With single sign-on (SSO) via SAML, your employees sign in to seven using your company identity provider (IdP) - for example Microsoft Entra ID, Okta, Google Workspace or Keycloak. You set up an SSO configuration for an email domain once. After that, every employee with that domain can sign in through your company's central login.
SSO is aimed at business customers who want to manage access centrally through their own IdP. If you would rather simply sign in without a password using a Google, GitHub or Microsoft account, signing in with Google, GitHub or Microsoft is the right option.
Requirements
- You need the Owner or Administrator role to configure SSO.
- Your company runs a SAML 2.0 capable identity provider.
- You have access to the DNS settings of the email domain you want to use for SSO. Public email providers (e.g. gmail.com) are not allowed.
Setting up SSO
You will find the configuration under Settings → SSO (SAML). The setup consists of three steps: register the service provider details with your IdP, enter your identity provider at seven, and verify the domain.
1. Register the service provider details with your IdP
The Service provider details (seven) section contains the values you register in your identity provider as a new application (service provider):
- SP entity ID - the unique identifier of seven as a service provider.
- ACS URL (assertion consumer service) - the address your IdP posts the sign-in response back to.
- Metadata URL - alternatively, many identity providers can import the service provider details automatically from this URL.
Use the buttons next to the fields to copy the values to your clipboard.
2. Enter your identity provider
In the Identity provider (IdP) section, enter your IdP details:
- Email domain - the domain whose employees may sign in via SSO, for example
company.com. - IdP entity ID - the identifier of your identity provider.
- IdP single sign-on URL - the sign-in URL of your IdP (must start with
https://). - IdP signing certificate (X.509) - the public certificate your IdP uses to sign sign-in responses.
You also decide whether unknown employees are created as members automatically on their first sign-in (see Automatic member creation) and which default role they receive.
Then click Save changes.
3. Verify the domain
After saving, the Domain verification section appears. As long as the domain is not verified, SSO sign-in does not work yet - this ensures that only the actual owner of a domain can enable SSO for it.
Add the displayed TXT record to your domain's DNS and click Verify now. As soon as we find the record, the configuration is marked as verified and SSO is active.
DNS changes can take some time to propagate worldwide. The check then continues automatically every day, but you can also trigger it yourself at any time via Verify now.
Signing in as an employee
Once the domain is verified, your employees sign in as follows:
- Open the sign-in page
dashboard.seven.io. - Click the SSO button below the sign-in form.
- Enter the work email address (e.g.
name@company.com).
seven then forwards the employee to your company's login. After a successful sign-in at the IdP, they land directly in the dashboard.
Alternatively, you can provide your employees internally with the direct link dashboard.seven.io/sso/company.com (using your domain), which starts the sign-in immediately.
Automatic member creation
If automatic member creation is enabled, an employee signing in via SSO for the first time is automatically created as an account member with the configured default role. This means you do not have to invite new employees individually.
If the option is disabled, only employees you have previously added as members can sign in.
People signing in via SSO are always members of your account - they do not get a standalone account. If an employee leaves the company and is deactivated in your IdP, their access to seven ends as well.
Ongoing domain verification
We check the DNS record of your verified domains automatically on a regular basis. If the TXT record is missing for several days, we notify the owner and administrators by email and then disable SSO for the domain. Until then, you have time to restore the record. After restoring it, you can verify the domain again at any time.
Frequently asked questions
Signing in shows "No SSO is configured for this email domain". Check whether the entered email domain exactly matches the configured domain and whether the domain has already been verified.
An employee already has their own seven account with their company email. Can they sign in via SSO? Not automatically. If an email address already belongs to a standalone account or to a member of a different account, the SSO sign-in is rejected - this protects existing accounts from an unintended takeover. Only people who are already members of your account (or newly added when automatic member creation is enabled) can sign in via SSO seamlessly. If employees previously registered themselves with their company email, their existing account first has to be removed or merged. Please contact our support for that.
Does two-factor authentication still apply? Yes. Security mechanisms such as enforced two-factor authentication or the IP whitelist for login also apply when signing in via SSO.
Can a domain be used by several accounts? No. An email domain can only be assigned to one seven account.
What is the difference from signing in with Google, GitHub or Microsoft? With signing in with Google, GitHub or Microsoft, an individual person signs in with their personal account. SSO via SAML is set up centrally by the company for an entire domain and controls access through its own identity provider.