Use SAML single sign-on (SSO) to let users log in to Calendly with their identity provider. This makes signing in faster, more secure, and easier to manage.
For example, you can:
- Let users access Calendly through any SAML-based provider.
- Help IT and security teams manage users more easily.
Calendly supports the SAML 2.0 protocol and works with most enterprise identity providers (IdPs). You can follow these steps for any IdP—even if it’s not listed above.
Before you begin
- You must be a Calendly owner or admin.
- Use the same email address in Calendly and your IdP.
- Open Calendly and your IdP in two browser tabs for easier setup.
- Calendly doesn’t support Just-in-Time (JIT) provisioning. Use SCIM instead to manage users.
Configure SAML SSO in Calendly
Enter your IdP info in Calendly
- In Calendly, go to Admin center > Login > Single sign-on.
- Under Step 1, enter the following info from your IdP:
IdP setting Calendly field Required? Notes Issuer or Entity ID Entity ID Yes Also called “Issuer URL” or “Issuer ID” SSO URL Identity provider's SAML HTTP Request URL Yes Also called “Login URL” or “SAML 2.0 Endpoint” x.509 certificate X.509 certificate for SAML authentication Yes Must be in PEM format
- Choose Save & continue.
Configure your identity provider
Add these Calendly values in your IdP settings
| IdP setting | Value | Required? | Notes |
| Audience | Calendly’s Audience URL | Yes | May also be called “Entity ID” |
| ACS URL | Calendly’s ACS URL | Yes | Also known as “Reply URL” or “Callback URL” |
| Recipient/Destination | Calendly’s ACS URL | Yes | Some IdPs fill this in automatically |
| Request Binding |
urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST |
Yes | May be shown as “POST” |
| Default Relay State | Calendly’s Default Relay State | Yes if using IdP-initiated login | Needed to log in from your IdP dashboard |
| Assertion Signature | SHA256 | Yes | Required |
| Response Signature | SHA256 | No | Optional |
| Encrypted Assertion | Not supported | No | Calendly doesn't support this |
| Name ID | User’s email address | Yes | Must match Calendly email |
| Name ID Format |
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress or unspecified
|
Yes |
Use either option |
Set attribute mappings
Add these exact attribute names in your IdP:
| Name | Required? | Description |
email |
Yes | User’s main email address |
firstName |
Yes | User’s first name |
lastName |
Yes |
User’s last name |
Assign user access
Update your IdP rules so the right people can access Calendly.
Test the connection
- In Calendly, turn on Enable SSO for yourself.
- Select Test connection.
- If the test works, you’ll see a success banner.
- If it fails, check that:
- The user’s IdP email matches their Calendly email.
- The attributes in your IdP are mapped correctly.
Enforce SSO for your organization
- In your IdP, assign the Calendly app to all users.
- In Calendly, select Enforce SAML SSO for my organization, then choose Apply.
Note: This logs out everyone. They must sign in using SAML SSO. The org owner can still log in with their original method by choosing Log in using another method.