LiyaSupport
Security & Compliance

SSO / SAML 2.0 setup

Configure Single Sign-On with your identity provider so your team logs in via your corporate credentials.

8 min read Updated July 2026
SSO / SAML is available on the Enterprise plan. Contact [email protected] to enable it for your workspace.

Supported identity providers

Identity providerProtocolGuide available
OktaSAML 2.0Yes — see below
Microsoft Entra ID (Azure AD)SAML 2.0 / OIDCYes — see below
Google Workspace (SSO)SAML 2.0Yes — see below
Auth0SAML 2.0Yes
OneLoginSAML 2.0Yes
Ping IdentitySAML 2.0Yes
Any SAML 2.0 providerSAML 2.0Generic setup below

SAML configuration values

When configuring Liya in your identity provider, you'll need the following values:

FieldValue
Entity ID (Audience URI)https://app.liyasupport.com/saml/metadata
ACS URL (Reply URL)https://app.liyasupport.com/auth/saml/callback/YOUR_WORKSPACE_ID
Single Logout URLhttps://app.liyasupport.com/auth/saml/logout
Name ID formaturn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
BindingHTTP-POST

Replace YOUR_WORKSPACE_ID with your workspace ID from Settings → General → Workspace ID.

Or download the SP metadata XML:

xml
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://app.liyasupport.com/saml/metadata">
  <md:SPSSODescriptor>
    <md:AssertionConsumerService
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://app.liyasupport.com/auth/saml/callback/YOUR_WORKSPACE_ID"
      index="0" />
  </md:SPSSODescriptor>
</md:EntityDescriptor>

Setting up SSO with Okta

1

Create a new SAML app in Okta

In your Okta Admin Console, go to Applications → Create App Integration. Select SAML 2.0 and click Next.

2

Configure the SAML settings

On the SAML settings screen, enter:

  • Single sign-on URL: https://app.liyasupport.com/auth/saml/callback/YOUR_WORKSPACE_ID
  • Audience URI (SP Entity ID): https://app.liyasupport.com/saml/metadata
  • Name ID format: EmailAddress
  • Application username: Email
3

Add attribute statements

Add the following SAML attribute mappings (required for Liya to identify users correctly):

SAML attribute nameValue
emailuser.email
firstNameuser.firstName
lastNameuser.lastName
4

Assign users or groups

In the Assignments tab, assign the Liya app to the users or groups that should have access. Only assigned users can log in to LiyaSupport via SSO.

5

Copy the IDP metadata URL

From the Sign On tab in Okta, click View SAML setup instructionsand copy the IDP Metadata URL.

6

Enter the IDP metadata URL in Liya

In LiyaSupport, go to Settings → Security → SSO. Paste the Okta metadata URL into the Identity Provider Metadata URL field and click Save.

7

Test SSO login

Click Test SSO. This opens a new tab and redirects to Okta. Sign in with a test account that has the Liya app assigned. You should be redirected back and logged in.


Setting up SSO with Microsoft Entra ID (Azure AD)

1

Create an enterprise application

In Microsoft Entra Admin Center, go to Enterprise applications → New application → Create your own application. Name it "LiyaSupport" and select Integrate any other application you don't find in the gallery.

2

Set up SAML

Go to Single sign-on → SAML. In the Basic SAML Configuration, enter:

  • Identifier (Entity ID): https://app.liyasupport.com/saml/metadata
  • Reply URL (ACS URL): https://app.liyasupport.com/auth/saml/callback/YOUR_WORKSPACE_ID
3

Add user attributes

In Attributes & Claims, ensure these claims are mapped:

Claim nameSource attribute
emailuser.mail
firstNameuser.givenname
lastNameuser.surname
4

Download App Federation Metadata XML

In SAML Certificates, click Download next to Federation Metadata XML.

5

Upload the metadata to Liya

In LiyaSupport Settings → Security → SSO, upload the downloaded XML file using the Upload metadata file option.


Enforcing SSO for all users

Once SSO is configured and tested, you can enable Enforce SSO in Settings → Security → SSO. After this is enabled:

  • All users (including Owners) must log in via your identity provider
  • Email/password login is disabled for your workspace
  • The "Sign in with Google" button is hidden (unless your IDP is Google)
Before enforcing SSO, ensure at least one Owner account is successfully logging in via SSO. If SSO is misconfigured after enforcement, contact [email protected] — we can disable SSO enforcement from the admin side.

Just-in-time (JIT) provisioning

With JIT provisioning enabled, a new Liya user account is automatically created the first time a user authenticates via SSO — no need to manually invite each team member first.

New JIT-provisioned users are assigned the Agent role by default. You can change the default role in Settings → Security → SSO → JIT role.

SCIM provisioning

Enterprise workspaces can also configure SCIM 2.0 for automated user provisioning and de-provisioning from your identity provider. When a user is removed from your IDP, they are automatically deactivated in Liya.

See Role-based access for instructions on configuring SCIM.