Skip to content
SAML SSO
4 min read

SAML Single Sign-On

Table of Contents
Choose a framework to optimize documentation to:

    SAML is available on Enterprise plans

    Those with the owner role can access this feature

    To manage the members of your team through a third-party identity provider like Okta or Auth0, you can set up the Security Assertion Markup Language (SAML) feature from the team settings.

    To enable this feature, the team must be on the Enterprise plan and you must hold an owner role.

    All team members will be able to log in using your identity provider (which you can also enforce), and similar to the team email domain feature, any new users signing up with SAML will automatically be added to your team.

    If needed, you can then also automatically assign a users Hobby account with a specific role within your team by setting up Directory Sync.

    The SAML SSO settings for a Team.
    The SAML SSO settings for a Team.

    Configuring SAML SSO

    SAML can be configured from the team settings, under the SAML Single Sign-On section. Clicking Configure will open a walkthrough that helps you configure SAML SSO for your team with your identity provider of choice.

    After completing the steps, SAML will be successfully configured for your team.

    Do you need to enable SAML SSO for your team?

    This feature is available on the Enterprise plan

    Contact Sales

    Authenticating with SAML SSO

    Once you have configured SAML, your team members can use SAML SSO to log in or sign up to Vercel. Click "Continue with SAML SSO" on the authentication page, then enter your team's slug.

    Your team slug is the identifier in the URLs for your team. For example, the identifier for vercel.com/acme is acme.

    Logging in with SAML SSO for a Team.
    Logging in with SAML SSO for a Team.

    Click Continue with SAML SSO again and you will be redirected to your third-party authentication provider to finish authenticating. Once completed, you will be logged into Vercel.

    SAML SSO sessions last for 24 hours before users must re-authenticate with the third-party SAML provider (unless Directory Sync is configured).

    Customizing the login page

    You can customize your Vercel login page which only shows the option to log in with the SAML SSO button. This prevents your team members from logging in with an account that's not managed by your identity provider.

    Vercel's login page showing only the SAML SSO login button.
    Vercel's login page showing only the SAML SSO login button.

    To use this page, you can set the saml query param to https://vercel.com/login?saml=team_id.

    Enforcing SAML

    For additional security, SAML SSO can be enforced for a team so that all team members cannot access any team information unless their current session was authenticated with SAML SSO.

    You can only enforce SAML SSO for a team if your current session was authenticated with SAML SSO. This ensures that your configuration is working properly before tightening access to your team information, this prevents lose of access to the team.

    SAML SSO configured and enforced.
    SAML SSO configured and enforced.
    When modifying your SAML configuration, the option for enforcing will automatically be turned off. Please verify your new configuration is working correctly by re-authenticating with SAML SSO before re-enabling the option.

    De-provisioning team members

    Vercel is SCIM compliant and therefore when a user is removed from your SAML provider, they are automatically offboarded from Vercel.

    Last updated on November 30, 2023
    Previous
    Access Control
    Next
    HTTPS/SSL
    Choose a framework to optimize documentation to: