How to set up SAML SSO with your identity provider


If you are on our Teams plan and would like to add single sign-on (SSO) features to your Calendly account, you can do so from your billing page. The SSO add-on costs $3 per user, per month. 



Calendly supports any enterprise identity provider (IdP) using the SAML 2.0 protocol.

Calendly has tested and documented SAML SSO setup instructions for the following identity providers: OktaOneLoginPing IdentityAuth0Microsoft Azure, Duo, and Microsoft AD FS.

For identity providers Calendly has not formally tested or documented, you can follow the steps in this article to set up SSO. These steps apply to any IdP using SAML 2.0, including CyberArk, Google Workspace, JumpCloud, or Central Authentication Service.

Since steps may vary by identity provider, consult documentation from your identity provider for more information.


  • Identity Provider Initiated SSO (IdP-initiated) 

    • Users can log in to their identity provider and select the Calendly app.

    • Only available if your identity provider supports a Default Relay State.

  • Service Provider Initiated SSO (SP-initiated)

    • Users can log in via, and your identity provider will authenticate the user.

  • Just-in-Time (JIT) user creation is not supported. You can provision users with SCIM.

How to set up SAML SSO with your identity provider

Before you begin…

  • SAML SSO is only available for accounts on Calendly’s Enterprise plan

  • You must be a Calendly account owner or admin to set up SAML SSO. 

  • You must use the same email address in Calendly and your identity provider.

  • During setup, it’s best to have Calendly and your identity provider open in separate browser windows. 

Step 1. Configure Calendly

  1. In Calendly, go to your Admin center, select Login, then select Single sign-on.

  2. To configure Calendly, copy values from your identify provider, and paste them in Calendly under Step 1: Enter your identity provider information. You'll need to following information from your identity provider: their Entity ID, SSO URL, and x.509 certificate. See the table below for more details.

  3. Select Save & continue.
Identity provider value Calendly field Required Notes


Entity ID Yes

This is a unique name the IdP uses for SAML 2.0.

Your IdP may refer to this as:

  • Issuer URL
  • Identity Provider Issuer
  • Issuer ID
  • Entity ID
Single sign-on URL Identity provider's SAML HTTP Request URL Yes

Upon sign-in, Calendly will redirect members to this URL so your IdP can authenticate them.

Your IdP may refer to this as:

  • Single Signon Service
  • Identity Provider Login URL
  • SAML 2.0 Endpoint (HTTP)
  • Login URL

x.509 certificate (must be in PEM format)

X.509 certificate for SAML authentication

Yes This certificate allows Calendly to verify requests from your IdP.

Step 2. Configure your identity provider

To configure your identity provider, enter the below values in your identity provider.

Identity provider setting Value Required Notes
Audience Calendly’s Audience URL Yes

Your identity provider may refer to this as:

  • Entity ID
  • Identifier
Assertion Consumer Service Calendly’s ACS URL Yes

Your identity provider may refer to this as:

  • Single sign on URL
  • Reply URL
  • Application Callback URL
  • SAML Consumer URL
Recipient/ Destination Calendly’s ACS URL Yes

Your identity provider may use:

  • a field called ‘recipient’ or ‘destination’
  • a checkbox to enable sending the ACS as the recipient and destination
  • no field or checkbox. In this case, the IdP automatically sends the ACS URL as the recipient and destination.
Request Binding



Yes This may be shortened to POST in the identity provider's settings.
Default Relay State Calendly's Default Relay State Yes Default Relay State is only required if you want to perform Identity Provider Initiated Sign-on. If you don’t configure Default Relay State, your users will need to go directly to to sign in.
Assertion Signature SHA256 Yes The Assertion must be signed with a SHA256 signature.
Response Signature SHA256 No The Response may be signed with a SHA256 signature.
Encrypted Assertion N/A No Encrypted Assertions are currently not supported.
Name ID User’s primary email address Yes The unique identifier for the individual.
Name ID Format







Step 3. Configure attributes in your IdP

In your identity provider, configure the attributes with the names below.

NOTE: These attribute names are case sensitive and must match exactly

Name Required Description
email Yes The user’s primary email address
firstName Yes The user’s given name
lastName Yes The user’s surname

Step 4. Assign user access

 If your identity provider has any application restrictions for users, update those rules so you and the appropriate users can use Calendly.

Step 5. Test the connection

In Calendly, under Step Two: Enable SSO for yourself, select Test connection. You will redirected to the identity provider and then back to Calendly.

  • If successful, you’ll see a success banner at the top of the page in Calendly.

  • If unsuccessful, you’ll see an error page on Okta or receive an error notification in Calendly. An example of this message in Calendly:

    • If the you see this error message, you should either:
      1. check the user that they are logged in with on their IdP

      2. check the attribute mapping in their IDP for the email attribute.

Step 6. Enforce SSO for your organization

When you enforce SAML SSO for your organization, Calendly will log you and all users out and require you authenticate with your identity provider.

  1. In your identity provider, assign all Calendly users the app.

  2. In Calendly, select Enforce SAML SSO for my organization.