SAML SSO setup
Configure SAML single sign-on for MailSlurp organizations using your identity provider (IdP) such as Okta, Azure AD / Entra ID, Active Directory, or Cognito.
Use this page when you are:
- Enabling SSO for a team organization.
- Disabling email-login flows and enforcing IdP-based access.
- Configuring provider metadata and certificate settings.
For organization structure, roles, and governance patterns see:
Before you start
- Ensure your subscription plan supports SAML sign-in.
- Create the target organization in the MailSlurp dashboard.
- Confirm your IdP admin has permission to create and configure enterprise applications.
Setup steps
1. Upgrade account for SSO
Ensure you have a plan that supports SAML sign-in or follow the upgrade guide if you don't.
2. Create an organization
Create an organization in the MailSlurp app.
3. Open SAML settings for the organization
Click the SAML settings tab on the organization overview:

Or click the configure SAML link in the access portal card:

4. Add service provider data to your IdP
Create an application or service provider in your identity provider using MailSlurp service provider data. You can copy values directly from the dashboard or download XML metadata and upload it to your IdP.

In Okta, service provider details are added like this:

Then complete SAML field configuration:

5. Copy IdP SAML data back into MailSlurp
Retrieve IdP SAML configuration values (issuer URL, login URL, certificate, etc.) from your provider and paste them into MailSlurp SAML settings.
In Okta, setup data can be located like this:

Typical IdP setup values:

MailSlurp SAML configuration with IdP values:

6. Verify all entries carefully
Make sure provider values match exactly. Configure AuthnContext and digest/signature algorithms as required by your IdP policy.
7. Save and test login
Save SAML settings and test login from the organization page:
Login flows
- IdP initiated login via your identity provider app tile.
- SP initiated login via https://enterprise.mailslurp.com/login?slug=[YOUR_SLUG].
- Organization finder fallback via https://app.mailslurp.com/organization/[YOUR_SLUG] (if enabled).
Service provider reference
Configure your application integration in your identity provider with these SAML endpoints. Add your organization slug where indicated.
| Name | Value |
|---|---|
| Provider name | mailslurp |
| Name ID format | urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress |
| Audience URI (service provider entity ID) | mailslurp-enterprise |
| Service provider metadata XML | https://enterprise.mailslurp.com/metadata?slug=[YOUR_SLUG] |
| Assertion consumer service endpoint (ACS URL, Redirect) | https://enterprise.mailslurp.com/saml/[YOUR_SLUG]/ |
| Assertion consumer service endpoint (ACS URL, POST) | https://enterprise.mailslurp.com/saml/[YOUR_SLUG]/ |
Provider notes
Okta
- See the Okta guide
Azure AD / Entra ID
You can configure Active Directory via Azure AD / Entra ID enterprise applications.
Open Entra ID in the Azure portal:

Add a non-gallery application:

On overview choose Set up single sign on:

Select SAML SSO:

Add MailSlurp service provider values:

Then copy IdP values from Azure / Entra ID into MailSlurp SAML settings.
Tips:
- SP binding is HTTP_POST.
- SAML 2.0 endpoint is typically https://login.microsoftonline.com/<YOUR_TENANT_ID>/saml2.
- Identity provider issuer URL is typically https://sts.windows.net/<YOUR_ID>/.
- Use SHA256 for digest and signature where required.
- Provision users in AD/Entra and launch through the configured app.
Troubleshooting checklist
- Verify org slug matches the configured provider app.
- Confirm certificate is valid and unexpired.
- Check NameID format and identifier mapping in both IdP and MailSlurp.
- Ensure user is assigned to the IdP app.
- If you plan to disable email login, test the SAML flow first to avoid lockout.
- Contact support if assertion validation still fails after config verification.
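
A check for the mismatches in the checklist above, as an added example (not MailSlurp code): it decodes a base64 SAMLResponse captured during a test login and compares it with the service provider reference values on this page. The function names, the slug `acme-team` and the sample response are constructed for illustration, and it assumes your policy requires SHA-256; it does not verify the signature or the certificate.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Expected values from the service provider reference table on this page.
AUDIENCE = "mailslurp-enterprise"
NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
ACS_TEMPLATE = "https://enterprise.mailslurp.com/saml/{slug}/"

def check_saml_response(b64_response, slug):
    """List config mismatches in a captured SAMLResponse (no signature check)."""
    acs = ACS_TEMPLATE.format(slug=slug)
    # Only feed this responses captured from your own IdP during testing.
    root = ET.fromstring(base64.b64decode(b64_response))
    problems = []
    if root.get("Destination") != acs:
        problems.append(f"Destination {root.get('Destination')!r} is not {acs!r}")
    audience = root.findtext(".//saml:Audience", default="", namespaces=NS).strip()
    if audience != AUDIENCE:
        problems.append(f"Audience {audience!r} is not {AUDIENCE!r}")
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    fmt = name_id.get("Format") if name_id is not None else None
    if fmt != NAMEID_FORMAT:
        problems.append(f"NameID Format {fmt!r} is not {NAMEID_FORMAT!r}")
    for tag in ("SignatureMethod", "DigestMethod"):
        for el in root.iterfind(f".//ds:{tag}", NS):
            # Algorithm URIs for RSA/ECDSA-SHA256 and the SHA-256 digest end in "sha256".
            if not (el.get("Algorithm") or "").endswith("sha256"):
                problems.append(f"{tag} uses {el.get('Algorithm')!r}, not SHA-256")
    return problems

def sample_response(dest, audience, fmt, sig_alg):
    """Constructed, unsigned sample with the structure of a SAML 2.0 Response."""
    xml = (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
           f'xmlns:ds="{NS["ds"]}" Destination="{dest}"><saml:Assertion>'
           f'<ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="{sig_alg}"/>'
           f'<ds:Reference><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>'
           f'</ds:Reference></ds:SignedInfo></ds:Signature>'
           f'<saml:Subject><saml:NameID Format="{fmt}">user@example.com</saml:NameID></saml:Subject>'
           f'<saml:Conditions><saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>'
           f'</saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()

if __name__ == "__main__":
    bad = sample_response("https://enterprise.mailslurp.com/saml/other-team/", "mailslurp",
                          "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
                          "http://www.w3.org/2000/09/xmldsig#rsa-sha1")
    for problem in check_saml_response(bad, "acme-team"):
        print("MISMATCH:", problem)
```

An empty result means the captured response agrees with the reference table for that slug; it says nothing about whether the assertion's signature validates.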