Note
If you are on our Teams plan and would like to add single sign-on (SSO) features to your Calendly account, you can do so from your billing page. The SSO add-on costs $3 per user, per month.
Calendly supports SAML 2.0 for enterprise identity providers (IdPs) like Okta, OneLogin, Azure, and more. Follow the steps below for SSO setup.
Calendly supports any enterprise identity provider (IdP) using the SAML 2.0 protocol. We have tested and documented SAML SSO setup instructions for the following identity providers: Okta, OneLogin, Ping Identity, Auth0, Microsoft Azure, Duo, and Microsoft AD FS.
For identity providers Calendly has not formally tested or documented, these steps apply to any IdP using SAML 2.0, including CyberArk, Google Workspace, JumpCloud, or Central Authentication Service.
Since steps may vary by identity provider, consult documentation from your identity provider for more information.
Before you begin
- SAML SSO is available for accounts on the Enterprise plan or Teams plan with the SSO add-on.
- You must be a Calendly account owner or admin to set up SAML SSO.
- You must use the same email address in Calendly and your identity provider.
- During setup, it’s best to have Calendly and your identity provider open in separate browser windows.
Supported SSO types
- Identity Provider Initiated SSO (IdP-initiated) is supported.
  - Users can log in to their identity provider and select the Calendly app.
  - Only available if your identity provider supports a Default Relay State.
- Service Provider Initiated SSO (SP-initiated) is supported.
  - Users can log in via calendly.com, and your identity provider will authenticate the user.
- Just-in-Time (JIT) user creation is not supported. Enterprise users can provision users with SCIM.
How to set up SAML SSO with your identity provider
Step 1 – Configure Calendly
- In Calendly, go to your Admin center, select Login, then select Single sign-on.
- To configure Calendly, copy values from your identity provider, and paste them in Calendly under Step 1: Enter your identity provider information.
- You'll need the following information from your identity provider: their Entity ID, SSO URL, and X.509 certificate. See the table below for more details.
- Select Save & continue.
Identity provider value | Calendly field | Required | Notes |
Issuer | Entity ID | Yes | This is a unique name the IdP uses for SAML 2.0. Your IdP may refer to this as: |
Single sign-on URL | Identity provider's SAML HTTP Request URL | Yes | Upon sign-in, Calendly will redirect members to this URL so your IdP can authenticate them. Your IdP may refer to this as: |
X.509 certificate (must be in PEM format) | X.509 certificate for SAML authentication | Yes | This certificate allows Calendly to verify requests from your IdP. |
Step 2 – Configure your identity provider
To configure your identity provider, enter the values below.
Identity provider setting | Value | Required | Notes |
Audience | Calendly’s Audience URL | Yes | Your identity provider may refer to this as: |
Assertion Consumer Service | Calendly’s ACS URL | Yes | Your identity provider may refer to this as: |
Recipient/Destination | Calendly’s ACS URL | Yes | Your identity provider may use: |
Request Binding | urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST | Yes | This may be shortened to POST in the identity provider's settings. |
Default Relay State | Calendly's Default Relay State | Yes | Default Relay State is only required if you want to perform Identity Provider Initiated Sign-on. If you don’t configure Default Relay State, your users will need to go directly to calendly.com to sign in. |
Assertion Signature | SHA256 | Yes | The Assertion must be signed with a SHA256 signature. |
Response Signature | SHA256 | No | The Response may be signed with a SHA256 signature. |
Encrypted Assertion | N/A | No | Encrypted Assertions are currently not supported. |
Name ID | User’s primary email address | Yes | The unique identifier for the individual. |
Name ID Format | urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified or urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress | Yes | |
Step 3 – Configure attributes in your IdP
In your identity provider, configure the attributes with the names below.
NOTE: These attribute names are case sensitive and must match exactly.
Name | Required | Description |
Yes | The user’s primary email address | |
firstName | Yes | The user’s given name |
lastName | Yes | The user’s surname |
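A pre-flight check for the Step 2 and Step 3 settings, as an added example that is not Calendly's code: it parses a decoded SAML Response and lists every field that disagrees with the tables above. The URLs are placeholders for the Audience URL and ACS URL shown in your Calendly SSO settings, the sample response is constructed, and the script only inspects the declared signature algorithm; it does not verify the signature.

```python
import xml.etree.ElementTree as ET

NS = {"a": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}
NAMEID_FORMATS = {"urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
                  "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"}
REQUIRED_ATTRS = ("firstName", "lastName")  # case sensitive, names from the Step 3 table

def check_response(xml_text, audience, acs_url):
    """List mismatches with the Step 2/3 tables. Does NOT verify the signature."""
    root, problems = ET.fromstring(xml_text), []
    if root.get("Destination") != acs_url:
        problems.append("Destination is not the ACS URL")
    if root.find("a:EncryptedAssertion", NS) is not None:
        problems.append("assertion is encrypted")
    assertion = root.find("a:Assertion", NS)
    if assertion is None:
        return problems + ["no plaintext Assertion"]
    method = assertion.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    alg = "" if method is None else method.get("Algorithm", "").lower()
    if not alg.endswith("sha256"):
        problems.append("assertion is unsigned or its signature is not SHA256")
    name_id = assertion.find("a:Subject/a:NameID", NS)
    if name_id is None or "@" not in (name_id.text or ""):
        problems.append("NameID is not an email address")
    elif name_id.get("Format") not in NAMEID_FORMATS | {None}:  # absent means unspecified
        problems.append("NameID Format is not unspecified/emailAddress")
    scd = assertion.find(".//a:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url:
        problems.append("Recipient is not the ACS URL")
    audiences = {e.text for e in assertion.iterfind(".//a:Audience", NS)}
    if audience not in audiences:
        problems.append("Audience does not match")
    names = {e.get("Name") for e in assertion.iterfind(".//a:Attribute", NS)}
    problems += [f"missing attribute {n}" for n in REQUIRED_ATTRS if n not in names]
    return problems

# Constructed sample (placeholder URLs, no signature value), not a captured response.
SAMPLE = """<p:Response xmlns:p="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:a="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 Destination="https://sp.example/acs"><a:Assertion><ds:Signature><ds:SignedInfo>
 <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
 </ds:SignedInfo></ds:Signature><a:Subject>
 <a:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.com</a:NameID>
 <a:SubjectConfirmation><a:SubjectConfirmationData Recipient="https://sp.example/acs"/>
 </a:SubjectConfirmation></a:Subject><a:Conditions><a:AudienceRestriction>
 <a:Audience>https://sp.example/audience</a:Audience></a:AudienceRestriction></a:Conditions>
 <a:AttributeStatement><a:Attribute Name="firstName"/><a:Attribute Name="Lastname"/>
 </a:AttributeStatement></a:Assertion></p:Response>"""
print(check_response(SAMPLE, "https://sp.example/audience", "https://sp.example/acs"))
```

The constructed sample fails only on `Lastname`, the kind of case mismatch the note in Step 3 warns about.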
Step 4 – Assign user access
If your identity provider has any application restrictions for users, update those rules so you and the appropriate users can use Calendly.
Step 5 – Test the connection
In Calendly, select Enable SSO for yourself, then select Test connection. If successful, you'll see a confirmation.
- If successful, you’ll see a success banner at the top of the page in Calendly.
- If unsuccessful, you’ll see an error page in your SSO provider or receive an error notification in Calendly.
An example of this message in Calendly:
- If you see this error message, you should either:
  - Check the user that they are logged in with on their IdP.
  - Check the attribute mapping in their IdP for the email attribute.
Step 6 – Enforce SSO for your organization
When you enforce SAML SSO for your organization, Calendly will log you and all users out and require you to authenticate with your identity provider.
- In your identity provider, assign the app to all Calendly users.
- In Calendly, select Enforce SAML SSO for my organization, then Apply.
Once SSO is enforced, all users will be logged out and need to use SAML SSO to log into Calendly. Only the organization owner can log in using their fallback (original) login method by selecting Log in using another method on the login page.