How to set up SAML SSO with your identity provider

Note

If you are on our Teams plan and would like to add single sign-on (SSO) features to your Calendly account, you can do so from your billing page. The SSO add-on costs $3 per user, per month. 

Calendly supports SAML 2.0 for enterprise identity providers (IdPs) like Okta, OneLogin, Azure, and more. Follow the steps below for SSO setup.

Calendly supports any enterprise identity provider (IdP) using the SAML 2.0 protocol. We have tested and documented SAML SSO setup instructions for the following identity providers: Okta, OneLogin, Ping Identity, Auth0, Microsoft Azure, Duo, and Microsoft AD FS.

For identity providers Calendly has not formally tested or documented, these steps apply to any IdP using SAML 2.0, including CyberArk, Google Workspace, JumpCloud, or Central Authentication Service.

Since steps may vary by identity provider, consult documentation from your identity provider for more information.

Before you begin

  • SAML SSO is available for accounts on the Enterprise plan or Teams plan with the SSO add-on.

  • You must be a Calendly account owner or admin to set up SAML SSO. 

  • You must use the same email address in Calendly and your identity provider.

  • During setup, it’s best to have Calendly and your identity provider open in separate browser windows. 

Supported SSO types

  • Identity Provider Initiated SSO (IdP-initiated) is supported.

    • Users can log in to their identity provider and select the Calendly app.

    • Only available if your identity provider supports a Default Relay State.

  • Service Provider Initiated SSO (SP-initiated) is supported.

    • Users can log in via calendly.com, and your identity provider will authenticate the user.

  • Just-in-Time (JIT) user creation is not supported. Enterprise users can provision users with SCIM.

How to set up SAML SSO with your identity provider

Step 1 – Configure Calendly

  1. In Calendly, go to your Admin center, select Login, then select Single sign-on.

  2. To configure Calendly, copy values from your identity provider, and paste them in Calendly under Step 1: Enter your identity provider information.

    • You'll need the following information from your identity provider: their Entity ID, SSO URL, and X.509 certificate. See the table below for more details.

  3. Select Save & continue.

| Identity provider value | Calendly field | Required | Notes |
| --- | --- | --- | --- |
| Issuer | Entity ID | Yes | This is a unique name the IdP uses for SAML 2.0. Your IdP may refer to this as: Issuer URL, Identity Provider Issuer, Issuer ID, or Entity ID. |
| Single sign-on URL | Identity provider's SAML HTTP Request URL | Yes | Upon sign-in, Calendly will redirect members to this URL so your IdP can authenticate them. Your IdP may refer to this as: Single Signon Service, Identity Provider Login URL, SAML 2.0 Endpoint (HTTP), or Login URL. |
| x.509 certificate (must be in PEM format) | X.509 certificate for SAML authentication | Yes | This certificate allows Calendly to verify requests from your IdP. |

Step 2 – Configure your identity provider

To configure your identity provider, enter the below values in your identity provider.

| Identity provider setting | Value | Required | Notes |
| --- | --- | --- | --- |
| Audience | Calendly’s Audience URL | Yes | Your identity provider may refer to this as: Entity ID or Identifier. |
| Assertion Consumer Service | Calendly’s ACS URL | Yes | Your identity provider may refer to this as: Single sign on URL, Reply URL, Application Callback URL, or SAML Consumer URL. |
| Recipient/Destination | Calendly’s ACS URL | Yes | Your identity provider may use: a field called ‘recipient’ or ‘destination’; a checkbox to enable sending the ACS as the recipient and destination; or no field or checkbox. In the last case, the IdP automatically sends the ACS URL as the recipient and destination. |
| Request Binding | urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST | Yes | This may be shortened to POST in the identity provider's settings. |
| Default Relay State | Calendly's Default Relay State | Yes | Default Relay State is only required if you want to perform Identity Provider Initiated Sign-on. If you don’t configure Default Relay State, your users will need to go directly to calendly.com to sign in. |
| Assertion Signature | SHA256 | Yes | The Assertion must be signed with a SHA256 signature. |
| Response Signature | SHA256 | No | The Response may be signed with a SHA256 signature. |
| Encrypted Assertion | N/A | No | Encrypted Assertions are currently not supported. |
| Name ID | User’s primary email address | Yes | The unique identifier for the individual. |
| Name ID Format | urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified or urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress | Yes | |

Step 3 – Configure attributes in your IdP

In your identity provider, configure the attributes with the names below.

NOTE: These attribute names are case sensitive and must match exactly.

| Name | Required | Description |
| --- | --- | --- |
| email | Yes | The user’s primary email address |
| firstName | Yes | The user’s given name |
| lastName | Yes | The user’s surname |
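
The requirements in the Step 2 and Step 3 tables can be checked against a SAMLResponse form value captured from a test login before you enforce SSO. The following is an added example, not Calendly's code: the function names and the `sp.example.test` ACS and Audience URLs are placeholders (use the values shown in your Calendly setup page), and the sample response is constructed. It checks structure only and does not verify the signature cryptographically.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
NAMEID = ("urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
          "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress")
ACS, AUD = "https://sp.example.test/acs", "https://sp.example.test/aud"  # placeholders

def lint(saml_response_b64, acs=ACS, audience=AUD):
    """List mismatches with the Step 2/3 tables. Does NOT verify the signature."""
    root, out = ET.fromstring(base64.b64decode(saml_response_b64)), []
    if root.find("a:EncryptedAssertion", NS) is not None:
        return ["assertion is encrypted (not supported)"]
    asr = root.find("a:Assertion", NS)
    if asr is None:
        return ["no Assertion element"]
    if root.get("Destination") != acs:
        out.append("Destination is not the ACS URL")
    scd = asr.find("a:Subject/a:SubjectConfirmation/a:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs:
        out.append("Recipient is not the ACS URL")
    aud = asr.find("a:Conditions/a:AudienceRestriction/a:Audience", NS)
    if aud is None or (aud.text or "").strip() != audience:
        out.append("Audience mismatch")
    sm = asr.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    if sm is None or not sm.get("Algorithm", "").endswith("sha256"):
        out.append("assertion lacks a SHA256 signature")
    nid = asr.find("a:Subject/a:NameID", NS)
    if nid is None or nid.get("Format", NAMEID[0]) not in NAMEID:  # no Format = unspecified
        out.append("NameID format not accepted")
    names = {x.get("Name") for x in asr.iterfind("a:AttributeStatement/a:Attribute", NS)}
    out += [f"missing attribute {n}" for n in ("email", "firstName", "lastName")
            if n not in names]  # exact, case-sensitive match
    return out

def sample(email_attr="email", alg="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"):
    """Constructed SAMLResponse form value; structure only, no real signature."""
    attrs = "".join(f'<a:Attribute Name="{n}"/>' for n in (email_attr, "firstName", "lastName"))
    xml = (f'<p:Response xmlns:p="{NS["p"]}" xmlns:a="{NS["a"]}" xmlns:ds="{NS["ds"]}"'
           f' Destination="{ACS}"><a:Assertion><ds:Signature><ds:SignedInfo>'
           f'<ds:SignatureMethod Algorithm="{alg}"/></ds:SignedInfo></ds:Signature>'
           f'<a:Subject><a:NameID Format="{NAMEID[1]}">user@example.test</a:NameID>'
           f'<a:SubjectConfirmation><a:SubjectConfirmationData Recipient="{ACS}"/>'
           f'</a:SubjectConfirmation></a:Subject><a:Conditions><a:AudienceRestriction>'
           f'<a:Audience>{AUD}</a:Audience></a:AudienceRestriction></a:Conditions>'
           f'<a:AttributeStatement>{attrs}</a:AttributeStatement></a:Assertion></p:Response>')
    return base64.b64encode(xml.encode()).decode()
```

Calling `lint(sample(email_attr="Email"))` reports the missing `email` attribute, which is the case-sensitivity mistake the note above warns about.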

Step 4 – Assign user access

If your identity provider has any application restrictions for users, update those rules so you and the appropriate users can use Calendly.

Step 5 – Test the connection

In Calendly, select Enable SSO for yourself, then select Test connection. If successful, you'll see a confirmation.


  • If successful, you’ll see a success banner at the top of the page in Calendly.

  • If unsuccessful, you’ll see an error page in your SSO provider or receive an error notification in Calendly.
    An example of this message in Calendly:

    [Screenshot: SAML error message]
    • If you see this error message, you should either:
      1. Check which user they are logged in as on their IdP.

      2. Check the attribute mapping in their IdP for the email attribute.

Step 6 – Enforce SSO for your organization

When you enforce SAML SSO for your organization, Calendly will log you and all users out and require you to authenticate with your identity provider.

  1. In your identity provider, assign the app to all Calendly users.

  2. In Calendly, select Enforce SAML SSO for my organization, then Apply.


    Once SSO is enforced, all users will be logged out and need to use SAML SSO to log into Calendly. Only the organization owner can log in using their fallback (original) login method by selecting Log in using another method on the login page.