How to set up SAML SSO with your identity provider

Calendly supports any enterprise identity provider (IdP) using the SAML 2.0 protocol.

Calendly has tested and documented SAML SSO setup instructions for the following identity providers: Okta, OneLogin, Ping Identity, Auth0, Microsoft Azure, and Duo.

For identity providers Calendly has not formally tested or documented, you can follow the steps in this article to set up SSO. These steps apply to any IdP using SAML 2.0, including CyberArk, Microsoft ADFS, Google Workspace, JumpCloud, or Central Authentication Service.

Since steps may vary by identity provider, consult documentation from your identity provider for more information.

 

Features

  • Identity Provider Initiated SSO (IdP-initiated) 

    • Users can log in to their identity provider and select the Calendly app.

    • Only available if your identity provider supports a Default Relay State.

  • Service Provider Initiated SSO (SP-initiated)

    • Users can log in via calendly.com, and your identity provider will authenticate the user.

  • Just-in-Time (JIT) user creation is not supported. You can provision users with SCIM.

 

Before you start…

  • SAML SSO is only available for accounts on Calendly’s Enterprise plan.

  • You must be a Calendly account owner or admin to set up SAML SSO. 

  • You must use the same email address in Calendly and your identity provider.

  • During setup, it’s best to have Calendly and your identity provider open in separate browser windows. 

 

How to set up SAML SSO with your identity provider

1. Configure Calendly

  1. In Calendly, go to Account, then Organization Settings, then Single sign-on.

  2. To configure Calendly, copy values from your identity provider and paste them into Calendly under Step 1: Enter your identity provider information. You'll need the following information from your identity provider: its Entity ID, SSO URL, and x.509 certificate. See the table below for more details.

  3. Select Save & continue.

| Identity provider value | Calendly field | Required | Notes |
|---|---|---|---|
| Issuer | Entity ID | Yes | This is a unique name the IdP uses for SAML 2.0. Your IdP may refer to this as: Issuer URL, Identity Provider Issuer, Issuer ID, Entity ID. |
| Single sign-on URL | Identity provider's SAML HTTP Request URL | Yes | Upon sign-in, Calendly will redirect members to this URL so your IdP can authenticate them. Your IdP may refer to this as: Single Signon Service, Identity Provider Login URL, SAML 2.0 Endpoint (HTTP), Login URL. |
| x.509 certificate (must be in PEM format) | X.509 certificate for SAML authentication | Yes | This certificate allows Calendly to verify requests from your IdP. |

 

2. Configure your identity provider

To configure your identity provider, enter the below values in your identity provider.

 

| Identity provider setting | Value | Required | Notes |
|---|---|---|---|
| Audience | Calendly’s Audience URL | Yes | Your identity provider may refer to this as: Entity ID, Identifier. |
| Assertion Consumer Service | Calendly’s ACS URL | Yes | Your identity provider may refer to this as: Single sign on URL, Reply URL, Application Callback URL, SAML Consumer URL. |
| Recipient/Destination | Calendly’s ACS URL | Yes | Your identity provider may use: a field called ‘recipient’ or ‘destination’; a checkbox to enable sending the ACS as the recipient and destination; or no field or checkbox, in which case the IdP automatically sends the ACS URL as the recipient and destination. |
| Request Binding | urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST | Yes | This may be shortened to POST in the identity provider's settings. |
| Default Relay State | Calendly's Default Relay State | Yes | Default Relay State is only required if you want to perform Identity Provider Initiated Sign-on. If you don’t configure Default Relay State, your users will need to go directly to calendly.com to sign in. |
| Assertion Signature | SHA256 | Yes | The Assertion must be signed with a SHA256 signature. |
| Response Signature | SHA256 | No | The Response may be signed with a SHA256 signature. |
| Encrypted Assertion | N/A | No | Encrypted Assertions are currently not supported. |
| Name ID | User’s primary email address | Yes | The unique identifier for the individual. |
| Name ID Format | urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified or urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress | Yes | |

 

3. Configure attributes in your IdP

In your identity provider, configure the attributes with the names below. These names must match exactly.

| Name | Required | Description |
|---|---|---|
| email | Yes | The user’s primary email address |
| firstName | Yes | The user’s given name |
| lastName | Yes | The user’s surname |

 

4. Assign user access

 If your identity provider has any application restrictions for users, update those rules so you and the appropriate users can use Calendly.

 

5. Test the connection

In Calendly, under Step Two: Enable SSO for yourself, select Test connection. You will be redirected to the identity provider and then back to Calendly.

  • If successful, you’ll see a success banner at the top of the page in Calendly.

  • If unsuccessful, you’ll see an error page on Okta or receive an error notification in Calendly.
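
When the test fails, a configuration lint over the base64-decoded SAML Response can show which setting from the tables in steps 2 and 3 is off. This is an added example, not Calendly's code: the `https://sp.example/...` URLs are placeholders for the ACS and Audience URLs Calendly shows you, the sample response is constructed, and the check reads the declared signature algorithm only; it does not verify the signature.

```python
import xml.etree.ElementTree as ET

NS = {"a": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}
UNSPEC = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
NAMEID_FORMATS = {UNSPEC, "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"}

def lint_response(xml_text, acs_url, audience):
    """List settings in a decoded SAML Response that differ from the setup tables."""
    root = ET.fromstring(xml_text)
    if root.find("a:EncryptedAssertion", NS) is not None:
        return ["assertion is encrypted (not supported)"]
    a = root.find("a:Assertion", NS)
    if a is None:
        return ["no Assertion element found"]
    problems = []
    alg = a.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    if alg is None:
        problems.append("Assertion is not signed")
    elif "sha256" not in alg.get("Algorithm", "").rsplit("#", 1)[-1].lower():
        problems.append("Assertion signature is not SHA256")
    nid = a.find("a:Subject/a:NameID", NS)
    # An absent Format attribute means "unspecified" in SAML 2.0.
    if nid is None or nid.get("Format", UNSPEC) not in NAMEID_FORMATS:
        problems.append("NameID missing or unsupported Format")
    scd = a.find("a:Subject/a:SubjectConfirmation/a:SubjectConfirmationData", NS)
    if root.get("Destination") != acs_url or scd is None or scd.get("Recipient") != acs_url:
        problems.append("Recipient/Destination is not the ACS URL")
    auds = [e.text for e in a.iterfind("a:Conditions/a:AudienceRestriction/a:Audience", NS)]
    if audience not in auds:
        problems.append("Audience does not match")
    present = {e.get("Name") for e in a.iterfind("a:AttributeStatement/a:Attribute", NS)
               if e.findtext("a:AttributeValue", "", NS).strip()}
    for name in ("email", "firstName", "lastName"):  # names must match exactly
        if name not in present:
            problems.append("missing attribute: " + name)
    return problems

# Constructed sample, not a real IdP response: SHA-1 signature, "firstname" miscased, no lastName.
SAMPLE = """<p:Response xmlns:p="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:a="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 Destination="https://sp.example/acs"><a:Assertion><ds:Signature><ds:SignedInfo>
 <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
 </ds:SignedInfo></ds:Signature><a:Subject><a:NameID>pat@example.com</a:NameID>
 <a:SubjectConfirmation><a:SubjectConfirmationData Recipient="https://sp.example/acs"/>
 </a:SubjectConfirmation></a:Subject><a:Conditions><a:AudienceRestriction>
 <a:Audience>https://sp.example/audience</a:Audience></a:AudienceRestriction></a:Conditions>
 <a:AttributeStatement><a:Attribute Name="email"><a:AttributeValue>pat@example.com
 </a:AttributeValue></a:Attribute><a:Attribute Name="firstname"><a:AttributeValue>Pat
 </a:AttributeValue></a:Attribute></a:AttributeStatement></a:Assertion></p:Response>"""
```

Call `lint_response(SAMPLE, "https://sp.example/acs", "https://sp.example/audience")` to see the findings for the sample; run it only on responses from your own IdP, since it parses the XML without signature validation.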

6. Enforce SSO for your organization

When you enforce SAML SSO for your organization, Calendly will log you and all users out and require you to authenticate with your identity provider.

  1. In your identity provider, assign all Calendly users the app.

  2. In Calendly, select Enforce SAML SSO for my organization.

 

See also:

How to set up SCIM with your identity provider

 
