This feature is only available to organization owners and administrators.
Zulip supports using SAML authentication for single sign-on, both for Zulip
Cloud and self-hosted Zulip servers. SAML Single Logout is also supported.
This page describes how to configure SAML authentication with several common providers:
Okta
OneLogin
AzureAD
Keycloak
Auth0
Other SAML providers are supported as well.
If you are self-hosting Zulip, please follow the detailed setup instructions in
the SAML configuration for self-hosting. The documentation
on this page may be a useful reference for how to set up specific SAML
providers.
Zulip Cloud customers who wish to use this feature must upgrade to
the Zulip Cloud Plus plan.
Configure SAML
Okta
Make sure your Zulip Cloud organization is on the Zulip Cloud
Plus plan.
Set up SAML authentication by following
Okta's documentation.
Specify the following fields, skipping Default RelayState and Name ID format:
Single sign on URL: https://auth.zulipchat.com/complete/saml/
Audience URI (SP Entity ID): https://zulipchat.com
Application username format: Email
Attribute statements:
email to user.email
first_name to user.firstName
last_name to user.lastName
Assign the appropriate accounts in the Assignments tab. These are the users
that will be able to log in to your Zulip organization.
If you are using Zulip Cloud, we'll take it from here! Please e-mail
support@zulip.com with the following information:
Your organization's URL
The Identity Provider metadata provided by Okta for the application.
To get the data, click the View SAML setup instructions button in
the right sidebar in the Sign on tab.
Copy the IdP metadata shown at the bottom of the page.
How you would like the Zulip log in button to be labeled: “Log in with...”
(optional) An icon to use on the log in button
OneLogin
Make sure your Zulip Cloud organization is on the Zulip Cloud
Plus plan.
Navigate to the OneLogin Applications page, and click Add App.
Search for the SAML Custom Connector (Advanced) app and select it.
Set a name and logo and click Save. This doesn't affect anything in Zulip,
but will be shown on your OneLogin Applications page.
In the Configuration section, specify the following fields. Leave the
remaining fields as they are, including blank fields.
In the Parameters section, add the following custom parameters. Set the
Include in SAML assertion flag on each parameter.
Field name | Value
email | Email
first_name | First Name
last_name | Last Name
username | Email
If you are using Zulip Cloud, we'll take it from here! Please e-mail
support@zulip.com with the following information:
Your organization's URL
The issuer URL from the SSO section. It contains required Identity Provider metadata.
How you would like the Zulip log in button to be labeled: “Log in with...”
(optional) An icon to use on the log in button
AzureAD
Make sure your Zulip Cloud organization is on the Zulip Cloud
Plus plan.
From your AzureAD Dashboard, navigate to Enterprise applications,
click New application, followed by Create your own application.
Enter a name (e.g., Zulip Cloud) for the new AzureAD application,
choose Integrate any other application you don't find in the
gallery (Non-gallery), and click Create.
From your new AzureAD application's Overview page that opens, go to
Single sign-on, and select SAML.
In the Basic SAML Configuration section, specify the following fields:
Identifier (Entity ID): https://zulipchat.com
Default: checked (This is required for enabling IdP-initiated sign on.)
Reply URL (Assertion Consumer Service URL): https://auth.zulipchat.com/complete/saml/
If you want to set up IdP-initiated sign on, in the Basic SAML
Configuration section, also specify:
Check the User Attributes & Claims configuration, which should already be
set to the following. If the configuration is different, please
indicate this when contacting support@zulip.com
(see next step).
givenname: user.givenname
surname: user.surname
emailaddress: user.mail
name: user.principalname
Unique User Identifier: user.principalname
If you are using Zulip Cloud, we'll take it from here! Please e-mail
support@zulip.com with the following information:
Your organization's URL
From the SAML Signing Certificate section:
App Federation Metadata Url
Certificate downloaded from Certificate (Base64)
From the Set up section
Login URL
Azure AD Identifier
How you would like the Zulip log in button to be labeled: “Log in with...”
(optional) An icon to use on the log in button
Keycloak
Make sure your Zulip Cloud organization is on the Zulip Cloud
Plus plan.
Make sure your Keycloak server is up and running.
In Keycloak, register a new Client for your Zulip organization:
Client-ID: https://zulipchat.com
Client Protocol: saml
Client SAML Endpoint: (empty)
In the Settings tab for your new Keycloak client, set the following properties:
Valid Redirect URIs: https://auth.zulipchat.com/*
Base URL: https://auth.zulipchat.com/complete/saml/
Client Signature Required: Disable
In the Mappers tab for your new Keycloak client:
Create a Mapper for the first name:
Property: firstName
Friendly Name: first_name
SAML Attribute Name: first_name
SAML Attribute Name Format: Basic
Create a Mapper for the last name:
Property: lastName
Friendly Name: last_name
SAML Attribute Name: last_name
SAML Attribute Name Format: Basic
Create a Mapper for the email address:
Property: email
Friendly Name: email
SAML Attribute Name: email
SAML Attribute Name Format: Basic
If you are using Zulip Cloud, we'll take it from here! Please e-mail
support@zulip.com with the following information:
Your organization's URL
The URL of your Keycloak realm.
How you would like the Zulip log in button to be labeled: “Log in with...”
(optional) An icon to use on the log in button
Your Keycloak realm URL will look something like this: https://keycloak.example.com/auth/realms/yourrealm.
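The Okta, OneLogin and Keycloak setups above all send the attributes email, first_name and last_name to the same Zulip Cloud entity ID and sign-on URL. The following Python check is an added example, not part of Zulip's documentation or code: it lints a decoded assertion from your own test login against those values. The function names and the sample assertion are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EXPECTED_AUDIENCE = "https://zulipchat.com"                 # SP Entity ID from this page
EXPECTED_ACS = "https://auth.zulipchat.com/complete/saml/"  # sign-on (ACS) URL from this page
REQUIRED_ATTRS = ("email", "first_name", "last_name")       # attribute names from this page

def check_assertion(xml_text):
    """List IdP configuration problems in a decoded assertion from your own test login.
    Configuration lint only: it does NOT verify the signature or establish trust."""
    root = ET.fromstring(xml_text)
    assertion = root if root.tag.endswith("}Assertion") else root.find(".//saml:Assertion", NS)
    if assertion is None:
        return ["no saml:Assertion element found"]
    problems = []
    audiences = [a.text.strip() for a in assertion.iterfind(".//saml:Audience", NS) if a.text]
    if EXPECTED_AUDIENCE not in audiences:
        problems.append(f"audience {audiences} does not include {EXPECTED_AUDIENCE}")
    recipients = [d.get("Recipient")
                  for d in assertion.iterfind(".//saml:SubjectConfirmationData", NS)]
    if EXPECTED_ACS not in recipients:
        problems.append(f"recipient {recipients} does not include {EXPECTED_ACS}")
    attrs = {}
    for attr in assertion.iterfind(".//saml:Attribute", NS):
        values = [v.text.strip() for v in attr.iterfind("saml:AttributeValue", NS) if v.text]
        attrs[attr.get("Name", "")] = [v for v in values if v]
    for name in REQUIRED_ATTRS:
        if not attrs.get(name):
            problems.append(f"attribute {name!r} missing or empty (IdP sent: {sorted(attrs)})")
    return problems

def sample(audience, first_name_attr):
    """Constructed assertion (not captured from a real IdP) for exercising the check."""
    def attr(name, value):
        return (f'<saml:Attribute Name="{name}">'
                f'<saml:AttributeValue>{value}</saml:AttributeValue></saml:Attribute>')
    return (
        f'<saml:Assertion xmlns:saml="{NS["saml"]}">'
        f'<saml:Subject><saml:SubjectConfirmation>'
        f'<saml:SubjectConfirmationData Recipient="{EXPECTED_ACS}"/>'
        f'</saml:SubjectConfirmation></saml:Subject>'
        f'<saml:Conditions><saml:AudienceRestriction><saml:Audience>{audience}'
        f'</saml:Audience></saml:AudienceRestriction></saml:Conditions>'
        f'<saml:AttributeStatement>{attr("email", "user@example.com")}'
        f'{attr(first_name_attr, "Ada")}{attr("last_name", "Example")}'
        f'</saml:AttributeStatement></saml:Assertion>')

if __name__ == "__main__":
    # Mapper left at the user property name and a wrong entity ID: two findings.
    for problem in check_assertion(sample("https://example.com", "firstName")):
        print("PROBLEM:", problem)
```

An empty result means the audience, recipient and attribute names match this page; signature and certificate validation remain the job of the service provider.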
Auth0
Make sure your Zulip Cloud organization is on the Zulip Cloud
Plus plan.
Set up SAML authentication by following Auth0's documentation
to create a new application. You don't need to save the certificates or other information detailed.
All you will need is the SAML Metadata URL.
In the Addon: SAML2 Web App Settings tab, set the Application Callback URL to
https://auth.zulipchat.com/complete/saml/.