Skip to main content
All samples
02 / Implementation Guide Enterprise integration

Configure SAML 2.0 single sign-on

Let users sign in to Meridian with your existing identity provider, so credentials and access policies stay centrally managed.

Audience
IT / identity administrators
Format
Configuration guide
Standards
SAML 2.0, SP-initiated

How it works

Meridian acts as the service provider (SP). When a user signs in, Meridian redirects them to your identity provider (IdP) for authentication. On success, the IdP returns a signed SAML assertion, and Meridian creates or updates the user's session based on the attributes it contains.

Prerequisites

RequirementDetail
Admin accessMeridian Org Owner role and IdP administrator rights.
Signing certificateX.509 public certificate from your IdP (PEM format).
User email matchThe IdP must send the user's email as the NameID.

Configure the service provider

  1. In Meridian, go to Admin → Security → Single sign-on and copy the two SP values shown:
    • ACS URLhttps://app.meridian.io/sso/acs
    • Entity IDhttps://app.meridian.io/sso/metadata
  2. In your IdP, create a new SAML application and paste the ACS URL and Entity ID from the previous step.
  3. Map the following attributes in the IdP so Meridian can provision users correctly:
SAML attributeMaps toRequired
NameIDUser emailYes
firstNameGiven nameYes
groupsRole assignmentOptional
  1. Download the IdP metadata (or signing certificate) and upload it in Meridian under Single sign-on → Upload IdP metadata.
  2. Set Enforcement to Optional for the pilot, then switch to Required after verification.
!
CautionDo not set enforcement to Required until at least one administrator has signed in successfully via SSO. Keep a break-glass local admin account to avoid lockout.

Verify the integration

  1. Open an incognito browser window and go to your Meridian URL.
  2. Click Sign in with SSO. You should be redirected to your IdP and back.
  3. Confirm the new session shows Auth: SAML under My account → Sessions.

Troubleshooting

SymptomLikely causeResolution
"Invalid signature"Certificate mismatchRe-upload the current IdP certificate.
"User not found"NameID not an emailUpdate the IdP NameID format to emailAddress.