Overview

This guide explains how to configure SAML 2.0 authentication for your env zero organization using the self-service SSO configuration. You can use this with any SAML-compatible identity provider.

Prerequisites

Edit Organization Settings permission is required to configure SSO.
Before proceeding, ensure you’ve accessed the SSO configuration in Organization Settings > SSO tab and selected SAML as described in the Self-Service SSO Integration guide.

Required SAML Settings

Configure the following in your SAML identity provider:
  • ACS URL (Assertion Consumer Service URL): https://login.app.env0.com/login/callback?connection={YOUR_ENV0_ORG_ID}
    • Replace {YOUR_ENV0_ORG_ID} with your organization ID (found in Organization > Settings tab)
  • Entity ID / Audience URL: urn:auth0:env0:{YOUR_ENV0_ORG_ID}
    • Replace {YOUR_ENV0_ORG_ID} with your organization ID
  • Name ID Format: Unspecified or urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified

Required Attribute Mappings

Configure the following attribute mappings in your SAML provider:
| Attribute Name | Description | Required |
| --- | --- | --- |
| email | User’s email address | Yes |
| firstName | User’s first name | Yes |
| lastName | User’s last name | Yes |
| name | User’s full name | Yes |
| groups or teams | User’s group/team membership (for team syncing) | No |
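
A pre-flight check for the SAML settings and attribute mappings above, added here as an example and not env zero's own code: it parses a decoded test assertion from your IdP and reports mismatches against the ACS URL, the audience and the required attributes. The function names, the org ID `ORG123` and the sample assertion are constructed for illustration, and the check does not verify the assertion's signature.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED_ATTRS = ("email", "firstName", "lastName", "name")  # from the table above
GROUP_ATTRS = ("groups", "teams")                            # optional, team syncing

def read_attributes(root):
    """Map each saml:Attribute Name to its list of non-empty values."""
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(v for v in values if v)
    return attrs

def check_assertion(xml_text, org_id):
    """Return (problems, groups) for a decoded test assertion. No signature check."""
    root = ET.fromstring(xml_text)
    problems = []
    want_aud = f"urn:auth0:env0:{org_id}"
    want_acs = f"https://login.app.env0.com/login/callback?connection={org_id}"
    audiences = [(a.text or "").strip() for a in root.iterfind(".//saml:Audience", NS)]
    if want_aud not in audiences:
        problems.append(f"Audience {audiences} does not include {want_aud}")
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient") if scd is not None else None
    if recipient != want_acs:
        problems.append(f"Recipient {recipient!r} is not {want_acs}")
    attrs = read_attributes(root)
    for name in REQUIRED_ATTRS:
        if not attrs.get(name):
            problems.append(f"missing required attribute {name!r}")
    groups = sorted({g for n in GROUP_ATTRS for g in attrs.get(n, [])})
    return problems, groups

# Constructed sample assertion; org id "ORG123" and all values are made up.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Subject><saml:SubjectConfirmation>
  <saml:SubjectConfirmationData Recipient="https://login.app.env0.com/login/callback?connection=ORG123"/>
 </saml:SubjectConfirmation></saml:Subject>
 <saml:Conditions><saml:AudienceRestriction><saml:Audience>urn:auth0:env0:ORG123</saml:Audience></saml:AudienceRestriction></saml:Conditions>
 <saml:AttributeStatement>
  <saml:Attribute Name="email"><saml:AttributeValue>a.user@example.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="firstName"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="name"><saml:AttributeValue>Ada User</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="groups"><saml:AttributeValue>platform</saml:AttributeValue><saml:AttributeValue>sre</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""
if __name__ == "__main__":
    print(check_assertion(SAMPLE, "ORG123"))
```

The sample deliberately omits `lastName`, so the check reports one problem and returns the two group names that team syncing would receive.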

Completing the Self-Service Form

1. Configure SAML Application

Set up the SAML application in your identity provider using the required SAML settings and attribute mappings above.

2. Enter Provider Details

In the env zero self-service form, enter:
  • Identity Provider Single Sign-on URL (SSO URL)
  • X.509 Certificate (download from your identity provider)

3. Complete Configuration

Complete the remaining steps in the self-service form and save your configuration.

Provider-Specific Guides

For detailed setup instructions for specific SAML providers, see:
We support all SAML providers. If yours is not listed, follow the general configuration above, or contact [email protected] for assistance.

Teams Syncing

Teams will be synced each time a user logs in with the following logic:
  1. env zero will create a new team if one doesn’t exist based on the group name received from the SAML provider.
  2. If the team exists in env zero, we will not create a new team.
  3. We will assign the user to all the teams in env zero based on the group names they are part of in the SAML provider.
  4. If the user was removed from a group in the SAML provider, we will remove them from the team in env zero.
Learn more: Sync Roles & Groups From Your IdP