role. For example, your "Engineers" group on Okta can be configured with the Member role on Vercel, and your "Admin" group can use the Owner role.

Configuring Directory Sync

First, navigate to your Team Settings from the Dashboard tabs:

Selecting the Settings tab from the dashboard.

Select the Security section in the sidebar:

Selecting the Security menu item from the Team Settings page.

Here, you can configure Directory Sync for your Team:

The Directory Sync settings for a Team.

Clicking "Configure" will open a walkthrough that helps you configure Directory Sync for your Team with your Directory Provider.

Some of the many Directory Providers supported in the configuration walkthrough.

After completing the steps of the configuration walkthrough, configure how Directory Groups should map to Vercel Team roles:

Setting the Okta Admins group as Vercel Owners and the Engineers group asVercel Members.

Finally, an overview of all synced members is shown before you complete the syncing:

An overview of Team Owners and Members that will be added.

Once confirmed, Directory Sync will be successfully configured for your Vercel Team.