Overleaf Commons supports a standard SAML single sign-on (SSO) configuration.

With Overleaf Commons SSO, new users can create their Overleaf accounts and enrol in the subscription (if eligible) by logging in with SSO. Users who already have an Overleaf account can link their SSO identity to their existing Overleaf account and join the subscription if eligible. We recommend that all authenticated users at an institution be authorized to log in to Overleaf, and if there are restrictions on which users should be added to the subscription, users' entitlements can be verified using data sent at log in time.

Users can log in to their Overleaf accounts with SSO either through your portal page or our main SSO login page.

Overleaf Commons provides a standard SAML-based single sign-on (SSO) option which requires your Identity Provider (IdP) to return a small set of SAML attributes to associate users with their Overleaf accounts and verify their participation in the subscription.

We're a registered Service Provider in UKAMF. Our SAML metadata is available from UKAMF, other affiliated federations, and online.

Configuration process

The SSO configuration process will be explained during your onboarding. You, or someone from your IT team, will be asked to:

1. Configure your IdP with Overleaf's SAML metadata. All authenticated users should be authorized to access the Overleaf application, and the attributes described on this page should be released.

2. Provide your IdP's metadata to the Overleaf onboarding team and identify which attributes will be used.

3. Assist with testing the trust relationship and verifying that the expected attributes are being sent.

Once the configuration is complete and tested, the Service Provider side of the configuration is reviewed by the Overleaf engineering team. SSO is then enabled when the subscription itself is enabled.

Required attributes

We ask you to provide attributes as follows:

• A unique, persistent, non-reassigned user identifier. Typically this is ‘eduPersonPrincipalName’, provided it is unique, persistent, and non-reassigned, but it can be any ID field that meets those requirements.

• An organization/institution email address. This identifies the user's affiliation in our system and may be used to provide notifications, such as invitations to their collaborators' projects. Usually, this is the ‘mail’ attribute.

• First and last name attributes (optional). These attributes are used to initialize the user's account information, which can be updated by the user at any time.

Authorization and entitlement

In almost all cases, all authenticated users should be authorized to access the Overleaf service. This allows users who are not participating in the subscription to continue to access the service but remain on the free plan. Subscription enrollment can be restricted by defining a user group through your IdP-provided tools. Group membership status can be sent to Overleaf as part of the SAML data during user authentication.

Updating the SSO Configuration

If any updates to the SSO configuration are required, including the provision of new certificates, please .

What is Overleaf Commons?

Overleaf Commons allows universities and organizations to provide access to Overleaf premium features across an entire campus or company, or to specific groups.

An Overleaf Commons subscription includes a custom portal, automatic validation and upgrade of eligible users, and an administrator hub and metrics to allow institutions to monitor the usage of their Commons subscription.

Enrollment in an Overleaf Commons subscription happens when a user confirms their institutional affiliation and eligibility. For Commons subscriptions that use single sign-on enrollment, the eligibility of authorized users is checked using entitlement data that is sent to Overleaf when the user logs in with SSO. For domain-based enrollment, users are added to the subscription when they confirm an institutional email address that has an entitled institutional domain.

Getting Overleaf Commons

Overleaf Commons is already available at and organizations. If your organization doesn't have an Overleaf Commons subscription but would like one,.

If you have further technical questions that aren't answered on these pages,

Overleaf Commons subscriptions are set up in collaboration with members of the Overleaf Support and Success teams. As part of the onboarding process, the Overleaf Support team will provide technical assistance and help with single sign-on and portal setup. Once the subscription is enabled, the Overleaf Success team will give an overview of the subscription's usage metrics and provide additional resources and information.

The setup process

Do you support SCIM?

System for Cross-domain Identity Management (SCIM), is a standard for automation of user provisioning. Because your system will not be provisioning users in Overleaf, SCIM is neither supported nor required. Individual users own their Overleaf accounts, these may be provisioned by the users before joining the subscription and can be retained by them after they leave.

Do you support Just in Time (JIT) Provisioning of user accounts?

Yes. If a user signs in via SSO and their SSO identifier does not match one in our system they can either (a) provision a new account or (b) identify an existing account under a different email that should be associated with the SSO identity.

Do you support IDP initiated authentication flows?

No, Overleaf only directly supports SP initiated flows for authentication. We do provide a url that may be provided to your users that can simulate an IDP initiated flow.

Overleaf Commons subscription includes a customized portal page where your users can find out more and join the subscription, view relevant templates, and access help resources. During onboarding, we work with you to customize your portal with text, images, and templates for your users.

Example of a custom portals can be found on our .

Portal pages typically include these sections: an Overview, the Quick Start section, a list of Featured Templates, and an FAQ & Help section.

• The Overview describes who the subscription is for, which could include all students and staff, or which might be restricted to a particular set of departments or roles. The Overview may state who is providing the subscription, particularly if it is sponsored by a university library or particular faculty. Overviews can optionally point to other pages hosted by the institution, which may provide additional information or reminders about information technology policies.

User account provisioning

Overleaf users provision their own Overleaf accounts and can either join an Overleaf Commons subscription with an existing Overleaf account or create a new account to join the subscription.

People who don't already have an Overleaf account can create a new account on the main or your own .

User enrollment

Overleaf Commons enrollment is based on the user being affiliated with your organization as indicated by a confirmed organization email address. Additional entitlement criteria can be applied (to limit the subscription to specific faculties, departments, or roles) in cases where has been configured.

Overleaf identifies user affiliation based on email addresses and we maintain a list of domains known to be associated with an organization to enable this. During the onboarding process, customers are asked to confirm the domains that are associated with their organization and are asked to notify Overleaf Support of any domain changes.

Non-SSO enrollment

If you don't provide SSO, a user's affiliation and enrollment in the subscription are based on their ability to confirm a valid organization email address. When a user adds an email address to their Overleaf account, they're sent an email and code that can be used to confirm their address.

All users with a valid email address belonging to your identified domains will be able to join the subscription. Overleaf Commons subscriptions that do not use SSO can only be restricted based on email domain, no other criteria can be applied.

See our for instructions on adding email addresses to an Overleaf account.

SSO enrollment

If you have with your subscription, this is used to confirm a user's affiliation. The data that is sent with the authentication response to Overleaf will indicate if the user should be enrolled in the Commons subscription, or if their account should remain on the free plan or their own subscription.

Answers to some common user issues

A user is not seeing their account upgraded.

For non-SSO subscriptions, enrollment in the subscription is based on the user confirming their email address and that email address having a domain that is recognized as part of the subscription. Users must confirm the email address on their Overleaf account to join the subscription. For SSO-based subscriptions, users must confirm their affiliation and eligibility by logging in to their Overleaf account via SSO. Users who encounter a problem in attempting to do this should .

A user is not receiving an address confirmation email.

Confirmation emails sometimes end up in a user's spam or junk folder, or in some cases may be blocked by the organization's mail server after having been incorrectly flagged as spam. Users should check any spam folders that they have access to and check with your IT Services team that they can receive emails from [email protected]. Users who encounter problems here are encouraged to .

A user is seeing a "something went wrong" message when logging in with SSO.

This indicates a problem in processing the SAML response for the user's authentication request. This may be a problem with particular user data or may indicate a more general problem, such as an expired certificate. Please if this error is observed, our team will check the logs and identify the source of the problem.

When SSO is enabled, there are a few login options for your users.

• Log in from the Overleaf login page, which includes a link to When a user provides an email with a recognized domain, we will automatically direct them to the institutional SSO portal.

• Log in from your Overleaf portal page, which will include a direct login link.

• If your institution has a console or other login page, we can provide a link that will facilitate the login process from your side.

Your Admin Hub displays data about users at your institution and their usage of Overleaf. Managers of the subscription can view the Admin Hub and metrics, and can invite other users to be managers. To access all these features, visit your subscription page and click through the View Admin Hub option.

Accessing your user list

The Admin Hub allows subscription managers to download a user list file (users.csv) that provides useful information about users that are currently affiliated with the institution and who are participating in the Overleaf Commons subscription.

To download a list of users, click the Download CSV link at the bottom of the page:

The users.csv file has several columns which are explained in the following sections.

user_id

Unique ID of the user.

You may notice that some user IDs appear twice in this list. This is because this list is a list of email addresses, rather than users -- therefore, users who have added more than 1 institutional email address are included more than once in the list.

We refer to it as the list of users for simplicity, but please keep in mind that there may be some duplicates.

email

The institutional email address of the user. They may have other email addresses on their account, for example, personal ones; these will not appear in this file.

role

The role the user has chosen on their Account Settings page. Users can select a role from a default list, or enter their own.

department

The department the user has chosen on their Account Settings page. They can select a department from a default list or from a department list provided to us during onboarding, or enter their own if they wish.

created_at

This is the date the user registered for their Overleaf account.

last_logged_in_at

This is the date they last logged in to Overleaf. Because Overleaf has five-day rolling sessions, very active users who access the service frequently from the same device may not need to log in often. Compare this value with last_active_at if you are evaluating the Overleaf usage of a particular user.

license

This states whether the user is entitled to and participates in the institutional subscription.

For institutions without SSO enabled, all users in the CSV list are eligible for the subscription, and therefore all have a value of TRUE in this column.

For institutions with SSO enabled, the user list may have users with either FALSE or TRUE values.

Users listed as license FALSE will include:

• Users who added their institutional email address but never linked their account via SSO. Some of these could be active but not yet linked, and others may be users who have left the institution.

• Users who have linked their account via SSO but are not eligible to participate in the subscription, usually because the subscription is restricted to certain departments or schools.

Users who are showing as FALSE may be on an individual subscription, a group subscription, or the free plan.

Note that if users have multiple email addresses at the institution and use them in their Overleaf account, they can only link one email via SSO. Therefore, because this is a list of email addresses rather than user accounts, you will see their other email address(es) in this list, and since these do not entitle them to the subscription, they would have a value of FALSE.

Users listed as license TRUE will be users who have linked their account via SSO and are eligible for and participating in the subscription.

sso_identifier

If SSO is enabled, this is the user's SSO identifier. This is a unique, persistent, and non-reassignable identifier that is sent to Overleaf for each user when they log in, and is used by Overleaf to look up the user account. This attribute may correspond to a particular field in your identity system, but this is opaque to Overleaf (our system is unaware of the meaning of the identifier that is sent). The field sent to Overleaf was decided in consultation with your IT services team when the subscription was set up, and it cannot be changed.

last_active_at

This is the date the user last opened a project in Overleaf.

You can access a metrics page that provides insights into how people are using Overleaf at your organization.

Date ranges

The date range for the metrics defaults to the last 30 days, displayed by day. You can change this to any date range, displayed by day, week, or month, by clicking on the date range and selecting a new one. This option is on the top right-hand side of the Metrics page.

Understanding the metrics

Each visualization on the metrics page includes a tooltip that provides more information about the displayed graph. When looking at each plot, mouse over the (?) to see tooltips.

You can also mouse over the plots for additional information and control which categories you see by clicking on the legend.

Downloading metrics data

The data provided on the metrics page can be downloaded using the Download CSV option on the Metrics page. The data available here is aggregate data. High-level user access data can be downloaded from the Admin Hub page ad described in .

Types of metrics available

Overleaf Commons is a fully managed service. Users provision their own user accounts, and any changes to the subscription are facilitated by Overleaf support.

An Overleaf Commons customer will designate some users at the institution to be subscription managers, who can access data about the subscription. An initial set of subscription managers will be designated when the subscription is set up. Existing managers can add or remove other managers from the managers list on their Subscription page under "Managed institution managers."

Subscription managers will have access to an , where you can get a snapshot of recent subscription use and download a complete user list. There are also available on the metrics page.

Understanding how users join or leave a subscription

The following pages will help you understand how your users enroll or unenroll from an Overleaf subscription.

User self-unenrollment

Users can leave an Overleaf Commons subscription without affecting the contents of their Overleaf account. All Overleaf accounts in an Overleaf Commons subscription are portable, and can freely leave the subscription to be on the free plan or to join another subscription.

Users can self-unenroll from the Overleaf Commons subscription by removing their institutional email address from their Overleaf account. Removing an institutional email address will unlink the SSO login that is associated with that address.

Primary and secondary email addresses

All users on Overleaf Commons subscriptions are encouraged to add a personal email address to their Overleaf account as a secondary email address. When they leave, they should make this their primary address instead to ensure they keep access to their account.

See our for instructions on managing email addresses and login options.

Reconfirmation and automatic unenrollment

To remain enrolled in your subscription, users must periodically reconfirm their institutional affiliation, a process that also validates their eligibility for the Overleaf Commons subscription.

Users who don't do this, or who are unable to reconfirm their institutional affiliation, will be removed from the subscription. Removing a user from the subscription doesn't affect their ability to access their Overleaf account, which will revert to the free plan.

When a user needs to reconfirm, they will see a prompt on their Overleaf account settings page and a notification on their project dashboard. Reconfirming their institutional email address and affiliation will allow them to remain on the subscription until the next reconfirmation is required. Common user questions about reconfirmation are answered in our .

Non-SSO reconfirmation

If you don't provide SSO, users reconfirm their affiliation by requesting that a confirmation email be sent to their affiliated email address. Their affiliation is reconfirmed by following the instructions provided in the email that is sent to them.

SSO reconfirmation

For institutions that provide SSO, users automatically reconfirm their affiliation each time they log in with SSO. This means that in most cases, users never see a reconfirmation prompt because they are automatically reconfirmed with each login.