
How to Configure Single Sign-On (SSO)

A step-by-step guide for IT teams to enable SAML 2.0 single sign-on for SINAI using your existing identity provider.

Updated over a month ago

SINAI supports Single Sign-On (SSO) using SAML 2.0. Any SAML-compliant identity provider can be used, including Microsoft Entra ID (Azure AD), Okta, Google Workspace, Ping Identity, and OneLogin.


Once enabled, users can sign in to SINAI using their existing corporate credentials managed through your identity provider. Users can authenticate either from their identity provider portal or through the SINAI login page.


Requirements

Before starting, make sure:

  • Your organization has a SAML 2.0 identity provider

  • Your IT team can create new SAML applications

  • Your team can share identity provider metadata with SINAI (metadata URL or XML file)

⚠️ If your identity provider supports multiple email domains (e.g., sinai.com and sinaitechnologies.com), you will need to let SINAI know which domains should be enabled for SSO.

Each email domain can be associated with only one SINAI organization.

If users from the same domain need to access multiple SINAI organizations, please inform SINAI before configuring SSO.


1. Contact SINAI to start SSO setup

Contact your SINAI Climate Success Manager to begin SSO configuration.

SINAI will provide the required SAML configuration details, including:

  • Service Provider Entity ID

  • Assertion Consumer Service (ACS) URL

  • Required attribute mappings


2. Create a SAML application in your identity provider

Create a new SAML application in your identity provider using the configuration details provided by SINAI.

During this step you will typically:

  • Configure the Entity ID and ACS URL

  • Set up user attribute mappings

  • Assign users or groups who should have access to SINAI


3. Configure attribute mappings

Your identity provider may refer to these as attributes, claims, or SAML assertions.

SINAI requires the following user attributes:

  • email

  • given_name

  • family_name

If your identity provider uses different attribute names, SINAI can help confirm the correct mapping during testing.


4. Send identity provider metadata to SINAI

Once your identity provider configuration is complete, provide SINAI with your identity provider metadata.

You can send either:

  • Identity Provider Metadata URL (preferred)

  • Metadata XML file

SINAI will use this information to establish the trust relationship between your identity provider and the SINAI platform.


5. Test the SSO connection

⚠️ SINAI recommends performing live testing with your IT team on a call to validate the configuration.

During testing, we will:

  • Confirm the SSO login flow works

  • Verify user attributes are passed correctly

  • Troubleshoot any configuration issues if needed

Once testing is complete, SSO can be enabled for your organization.


Supported Identity Providers

SINAI works with any SAML 2.0 identity provider, including:

  • Microsoft Entra ID (Azure AD)

  • Okta

  • Google Workspace

  • Ping Identity

  • OneLogin

  • Auth0

Other providers should work as long as they support standard SAML 2.0 authentication.


User access and account creation

Users must have an existing SINAI user account before they can sign in using SSO.

To grant access:

  1. Create the user in SINAI using their corporate email address, or

Once SSO is enabled, users assigned to the SINAI SAML application in your identity provider will be able to authenticate using their corporate credentials.

If a user attempts to sign in but does not have a SINAI account, they will not be able to access the platform.


Troubleshooting SSO login issues

If users cannot sign in after SSO is enabled, the following checks may help:

Verify attribute mappings

Confirm your identity provider is sending the required attributes:

  • email

  • given_name

  • family_name

The email value must match the user's SINAI account email address.


Confirm the user is assigned to the SAML application

Most identity providers require users or groups to be assigned to the application before they can authenticate.

If a user is not assigned, the identity provider may block login.


Check domain configuration

Ensure the user's email domain matches the domain configured for your SINAI organization.
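The attribute-mapping and domain checks above can be run against a SAMLResponse captured during testing. The script below is an added example, not SINAI's or any identity provider's code. It assumes the HTTP-POST binding with an unencrypted assertion; the sample response and the example.com domain are constructed; and it only inspects attributes, without validating the signature.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED = ("email", "given_name", "family_name")  # attribute names SINAI requires

# Constructed sample: the IdP sends a URI-named surname claim instead of family_name.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion><saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>ana@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="given_name"><saml:AttributeValue>Ana</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
      <saml:AttributeValue>Silva</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement></saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()


def read_attributes(saml_response_b64):
    """Decode a base64 SAMLResponse form field and return {attribute name: [values]}."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def check_attributes(attrs, sso_domains):
    """Return a list of problems; an empty list means both checks passed."""
    problems = []
    for name in REQUIRED:
        if not any(attrs.get(name, [])):
            problems.append(f"missing or empty attribute: {name}")
    for email in attrs.get("email", []):
        domain = email.rpartition("@")[2].lower()
        if email and domain not in sso_domains:
            problems.append(f"email domain not enabled for SSO: {domain}")
    # When something is wrong, list what the IdP actually sent to help fix the mapping.
    extra = sorted(set(attrs) - set(REQUIRED))
    if problems and extra:
        problems.append("other attribute names sent: " + ", ".join(extra))
    return problems


if __name__ == "__main__":
    for line in check_attributes(read_attributes(SAMPLE_B64), {"example.com"}):
        print(line)
```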


Contact SINAI if you are locked out

If SSO configuration prevents users from signing in, SINAI can temporarily disable SSO so users can log in using email and password while the issue is resolved.


Still need help?


If you need assistance with SSO configuration, contact your Climate Success Manager. SINAI is happy to coordinate directly with your IT team during setup and testing.
