SSO / SAML 2.0 setup
Configure Single Sign-On with your identity provider so your team logs in via your corporate credentials.
Supported identity providers
| Identity provider | Protocol | Guide available |
|---|---|---|
| Okta | SAML 2.0 | Yes — see below |
| Microsoft Entra ID (Azure AD) | SAML 2.0 / OIDC | Yes — see below |
| Google Workspace (SSO) | SAML 2.0 | Yes — see below |
| Auth0 | SAML 2.0 | Yes |
| OneLogin | SAML 2.0 | Yes |
| Ping Identity | SAML 2.0 | Yes |
| Any SAML 2.0 provider | SAML 2.0 | Generic setup below |
SAML configuration values
When configuring Liya in your identity provider, you'll need the following values:
| Field | Value |
|---|---|
| Entity ID (Audience URI) | https://app.liyasupport.com/saml/metadata |
| ACS URL (Reply URL) | https://app.liyasupport.com/auth/saml/callback/YOUR_WORKSPACE_ID |
| Single Logout URL | https://app.liyasupport.com/auth/saml/logout |
| Name ID format | urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress |
| Binding | HTTP-POST |
Replace YOUR_WORKSPACE_ID with your workspace ID from Settings → General → Workspace ID.
Or download the SP metadata XML:
Setting up SSO with Okta
Create a new SAML app in Okta
In your Okta Admin Console, go to Applications → Create App Integration. Select SAML 2.0 and click Next.
Configure the SAML settings
On the SAML settings screen, enter:
- Single sign-on URL:
https://app.liyasupport.com/auth/saml/callback/YOUR_WORKSPACE_ID - Audience URI (SP Entity ID):
https://app.liyasupport.com/saml/metadata - Name ID format: EmailAddress
- Application username: Email
Add attribute statements
Add the following SAML attribute mappings (required for Liya to identify users correctly):
| SAML attribute name | Value |
|---|---|
| user.email | |
| firstName | user.firstName |
| lastName | user.lastName |
Assign users or groups
In the Assignments tab, assign the Liya app to the users or groups that should have access. Only assigned users can log in to LiyaSupport via SSO.
Copy the IDP metadata URL
From the Sign On tab in Okta, click View SAML setup instructionsand copy the IDP Metadata URL.
Enter the IDP metadata URL in Liya
In LiyaSupport, go to Settings → Security → SSO. Paste the Okta metadata URL into the Identity Provider Metadata URL field and click Save.
Test SSO login
Click Test SSO. This opens a new tab and redirects to Okta. Sign in with a test account that has the Liya app assigned. You should be redirected back and logged in.
Setting up SSO with Microsoft Entra ID (Azure AD)
Create an enterprise application
In Microsoft Entra Admin Center, go to Enterprise applications → New application → Create your own application. Name it "LiyaSupport" and select Integrate any other application you don't find in the gallery.
Set up SAML
Go to Single sign-on → SAML. In the Basic SAML Configuration, enter:
- Identifier (Entity ID):
https://app.liyasupport.com/saml/metadata - Reply URL (ACS URL):
https://app.liyasupport.com/auth/saml/callback/YOUR_WORKSPACE_ID
Add user attributes
In Attributes & Claims, ensure these claims are mapped:
| Claim name | Source attribute |
|---|---|
| user.mail | |
| firstName | user.givenname |
| lastName | user.surname |
Download App Federation Metadata XML
In SAML Certificates, click Download next to Federation Metadata XML.
Upload the metadata to Liya
In LiyaSupport Settings → Security → SSO, upload the downloaded XML file using the Upload metadata file option.
Enforcing SSO for all users
Once SSO is configured and tested, you can enable Enforce SSO in Settings → Security → SSO. After this is enabled:
- All users (including Owners) must log in via your identity provider
- Email/password login is disabled for your workspace
- The "Sign in with Google" button is hidden (unless your IDP is Google)
Just-in-time (JIT) provisioning
With JIT provisioning enabled, a new Liya user account is automatically created the first time a user authenticates via SSO — no need to manually invite each team member first.
New JIT-provisioned users are assigned the Agent role by default. You can change the default role in Settings → Security → SSO → JIT role.
SCIM provisioning
Enterprise workspaces can also configure SCIM 2.0 for automated user provisioning and de-provisioning from your identity provider. When a user is removed from your IDP, they are automatically deactivated in Liya.
See Role-based access for instructions on configuring SCIM.