Sanka
Back to SankaLogin

SAML SSO

Set up SAML single sign-on for a Sanka workspace, add SSO users, and troubleshoot login, domain, and access issues.

Last updated: May 28, 2026

Use this guide when your workspace signs in with SAML single sign-on. It explains what Sanka needs for setup, how SSO users are added, what login behavior to expect, and how to troubleshoot common domain, seat, and access issues before treating them as product bugs.

What SAML SSO does

SAML SSO lets workspace users sign in through your identity provider instead of a Sanka password. In Sanka, SSO affects:
  • The SSO sign-in tab on the login page.
  • Domain checks that send users to the correct identity provider.
  • Workspace user creation for people who should use SSO.
  • Password login and password reset behavior for SSO-only users.
  • Access troubleshooting when the email domain, user record, workspace seat, or identity provider assignment is not ready.
Sanka currently supports Okta-led SAML setup. Contact Sanka support if you need to confirm support for another identity provider.

Setup information to prepare

Before Sanka support configures SSO, prepare:
  • Workspace name and workspace owner contact.
  • Email domain that should use SSO, such as example.com.
  • Identity provider name, such as Okta.
  • Identity provider sign-in URL.
  • Identity provider entity ID.
  • Identity provider certificate.
  • The email attribute that Sanka should use to identify the user.
  • A test user who belongs to the domain and is assigned to the Sanka application in the identity provider.
  • Whether the workspace should require SSO-only login.
Do not send certificates or sensitive identity provider details through an insecure channel. Use the secure process provided by Sanka support.

Ask AI for a setup checklist

AI can help prepare a checklist and support response, but it should not invent identity provider values or change workspace access rules.
Sample prompt
/sanka Prepare a SAML SSO setup checklist for a Sanka workspace. Include the workspace owner, email domain, identity provider, sign-in URL, entity ID, certificate, email attribute, test user, SSO-only decision, seat availability, and validation steps. Do not invent missing identity provider values or change user access.

Set up SSO with Sanka support

  1. Contact Sanka support and request SAML SSO setup for the workspace.
  2. Share the workspace name, email domain, identity provider, and required SAML metadata through the secure support process.
  3. In your identity provider, create or open the Sanka application.
  4. Add the service provider entity ID and reply URL supplied by Sanka support.
  5. Configure the email attribute so Sanka receives the user's email address.
  6. Assign a small test group before rolling out to the whole company.
  7. Ask Sanka support to confirm when the domain is registered and ready for testing.

Add SSO users

After the domain is registered, workspace admins can add SSO users from the user invitation flow.
  1. Open Workspace > Users.
  2. Choose the option to add a SAML user.
  3. Enter the user's name and email address.
  4. Confirm the email domain matches the registered SSO domain.
  5. Confirm the workspace has an available seat.
  6. Add the user, then ask the user to sign in from the SSO tab.
If the email domain is not registered for SSO, Sanka should reject the SAML user creation and ask you to use another email address or finish the SSO setup first.

Expected login behavior

SituationExpected behavior
User enters an SSO-supported email domainSanka can redirect the user to the identity provider from the SSO sign-in flow.
Email domain is not registeredSanka should show that the domain is not supported for SSO.
Workspace requires SSO-only loginEmail and password login should be blocked for users in that workspace.
User was created as an SSO userPassword login and password reset should be blocked; the user should use SSO.
User is not assigned in the identity providerThe identity provider may reject login even when Sanka's domain setup is correct.
Workspace has no available seatsAdding a new SSO user should fail until a seat is available or the plan is updated.

Validate before rollout

Search Sanka...
SAML SSO checkpoints

Logs

Search logsAll actionsAll dates
ID / ActionDateTarget / ItemChangeActor
1Domain registeredMay 23, 2026SAML SSOWorkspace domain and identity provider metadata reviewedWorkspace admin
2Test user addedMay 23, 2026Workspace usersTest user email domain matched SSO domain and a seat was availableWorkspace admin
3SSO login verifiedMay 23, 2026LoginTest user signed in through the identity provider before rolloutIT admin

Use these checks before requiring SSO-only login or inviting the full team. Most SSO issues come from domain, identity provider assignment, certificate, email attribute, or seat setup.

Run these checks:
  1. Confirm the SSO tab recognizes a test user's email domain.
  2. Confirm the test user reaches the identity provider sign-in page.
  3. Confirm the identity provider returns the expected email address.
  4. Confirm the user lands in the correct Sanka workspace.
  5. Confirm password login is blocked only for users and workspaces that should be SSO-only.
  6. Confirm password reset is not offered as the recovery path for SSO-only users.

Troubleshoot SSO issues

IssueWhat to check
SSO domain is not supportedConfirm the email domain was registered with Sanka support and that the user entered the correct work email.
User cannot be added as a SAML userCheck the email format, registered domain, user permissions, workspace seat availability, and whether the user already exists.
Login redirects to the identity provider but fails thereCheck identity provider assignment, group membership, app status, certificate, and email attribute mapping.
User signs in but reaches the wrong workspaceConfirm the email address, workspace membership, and whether the user belongs to multiple Sanka workspaces.
Password login is blockedConfirm whether the workspace requires SSO-only login or the user was created as an SSO user.
Password reset is blockedSSO users should recover access through the identity provider, not Sanka password reset.
SSO worked before but stoppedCheck certificate rotation, identity provider app changes, domain changes, and whether the user was removed from the identity provider group.

AI-safe support guidance

When a customer reports an SSO issue, AI should first classify it as setup, domain, identity provider assignment, user provisioning, seat availability, SSO-only enforcement, or password recovery behavior. It should not propose a code change until those checks are complete.
Sample prompt
/sanka Review this SAML SSO issue before drafting a reply or code change. Check the user's email domain, whether SSO is registered for that domain, identity provider assignment, email attribute mapping, certificate changes, SSO-only workspace setting, workspace membership, seat availability, and password reset expectations. Summarize expected behavior, missing evidence, and next user-safe checks. Do not change access rules or propose a code change without human approval.
AI can safely draft a customer reply that explains which setup item to verify next. It should ask for human review before changing workspace access, adding users, enabling SSO-only login, or treating an identity provider rejection as a Sanka product bug.
PreviousHow to Invite and Manage Users and PermissionsNextWorkspace Settings