Use SAML SSO to let your organization members sign in to the Nylas Dashboard with your company identity provider (IdP), such as Okta or Google Workspace. Once configured, your team logs in through your existing corporate accounts instead of separate Nylas passwords.
SAML SSO vs. Nylas Connect external IdP
These are two different features that are easy to confuse:
| | Dashboard SAML SSO | Nylas Connect external IdP |
|---|---|---|
| Who signs in | Your organization members | Your app’s end users |
| Purpose | Access the Nylas Dashboard | Connect email/calendar grants |
| Where to configure | Org settings > SAML SSO | App > Hosted Authentication > Identity Providers |
| Guide | This page | Nylas Connect external IdP |
Key concepts
IdP (Identity Provider): The service that manages your users and authenticates them. Examples: Okta, Google Workspace, Microsoft Entra ID.
SP (Service Provider): The application users are logging in to. In this context, the Nylas Dashboard is the SP.
ACS URL (Assertion Consumer Service URL): The endpoint on the Nylas side where your IdP sends the SAML response after a user authenticates. Shown in the Dashboard wizard.
Entity ID: A unique identifier for the Nylas SP. Paste this into your IdP when creating the SAML app.
Metadata XML: An XML document that describes a SAML party (IdP or SP). Exchanging metadata between Nylas and your IdP sets up the trust relationship.
JIT provisioning (Just-in-time provisioning): Automatically creates a Dashboard account for a user the first time they sign in via SAML, without a separate invitation.
HRD (domain-based IdP routing): The mechanism that detects, from a user’s email domain, which IdP to redirect them to.
How SAML login works
After setup, login for a user on a verified domain looks like this:
- User enters their work email on the Nylas Dashboard login page and clicks Continue.
- Nylas detects the verified domain and redirects to your IdP.
- The user authenticates with your IdP (password, MFA, etc.).
- The IdP sends a signed SAML assertion back to Nylas.
- Nylas validates the assertion and creates (or updates) a Dashboard session.
- The user lands in the Dashboard. On first login with JIT provisioning enabled, a new account is created automatically.
Before you begin
- You need Admin or Owner access on the Nylas organization. Members and Support roles can view organization settings but cannot configure SAML SSO.
- Your IdP must support SAML 2.0.
- You must be able to add a DNS TXT record for the domain your team uses for email.
- SAML SSO is configured in the Nylas Dashboard under Settings > SAML SSO (or go directly to dashboard-v3.nylas.com/organization/settings/identity).
Set up SAML SSO
The SAML SSO settings page uses an accordion with four steps. Click a step to expand it. Locked steps stay collapsed until the previous step is complete. Completed steps show a green checkmark and can be reopened at any time.
- Verify your company domain: Click Add your company domain, add a DNS TXT record to prove you control the email domain your team uses, then click Verify. SAML setup unlocks after at least one domain is verified.
- Connect your identity provider: Copy the Nylas service provider (SP) details from the Dashboard into your IdP app, then paste or upload your IdP metadata XML back into Nylas. See Custom SAML for details.
- Manage user access: Choose whether new users are created automatically on first sign-in (JIT provisioning), set a default Dashboard role, and optionally map IdP groups to roles (`user`, `admin`, or `support_logs`). The `owner` role cannot be assigned through group mapping. Role updates on login only run when group mappings are configured and the SAML assertion includes a `groups` attribute.
- Require SAML sign-in: After you confirm SAML works, optionally require SSO for everyone on your verified domains. Password and social login are blocked for those users when enforcement is on. Organization owners retain password access as a break-glass measure.
Removing the last verified domain automatically deletes the SAML configuration and turns off SSO enforcement. If SAML is still connected but no verified domain remains, the domain step shows a warning with a Remove SAML configuration button.
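Before relying on group mapping in the Manage user access step, it helps to confirm that your IdP actually sends a `groups` attribute and that no mapping targets `owner`. The following is an added example, not Nylas code: the sample assertion, group names and function names are constructed for illustration, and because this page does not say how several matching groups are resolved, it returns every candidate role.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Roles this page lists as assignable through group mapping (owner is excluded).
ASSIGNABLE_ROLES = {"user", "admin", "support_logs"}

# Constructed sample: a decoded assertion captured from your own IdP test login.
# This inspects attributes only; it does not verify the assertion signature.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="email">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>eng-platform</saml:AttributeValue>
      <saml:AttributeValue>support-tier2</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def invalid_mappings(mapping):
    """Return group->role entries whose role cannot be set by group mapping."""
    return {g: r for g, r in mapping.items() if r not in ASSIGNABLE_ROLES}


def groups_in_assertion(xml_text):
    """Return the values of the 'groups' attribute, or None if it is absent."""
    root = ET.fromstring(xml_text)
    path = ".//saml:AttributeStatement/saml:Attribute"
    for attr in root.iterfind(path, SAML_NS):
        if attr.get("Name") == "groups":
            values = attr.findall("saml:AttributeValue", SAML_NS)
            return [(v.text or "").strip() for v in values]
    return None


def candidate_roles(xml_text, mapping):
    """Roles the mapping would select; None means no role update runs on login."""
    if not mapping:
        return None  # no group mappings configured
    groups = groups_in_assertion(xml_text)
    if groups is None:
        return None  # assertion carries no groups attribute
    return {mapping[g] for g in groups if g in mapping}
```

A `None` result on a real test login means the default Dashboard role is all a user will get, which usually points to a missing group attribute statement in the IdP app.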
Supported identity providers
Any IdP that supports SAML 2.0 works with the Nylas Dashboard. Setup guides are available for the most common ones:
| Identity provider | Guide |
|---|---|
| Google Workspace | Google Workspace SAML setup guide |
| Okta | Okta SAML setup guide |
| Microsoft Entra ID (Azure AD) | Coming soon |
For all other SAML 2.0 IdPs, follow the Custom SAML guide.
What’s next
- Custom SAML: SP field values, metadata exchange, required attributes.
- Troubleshooting: Fix common setup and login errors.
- Organization members and roles: Understand how roles apply before setting group mappings.