Custom SAML for the Nylas Dashboard

This is for Dashboard organization login. If you want to let your app’s end users authenticate with an external IdP, see Nylas Connect external IdP instead.

Where to find SAML settings: In the Nylas Dashboard, click your organization name in the top-left, then go to Settings in the sidebar. Select the SAML SSO tab (direct link: dashboard-v3.nylas.com/organization/settings/identity).

You must have Admin or Owner access to see this tab.

This guide covers the second step of the SAML SSO wizard: exchanging service provider (SP) details with your IdP to establish the SAML trust. You must verify your company domain first before this step unlocks.

For IdP-specific click-throughs, see the Okta SAML guide or the Google Workspace SAML guide.

Service provider values

To find these values, go to Settings > SAML SSO in the Nylas Dashboard, then expand the Connect your identity provider step. The SP values appear under Service provider details for your IdP.

Nylas SP value	Where to paste it in your IdP
Metadata URL	Import metadata URL (if your IdP supports it; this imports SP Entity ID and ACS URL automatically)
SP Entity ID	Audience URI, Audience Restriction, or Identifier (Entity ID)
ACS URL	Single sign-on URL, Reply URL, or Assertion Consumer Service URL

Use the metadata URL when your IdP supports it. It imports both the Entity ID and ACS URL in one step, and Nylas keeps it current if values change.

Required SAML attributes

Your IdP must send the following attributes in the SAML assertion:

Attribute	Required	Notes
NameID (email format)	Yes	The user’s work email address. This is how Nylas identifies the user.
groups	Only for role mapping	A multi-value attribute listing the user’s IdP group names. Required if you configure group-to-role mapping in step 3. Nylas only updates roles on login when mappings exist and the assertion includes at least one group value.

Other attributes in the assertion are ignored.

Custom SAML

1. Open Organization settings > SAML SSO in the Nylas Dashboard.
2. Expand the Connect your identity provider step.
3. Under Service provider details for your IdP, copy the Metadata URL, SP Entity ID, and ACS URL (use the Copy button next to each value).
4. In your IdP, create a new SAML 2.0 application (the exact path varies by IdP). Paste the SP values from step 3. If your IdP supports importing from a metadata URL, paste the Metadata URL to fill both SP Entity ID and ACS URL automatically.
5. Configure the NameID to send the user’s email address in EmailAddress format.
6. If you plan to use group-to-role mapping, add a groups attribute that sends the user’s group memberships.
7. Complete the IdP app setup and download or copy your IdP’s metadata XML (or metadata URL).
8. Back in the Nylas Dashboard, scroll to Identity provider metadata. Paste the IdP metadata XML into the IdP Metadata XML field, or click Upload XML file to load it from disk. Click Save configuration.

After saving, the Connected IdP card shows the extracted SSO URL and Entity ID to confirm the metadata was parsed correctly.

Test SAML login

After saving the IdP configuration:

1. Open a private or incognito browser window.
2. Go to the Nylas Dashboard login page.
3. Enter an email address on your verified domain and click Continue.
4. You should be redirected to your IdP’s login page.
5. Sign in with the IdP account.
6. On success, you land back in the Nylas Dashboard.

If login fails, see Troubleshooting.

What’s next

• Manage user access: Configure JIT provisioning, default role, and group-to-role mapping in step 3 of the wizard.
• Require SAML sign-in: Enforce SSO for all users on verified domains once you confirm login works.