02 / Implementation Guide Enterprise integration
Configure SAML 2.0 single sign-on
Let users sign in to Meridian with your existing identity provider, so credentials and access policies stay centrally managed.
How it works
Meridian acts as the service provider (SP). When a user signs in, Meridian redirects them to your identity provider (IdP) for authentication. On success, the IdP returns a signed SAML assertion, and Meridian creates or updates the user's session based on the attributes it contains.
Prerequisites
| Requirement | Detail |
|---|---|
| Admin access | Meridian Org Owner role and IdP administrator rights. |
| Signing certificate | X.509 public certificate from your IdP (PEM format). |
| User email match | The IdP must send the user's email as the NameID. |
Configure the service provider
- In Meridian, go to Admin → Security → Single sign-on and copy the two SP values shown:
- ACS URL —
https://app.meridian.io/sso/acs - Entity ID —
https://app.meridian.io/sso/metadata
- ACS URL —
- In your IdP, create a new SAML application and paste the ACS URL and Entity ID from the previous step.
- Map the following attributes in the IdP so Meridian can provision users correctly:
| SAML attribute | Maps to | Required |
|---|---|---|
NameID | User email | Yes |
firstName | Given name | Yes |
groups | Role assignment | Optional |
- Download the IdP metadata (or signing certificate) and upload it in Meridian under Single sign-on → Upload IdP metadata.
- Set Enforcement to
Optionalfor the pilot, then switch toRequiredafter verification.
!
CautionDo not set enforcement to
Required until at least one administrator has signed in successfully via SSO. Keep a break-glass local admin account to avoid lockout.Verify the integration
- Open an incognito browser window and go to your Meridian URL.
- Click Sign in with SSO. You should be redirected to your IdP and back.
- Confirm the new session shows
Auth: SAMLunder My account → Sessions.
Troubleshooting
| Symptom | Likely cause | Resolution |
|---|---|---|
| "Invalid signature" | Certificate mismatch | Re-upload the current IdP certificate. |
| "User not found" | NameID not an email | Update the IdP NameID format to emailAddress. |