SSO is a feature only available for Airtable Enterprise payment plans. If you are interested in inquiring about enterprise pricing, you can contact us here.
This article is intended for administrators setting up SSO for their teams. Before adding your SSO metadata (sign-in URL and x509 certificate) via the admin panel, you need to first retrieve it from your SSO identity provider, following one of the following articles:
- Then, go to the admin panel and click on the "settings" tab. There, you should see a section called "SSO configuration" under which you can add or edit SSO identity provider metadata for each of the email domains federated under your enterprise account:
- Click "edit identity provider metadata" to edit the metadata of an identity provider. You can only do so when SSO is in optional mode, to prevent locking users out. You can toggle SSO between optional and required mode using the buttons "make SSO optional" and "require SSO and log out all sessions", respectively:
Troubleshooting / common issues
-
The NameID must be the user’s email address
-
The NameID format can be EmailAddress or unspecified
-
After editing your identity provider metadata, the changes may take up to 5 minutes to take effect.
-
You can only add identity provider metadata for email domains federated under your enterprise account.
-
We only allow one set of identity provider metadata per email domain, globally. This means that if another enterprise account has already provided identity provider metadata for one of your email domains, you will need to talk to the admins of that account if you want to change the metadata.
-
If you are trying to switch SSO from optional mode to required mode for your own email domain after editing the SSO identity provider metadata, we require that you verify that the metadata values you've provided are correct, by first logging out and logging back in using SSO.