
SSO/SAML Access

Organization users can log in to Prevail through SSO integration using their client Organization credentials rather than directly signing in with an email and password on the Prevail site.

Microsoft Entra and Google Workspace corporate Identity Provider OAuth2 integration does not require configuration; users can log in by selecting Continue with Google or Continue with Microsoft on the login page.

You may need to configure your Firewall Settings or connect from outside a VPN.

Enable SSO/SAML

Prevail can integrate with any Security Assertion Markup Language Identity Provider (SAML IdP), including Microsoft Entra, Google Workspace, and Okta. SAML offers additional security and administration features, such as sharing user groups and group memberships. SAML integration requires a setup process for each enterprise. In the SAML model, Prevail serves as the Service Provider (SP), and the enterprise supplies the IdP, whether that’s internal to the enterprise or a third-party such as Entra or Okta.

Permissions

1. Obtain Your SAML Configuration File

The first step in setting up SAML integration is to prepare your SAML configuration file. While the exact details may vary slightly between IdPs, this file must contain, at a minimum, the Entity ID, X509 certificate, and endpoint URLs. Below is an example configuration file:

<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     entityID="https://accounts.google.com/o/saml2?idpid=C03m0b1w1"
                     validUntil="2026-04-15T17:13:09.000Z">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
                       protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>
            MIIDdDCCAlygAwIBAgIyaddayaddayaddau3CTSH4YihqnkQkNhD6H9fsInau+ROtC7V
            <!-- Certificate content truncated for brevity -->
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>
      urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
    </md:NameIDFormat>
    <md:SingleSignOnService
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://accounts.google.com/o/saml2/idp?idpid=C03m0b1w1" />
    <md:SingleSignOnService
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://accounts.google.com/o/saml2/idp?idpid=C03m0b1w1" />
  </md:IDPSSODescriptor>
</md:EntityDescriptor>

For guidance on creating your SAML file, consult the documentation for your IdP. You can reference the following instructions for a few of the most popular IdPs:

2. Send Your SAML File to Prevail

After preparing your SAML file, forward it to the Prevail Support team to proceed with the integration setup. This file does not contain PII or private certificates, so it does not need to be kept secret.

3. Configure Your Identity Provider

Download Prevail’s Service Provider metadata. This file contains essential information such as the ACS (Assertion Consumer Service) URI and Entity ID. Use this file to configure the Service Provider in your Identity Provider:

  1. Create a new SAML integration in your IdP’s admin dashboard using Prevail's Entity ID/Connection ID and Assertion Consumer Service (ACS) URL. Contact Customer Success at CustomerSuccess@prevail.ai for assistance if needed.
    • Entity ID/Connection ID: https://prevail.ai/users/saml/metadata
    • Assertion Consumer Service (ACS) URL: https://prevail.ai/users/saml/auth
  2. Verify the ACS URI and Entity ID match correctly. Some Identity Providers can directly consume the SP metadata file, while others may require you to manually extract information from the file and enter it into appropriate fields. Refer to your IdP's documentation on how to create a new SAML integration.
  3. Provide user attributes to align user data from your IdP with what Prevail expects. Here are the default attributes. If your attributes differ, let us know:
    • first_name
    • last_name
    • email
  4. Provide the SAML attribute name for groups if your Organization uses groups. The default attribute is typically "groups," but this may vary depending on your Identity Provider (IdP). This information is essential for setting up group assignments correctly within Prevail.
  5. Decide on the merge style, which controls how group memberships are managed: whether the group names passed on each SAML login replace the user's existing org member groups or are merged with them. If your IdP passes the full list of groups on each login, setting the merge style to "replace" is recommended to keep group assignments accurate. Discuss this setting with the Prevail support team during SAML setup to choose the option that best fits your Organization's needs.
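To make steps 3 to 5 concrete, here is an added Python example (not Prevail's code) that maps the attributes of a decoded, already-verified assertion onto the three default user fields plus groups, and then shows why "replace" keeps group assignments accurate when the IdP sends the full group list on every login. The default attribute names are the page's; the CLAIM_URI_ATTRIBUTE_MAP override, the "replace"/"merge" style names, and SAMPLE_ASSERTION are assumptions constructed for illustration.

```python
"""Map SAML assertion attributes onto the user fields Prevail expects and apply the
group merge style. Added example, not Prevail's code: the field and attribute
names are the page's defaults; the merge-style values "replace" and "merge", the
claim-URI override and the sample assertion are constructed for illustration.
"""
from __future__ import annotations

# Prevail field -> SAML attribute name, using the page's defaults.
DEFAULT_ATTRIBUTE_MAP = {"first_name": "first_name", "last_name": "last_name",
                         "email": "email", "groups": "groups"}

# Illustrative override for an IdP that emits standard claim URIs instead of plain names
# (the "if your attributes differ" case on the page).
CLAIM_URI_ATTRIBUTE_MAP = {
    "first_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
    "last_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "groups": "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups",
}

# SAML attributes are multi-valued. Constructed sample: an assertion whose signature
# has already been verified and whose attributes have been decoded into lists.
SAMPLE_ASSERTION = {
    "first_name": ["Jane"],
    "last_name": ["Doe"],
    "email": ["Jane.Doe@example.com"],
    "groups": ["legal", "litigation-support"],
}


def map_attributes(assertion: dict[str, list[str]],
                   attribute_map: dict[str, str] | None = None) -> dict[str, object]:
    """Build a user record from assertion attributes; raise if a required field is absent."""
    amap = {**DEFAULT_ATTRIBUTE_MAP, **(attribute_map or {})}
    missing = [f for f in ("first_name", "last_name", "email") if not assertion.get(amap[f])]
    if missing:
        raise ValueError(f"assertion lacks required attribute(s): {missing}")
    return {
        "first_name": assertion[amap["first_name"]][0].strip(),
        "last_name": assertion[amap["last_name"]][0].strip(),
        # Normalise the login identifier so 'Jane.Doe@' and 'jane.doe@' map to one account.
        "email": assertion[amap["email"]][0].strip().lower(),
        # Groups are optional; drop empty values some IdPs emit for users with no groups.
        "groups": [g.strip() for g in assertion.get(amap["groups"], []) if g.strip()],
    }


def apply_merge_style(existing: set[str], asserted: list[str], merge_style: str) -> set[str]:
    """'replace' treats the IdP as the source of truth; 'merge' only ever adds groups."""
    if merge_style == "replace":
        return set(asserted)
    if merge_style == "merge":
        return existing | set(asserted)
    raise ValueError(f"unknown merge style {merge_style!r}")


def simulate_group_drift(merge_style: str) -> set[str]:
    """A user was removed from 'admins' at the IdP; show what their Prevail groups become."""
    before = {"legal", "admins"}                                # membership from an earlier login
    login_groups = map_attributes(SAMPLE_ASSERTION)["groups"]  # IdP now sends the current full list
    return apply_merge_style(before, login_groups, merge_style)
```

With "replace", the stale "admins" membership disappears on the next login; with "merge" it survives, because merging can only add. That is the accuracy trade-off the merge-style setting controls, and why "replace" is the recommendation when the IdP sends every group on each login.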

4. Perform Test Group Integration

After setting up group attributes, perform a test login to verify that group assignments are accurately reflected in Prevail. Check that users are placed into the appropriate groups according to your configuration. If group assignments do not align with expectations, or if there are any issues with the integration, contact Prevail support for further assistance at CustomerSuccess@prevail.ai.

5. Perform Final Testing and Login

After completing the SAML configuration, perform a final test login to confirm that the integration is functioning as expected. This includes verifying that the SSO process works and that users can log in using their enterprise credentials.

If the SSO integration does not function as expected, contact Customer Success at CustomerSuccess@prevail.ai for assistance.

Manage SSO Options

Organization administrators can control how users authenticate with Prevail by restricting SSO provider connections and requiring enterprise login.

Restrict SSO Options for Users

To prevent Organization users from linking to external SSO providers, Organization administrators can disable SSO connection options from the Organization settings. On the user’s Password & Security page, options to link Google and Microsoft SSO connections are disabled. An alert message informs the user that their Organization requires enterprise login (SAML) and existing Google and Microsoft SSO connections cannot be used for signing in.

Requirements
Permissions
  1. Log into your Prevail account.
  2. On the Navigation menu, click Organizations.
  3. Click the Organization name.
  4. Click the Pencil icon.
  5. In the Security Settings section, select Hide SSO Options for Members.
  6. Click Save Changes.

    Organization users can no longer connect new SSO providers from the Password & Security page.

Require Single Sign-On (SSO)

To ensure all Organization users log in to Prevail through their Organization’s SSO, configure your Organization to block direct login attempts from personal accounts. When SSO is required, users with an email address linked to your Organization’s domain must log in through the Organization’s SSO.

Requirements
Permissions
  1. Log into your Prevail account.
  2. On the Navigation menu, click Organizations.
  3. Click the Organization name.
  4. Click the Pencil icon.
  5. Select Block direct login.
  6. Click Save Changes.

Configure SAML Authentication Requirements

Organization administrators can set identity assurance and multi-factor authentication (MFA) requirements for users who log in through SAML. These settings configure the default authentication requirements for your Organization’s Sessions.

Requirements
Permissions

SAML Identity Assurance Level (IAL)

The SAML Identity Assurance Level (IAL) sets the level of identity verification required to access your Organization’s Sessions. If you are unsure which level your Identity Provider supports, leave the IAL on its default selection. Selecting IAL2 when your provider only supports IAL1 will prevent users from accessing Sessions.

  • IAL1 — Standard authentication without real-world identity verification. Appropriate for most Organizations using providers like Okta or Microsoft Entra.
  • IAL2 — Your Identity Provider has confirmed each user’s real-world identity through methods such as document verification or facial matching. Typically only available through government Identity Providers such as Login.gov with identity proofing enabled.

SAML MFA Required

To require multi-factor authentication for your Organization’s Sessions, select SAML MFA Required. When selected, users must log in with MFA to access Sessions. Users who log in without MFA will be unable to join Sessions. Only select this option if your Identity Provider requires MFA for all users. If MFA is optional or only enabled for some users, leave this unselected.

  1. Log into your Prevail account.
  2. On the Navigation menu, click Organizations.
  3. Click the Organization name.
  4. Click the Pencil icon.
  5. In the Security Settings section, select the appropriate SAML Identity Assurance Level (IAL) from the dropdown.
  6. If your Identity Provider enforces MFA for all users, select SAML MFA Required.
  7. Click Save Changes.

Copyright ©2026 Prevail Legal

Last modified: March 20, 2026