An overview of SAML single sign-on (SSO) for your organization

Note

If you are on our Teams plan and would like to add single sign-on (SSO) features to your Calendly account, you can do so from your billing page. The SSO add-on costs $3 per user, per month. 

Single sign-on (SSO) offers a simple and secure way for users to access Calendly. With SSO enabled, users can authenticate with their corporate credentials. From a security standpoint, this eliminates weak password use, reduces the need to remember passwords, and provides more control.

Calendly supports Security Assertion Markup Language (SAML) for single sign-on, and supports any enterprise identity provider (IdP) using the SAML 2.0 protocol.

Features

Supported features

  • Service Provider Initiated SSO (SP-initiated) : Users can log in to calendly.com, and your IdP will authenticate the user.

  • Identity Provider Initiated SSO (IdP-initiated): Users can log in to your IdP and select the Calendly app.

Non-supported features

  • Just-in-Time (JIT) provisioning is not supported. You can provision users via SCIM. 

Who can enable SSO

Typically, an IT admin is the best person to set up SCIM. To enable SCIM, you will need to use a Calendly Enterprise account that belongs to an owner or admin. 

How to enable SSO

Supported identity providers 

Calendly supports any enterprise identity provider using the SAML 2.0 protocol. Identity providers we have tested and documented include:

For other identity providers, follow the steps in How to set up SAML SSO with your identity provider.

If your company has multiple Calendly accounts

When you set up SSO, you enable SSO for all members within the Calendly account. If your company has multiple Calendly accounts, you'll need to set up SSO for each account.

If you want user sessions to expire

You can control how long members are signed in to Calendly before they need to re-authenticate. Session duration resets with user activity, so users will not be logged out when they're active. The session defaults to 21 days without activity, but you can reduce this time to match the security needs of your organization. 

If you have guest accounts in Calendly

You should not enable SSO if your Calendly account contains users that are not in your identity provider. If you enable SSO, these users will not be able to log in to Calendly.

If you want to use multi-factor authentication

You can set up multi-factor authentication within your IdP.

Inform your members that you've enabled SSO

We recommend that you send an email to inform your members that SSO is enabled. Feel free to make use of the template below. If you'd like to share steps on how to sign in to calendly.com with SSO (rather than sign in from your IdP), you can include How to sign in using single sign-on.

Subject: [ Action Required ] Log back in to Calendly

Hi,

This is to let you know that [ Your Organization Name ] is changing to the way we access Calendly. Going forward you’ll be able to log in to Calendly using your [ IdP ] credentials.
We made this change so you can access Calendly and other applications using the same username and password (this way you don’t have to remember multiple passwords). If you're unable to log in using your [IdP] username and password, please let your network administrator know.

Thank you,
[ Signature ]

What to expect after you enable SSO

Once you enable SSO, all members will be logged out of Calendly and will need to use SSO to log in. This includes members on Calendly’s web and mobile apps.

Log in with another method

As an owner or admin, you have the option to Log in using another method. This will prompt you to log in with your original method. Use this option if you cannot log in with your identity provider, and need to disable SAML SSO for the organization.

log_in_using_another_method.png

Connected calendars and integrations

Enabling SSO does not impact calendar connections or integrations. Members are not required to use their corporate SSO credentials for calendars or integrations. Members can connect on their Calendar Connections page and Integrations page.

Adding members

You'll need to add any new members in your identity provider and Calendly's Admin Management page. New members will be prompted to log in with SSO. Note: members must accept their email invitation to join Calendly before they can log in. 

Removing members

If SSO is enabled (but SCIM is not), you will need to remove a user from two places: your identity provider and the Calendly Admin Management page. To remove users in Calendly, view remove users and paid seats. If you'd like to automatically add and remove users, you can enable SCIM.

Once removed from your account, the user will have access to their free, solo Calendly account. They can log in with their original login method or a new method, depending on whether or not they had a Calendly account prior to joining your account. For example, if they originally used Google OAuth, they'll be prompted to log in with Google. 

Changing emails

If a user wants to update the email address they use with Calendly, you'll need to:

  1. Update their email address in your IdP.
  2. Reach out to Calendly support and share their new email address.