
SSO/SAML Integration

If you are using Microsoft Entra or Google Workspace as your corporate Identity Provider, no configuration is needed to log in via OAuth2 integration. Users log in with the Continue with Google or Continue with Microsoft links on the login page.

Prevail can also integrate with any Security Assertion Markup Language Identity Provider (SAML IdP), including Microsoft Entra, Google Workspace, and Okta. SAML offers additional security and administration features, such as sharing user groups and group memberships. SAML integration requires a setup process for each enterprise. In the SAML model, Prevail serves as the Service Provider (SP), and the enterprise supplies the IdP, whether that’s internal to the enterprise or a third party such as Entra or Okta.

Obtain Your SAML Configuration File

The first step in setting up SAML integration is to prepare your SAML configuration file. While the exact details may vary slightly between IdPs, this file must contain, at a minimum, the Entity ID, X509 certificate, and endpoint URLs. Below is an example configuration file:

<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     entityID="https://accounts.google.com/o/saml2?idpid=C03m0b1w1"
                     validUntil="2026-04-15T17:13:09.000Z">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false" 
                       protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>   
          <ds:X509Certificate>
            MIIDdDCCAlygAwIBAgIyaddayaddayaddau3CTSH4YihqnkQkNhD6H9fsInau+ROtC7V
            1J/7F0gwyWJATeHsTx0 … many more lines …     ayaddanRZX92SnZZPnrWSmTF
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>
      urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
    </md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                            Location="https://accounts.google.com/o/saml2/idp?idpid=C03m0b1w1"
    />
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                            Location="https://accounts.google.com/o/saml2/idp?idpid=C03m0b1w1"
    />
  </md:IDPSSODescriptor>
</md:EntityDescriptor>

For guidance on creating your SAML file, consult the documentation for your IdP. You can reference the following instructions for a few of the most popular IdPs:

Send Your SAML File to Prevail

After preparing your SAML file, forward it to the Prevail Support team to proceed with the integration setup. This file does not contain PII or private certificates, so it does not need to be kept secret.

Configure Your Identity Provider

Obtain the Service Provider Metadata from Prevail

Download Prevail’s Service Provider metadata. This file contains essential information such as the ACS (Assertion Consumer Service) URI and Entity ID.

Configure the Service Provider in Your Identity Provider

  1. Create a new SAML integration in your IdP’s admin dashboard using your Entity ID/Connection ID and Assertion Consumer Service (ACS) URL. Contact Customer Success at CustomerSuccess@prevail.ai for assistance if needed.
    • Entity ID/Connection ID: https://prevail.ai/users/saml/metadata
    • Assertion Consumer Service (ACS) URL: https://prevail.ai/users/saml/auth
  2. Verify the ACS URI and Entity ID match correctly. Some Identity Providers can directly consume the SP metadata file, while others may require you to manually extract information from the file and enter it into appropriate fields. Refer to your IdP's documentation on how to create a new SAML integration.
  3. Provide user attributes to align user data from your IdP with what Prevail expects. The default attributes are listed below; let us know if yours differ:
    • first_name
    • last_name
    • email
  4. Provide the SAML attribute name for groups if your organization uses groups. The default attribute is typically "groups," but this may vary depending on your Identity Provider (IdP). This information is essential for setting up group assignments correctly within Prevail.
  5. Decide on the merge style to determine whether each SAML login should replace the group names passed or merge them with existing org member groups. The "merge style" setting controls how group memberships are managed. If your IdP passes the full list of groups on each login, setting the merge style to "replace" is recommended to keep group assignments accurate. Discuss this setting with the Prevail support team during the SAML setup to choose the option that best fits your organization's needs.

Test Group Integration

After setting up group attributes, perform a test login to verify that group assignments are accurately reflected in Prevail. Check that users are placed into the appropriate groups according to your configuration. If group assignments do not align with expectations, or if there are any issues with the integration, contact Prevail support for further assistance at CustomerSuccess@prevail.ai.

Final Testing and Login

After completing the SAML configuration, perform a final test login to confirm that the integration is functioning as expected. This includes verifying that the SSO process works and that users can log in using their enterprise credentials.

If the SSO integration does not function as expected, contact Customer Success at CustomerSuccess@prevail.ai for assistance.

Log in Using SSO

Learn how to log in to Prevail with your organization using your enterprise credentials.