Configuring SSO
Our onboarding team will work with your IT team to complete the SSO configuration when your subscription is being set up.
If you're not familiar with your organization's Identity Provider (IdP) and SSO setup, make sure someone who has this information is involved in the SSO setup process.
Overleaf Commons provides a standard SAML-based single sign-on (SSO) option which requires your Identity Provider (IdP) to return a small set of SAML attributes to associate users with their Overleaf accounts and verify their participation in the subscription.
We're a registered Service Provider in UKAMF. Our SAML metadata is available from UKAMF, other affiliated federations, and online.
Configuration process
The SSO configuration process will be explained during your onboarding. You, or someone from your IT team, will be asked to:
Configure your IdP with Overleaf's SAML metadata. All authenticated users should be authorized to access the Overleaf application, and the attributes described on this page should be released.
Provide your IdP's metadata to the Overleaf onboarding team and identify which attributes will be used.
Assist with testing the trust relationship and verifying that the expected attributes are being sent.
Once the configuration is complete and tested, the Service Provider side of the configuration is reviewed by the Overleaf engineering team. SSO is then enabled when the subscription itself is enabled.
Required attributes
We ask you to provide attributes as follows:
A unique, persistent, non-reassigned user identifier. Typically this is ‘eduPersonPrincipalName’, provided it is unique, persistent, and non-reassigned, but it can be any ID field that meets those requirements.
An organization/institution email address. This identifies the user's affiliation in our system and may be used to provide notifications, such as invitations to their collaborators' projects. Usually, this is the ‘mail’ attribute.
First and last name attributes (optional). These attributes are used to initialize the user's account information, which can be updated by the user at any time.
An entitlement attribute (not always required). The value provided in this attribute can be used to identify users that should be placed on the subscription.
Authorization and entitlement
In almost all cases, all authenticated users should be authorized to access the Overleaf service. This allows users who are not participating in the subscription to continue to access the service but remain on the free plan. Subscription enrollment can be restricted by defining a user group through your IdP-provided tools. Group membership status can be sent to Overleaf as part of the SAML data during user authentication.
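When testing that the expected attributes are being sent, the attribute statement captured from a test login can be checked against the list above. The following is an added example, not Overleaf's code: the attribute names are common eduPerson/LDAP choices assumed for illustration, the entitlement value is a constructed placeholder, and the rule that the identifier must be single-valued is an assumption. It only inspects attributes in a test capture and does not verify the assertion's signature.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
# Assumed mapping; the attributes actually used are agreed during onboarding.
REQUIRED = {"user_id": "eduPersonPrincipalName", "email": "mail"}
OPTIONAL = ["givenName", "sn"]
# Entitlement attribute and a constructed placeholder value (hypothetical).
ENTITLEMENT = ("eduPersonEntitlement", "urn:example:overleaf:subscriber")

def attr(name, *values):
    """Build one constructed <saml:Attribute> element as text."""
    vals = "".join(f"<saml:AttributeValue>{v}</saml:AttributeValue>" for v in values)
    return f'<saml:Attribute FriendlyName="{name}">{vals}</saml:Attribute>'

def statement(*attrs):
    """Wrap constructed attributes in an AttributeStatement (no envelope, no signature)."""
    return f'<saml:AttributeStatement xmlns:saml="{SAML_NS}">{"".join(attrs)}</saml:AttributeStatement>'

# Constructed sample, standing in for what a test login would release.
SAMPLE = statement(
    attr("eduPersonPrincipalName", "jdoe@example.edu"),
    attr("mail", "jane.doe@example.edu"),
    attr("givenName", "Jane"), attr("sn", "Doe"),
    attr(*ENTITLEMENT),
)

def read_attributes(xml_text):
    """Return {attribute name: [non-empty values]} from an AttributeStatement."""
    attrs = {}
    for el in ET.fromstring(xml_text).iter(f"{{{SAML_NS}}}Attribute"):
        key = el.get("FriendlyName") or el.get("Name")
        values = [(v.text or "").strip() for v in el.findall(f"{{{SAML_NS}}}AttributeValue")]
        attrs.setdefault(key, []).extend(v for v in values if v)
    return attrs

def check_release(xml_text):
    """Report missing required attributes, missing optional ones, and entitlement."""
    attrs = read_attributes(xml_text)
    problems = []
    for role, name in REQUIRED.items():
        if not attrs.get(name):
            problems.append(f"{role}: no value released for {name}")
    if len(attrs.get(REQUIRED["user_id"], [])) > 1:
        problems.append("user_id: more than one value, identifier is ambiguous")
    return {"problems": problems,
            "missing_optional": [n for n in OPTIONAL if not attrs.get(n)],
            "on_subscription": ENTITLEMENT[1] in attrs.get(ENTITLEMENT[0], [])}

if __name__ == "__main__":
    print(check_release(SAMPLE))
```

A user with no problems but on_subscription set to False matches the case described above: authenticated and authorized to use the service, but remaining on the free plan.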
Updating the SSO Configuration
If any updates to the SSO configuration are required, including the provision of new certificates, please contact Overleaf Support.