At a glance
Single Sign-On (SSO) is an authentication process that allows users to access multiple applications with a single set of login credentials. Instead of managing separate usernames and passwords, employees sign in once through a trusted identity provider (IdP). This reduces password fatigue, improves security, and simplifies compliance management. NEXT AI supports Security Assertion Markup Language (SAML 2.0) for Single Sign-On.
NEXT AI’s SSO Support with SAML
NEXT AI supports Security Assertion Markup Language (SAML 2.0) for Single Sign-On. SAML is an industry-standard protocol for exchanging authentication and authorization data between an identity provider and a service provider. With SAML-based SSO, enterprise users can securely authenticate to NEXT AI using their existing corporate identity systems.
Supported Identity Providers
NEXT AI integrates with major enterprise identity providers, including:
Okta
Azure Active Directory (Entra ID)
Google Workspace
OneLogin
Ping Identity
Benefits for Enterprises
Stronger security through centralized identity management
Reduced password-related risks and IT support tickets
Faster onboarding and off-boarding with automated account provisioning
Improved compliance with enterprise security policies
Benefits for Users
Users can use their existing company credential to access NEXT AI
Reduced password-related risks
Login flow with SSO
Administrators can configure SAML SSO in Settings & Members > SSO by exchanging metadata with the chosen identity provider. Once enabled, users are redirected to the corporate login page for authentication before accessing NEXT AI.
Log in with SSO becomes available on the login page of the workspace.
Clicking Log in with SSO forwards the user to the organization's identity provider (e.g. Active Directory).
The identity provider authenticates the user and sends the user back to NEXT AI.
NEXT AI checks whether the authenticated user already has an account. If not, a new account is created on the fly, which provides seamless access.
The user is logged into NEXT AI.
How to set up SSO (step-by-step guide)
Follow these steps to enable SAML SSO:
Step 1 : Find SAML input
Log into NEXT with an Administrator account and go to Settings & Members > SSO. Copy the various inputs, like Entity ID, that you will need to set up your identity provider. For example:
Step 2 : Configure your identity provider
Step 2.1 : Create application in your identity provider
Set up an application for NEXT AI in your identity provider (e.g. Microsoft's Azure Active Directory). Use the input values from above for "Entity ID", "Reply URL", etc.
Configure the application logo so that users can identify the application in the application directory (please find the logo attached to this article).
Here is an example from Azure Active Directory:
Step 2.2 – Configure the claims provided by the identity provider to NEXT AI
Claim | Contents | Required?
--- | --- | ---
NameID | Unique identifier. This must use the persistent SAML NameID format. | Required
role | Initial user role in the NEXT application. Each user must have exactly one of the available roles: admin, user, guest. This value is only used when initially provisioning a user; afterwards, the user role can be adjusted through NEXT's administrative interface. | Optional (default is "user")
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress | Email address of the user for receiving mails. This should be in the regular RFC822 format ( | Required
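The following Python snippet is an added example (not NEXT AI's own code) that shows what the claim rules in the table above mean when applied to an actual assertion: the NameID must carry the persistent format, the emailaddress claim must be present exactly once and look like an RFC 822 address, and the role claim is optional, defaults to "user" and must be one of admin, user, guest. The assertion it parses is constructed inline and unsigned; the `build_assertion` helper, the `extract_claims` function and the regular expression used for the email check are this example's own assumptions.

```python
import re
import xml.etree.ElementTree as ET

# SAML 2.0 assertion namespace and the identifiers named in the claims table.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
ALLOWED_ROLES = {"admin", "user", "guest"}
# Minimal RFC 822-style check (assumption of this example): one "@", non-empty
# local part and a dotted domain, no whitespace.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def build_assertion(name_id_format=PERSISTENT, email="alice@example.com", role="admin"):
    """Return a constructed, unsigned sample assertion for demonstration only."""
    role_attr = ""
    if role is not None:
        role_attr = ('<saml:Attribute Name="role">'
                     f"<saml:AttributeValue>{role}</saml:AttributeValue></saml:Attribute>")
    return f"""<saml:Assertion xmlns:saml="{NS['saml']}" ID="_constructed-1" Version="2.0">
  <saml:Subject><saml:NameID Format="{name_id_format}">9f1c2e7a-example</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="{EMAIL_CLAIM}"><saml:AttributeValue>{email}</saml:AttributeValue></saml:Attribute>
    {role_attr}
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_claims(assertion_xml: str) -> dict:
    """Validate NameID, email and role of one assertion against the claims table.

    Returns {"name_id", "email", "role"}; raises ValueError naming the first
    claim that violates the table.
    """
    root = ET.fromstring(assertion_xml)

    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("NameID is required")
    if name_id.get("Format") != PERSISTENT:
        raise ValueError("NameID must use the persistent format, got %r" % name_id.get("Format"))

    # Collect every attribute as name -> list of values.
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        attrs[attr.get("Name")] = values

    emails = attrs.get(EMAIL_CLAIM, [])
    if len(emails) != 1 or not EMAIL_RE.match(emails[0]):
        raise ValueError("exactly one RFC 822 email address claim is required")

    roles = attrs.get("role", [])
    if len(roles) > 1:
        raise ValueError("each user must have exactly one role")
    role = roles[0] if roles else "user"  # optional claim, default "user"
    if role not in ALLOWED_ROLES:
        raise ValueError("unknown role %r" % role)

    return {"name_id": name_id.text.strip(), "email": emails[0], "role": role}


if __name__ == "__main__":
    print(extract_claims(build_assertion()))
    print(extract_claims(build_assertion(role=None)))  # falls back to "user"
```

This only checks the three claims; a production service provider also validates the response envelope (Issuer, Audience, NotBefore/NotOnOrAfter, Destination) before trusting any of them, which is out of scope for this table.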
Here is an example from Azure Active Directory (AD):
Step 2.3 – Assign the users that should be able to use NEXT AI to the application
Step 3 – Enter metadata URL in NEXT AI
Get the "Federation Metadata URL" for the application from your identity provider, e.g. for Azure Active Directory:
Copy the metadata URL in the NEXT SSO configuration page.
Please inform NEXT AI if you wish to migrate any non-SSO users to SSO (see the section "Migrate existing non-SSO users to SSO" below).
Migrate existing non-SSO users to SSO
If you enable SSO after having used NEXT AI for a while, you may already have users with a NEXT AI account that you'll want to migrate to log in with SSO instead of email/password.
In a nutshell: without SSO, users prove that they own their NEXT AI account by typing in their email/password. With SSO, users prove ownership via a token granted by the SSO IdP, showing that they own the email address associated with the NEXT AI account. This means that when a user logs in via SSO, NEXT checks whether there is already an existing NEXT AI account with the same email address. If so, it binds the existing NEXT account to the SSO identity. If not, a new NEXT AI account is created for the user.
Before moving to SSO, please validate the email addresses of all users in Settings & Members. User email addresses in the NEXT AI directory must match the ones registered in their SSO identity.
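As an added illustration (not NEXT AI's implementation) of the binding rule described in this section and in the "Login flow with SSO" steps, the Python model below keeps a small constructed user directory, offers a pre-migration check that lists directory emails with no matching IdP identity, and implements `login_via_sso`, which binds an existing account to the SSO subject or creates a new one. It also reflects the role rule from the claims table: the role claim is applied only when an account is created, never to an existing account. Case-insensitive email matching and the `Account`/`Directory` names are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Account:
    email: str
    role: str
    sso_subject: Optional[str] = None  # persistent NameID once bound to SSO


class Directory:
    """Constructed stand-in for the NEXT AI user directory (example only)."""

    def __init__(self, accounts: List[Account]):
        self.accounts: Dict[str, Account] = {self._key(a.email): a for a in accounts}

    @staticmethod
    def _key(email: str) -> str:
        # Assumption: emails are compared case-insensitively after trimming.
        return email.strip().lower()

    def precheck(self, idp_emails: List[str]) -> List[str]:
        """Emails in the directory that have no matching identity at the IdP.

        Run before enabling SSO: each listed user would get a *new* account on
        first SSO login instead of being bound to the existing one.
        """
        idp = {self._key(e) for e in idp_emails}
        return sorted(k for k in self.accounts if k not in idp)

    def login_via_sso(self, claims: dict) -> Tuple[Account, str]:
        """Bind or create an account for validated SSO claims.

        `claims` is the dict produced by claim validation: name_id, email and
        optionally role. Returns (account, outcome) where outcome is one of
        "created", "bound" or "existing".
        """
        key = self._key(claims["email"])
        acct = self.accounts.get(key)

        if acct is None:
            # No account with this email: provision one, using the role claim
            # (or the default "user") exactly once, at creation time.
            acct = Account(email=claims["email"],
                           role=claims.get("role", "user"),
                           sso_subject=claims["name_id"])
            self.accounts[key] = acct
            return acct, "created"

        if acct.sso_subject is None:
            # Migration case: existing email/password account, bind it to the
            # IdP subject. The role claim is ignored; the stored role stays.
            acct.sso_subject = claims["name_id"]
            return acct, "bound"

        if acct.sso_subject != claims["name_id"]:
            # Same email presented by a different persistent subject: refuse
            # rather than silently re-bind the account.
            raise PermissionError("account is already bound to a different SSO identity")

        return acct, "existing"


if __name__ == "__main__":
    directory = Directory([Account("Alice@Example.com", "admin"),
                           Account("bob@example.com", "user")])
    print("unmatched before migration:",
          directory.precheck(["alice@example.com", "robert.b@example.com"]))
    print(directory.login_via_sso({"name_id": "sub-1", "email": "alice@example.com", "role": "guest"}))
```

The `precheck` output is the list to fix in Settings & Members before the switch: in the constructed data, bob@example.com is registered at the IdP as robert.b@example.com, so without correcting one side he would end up with a second, empty account.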
Additional Considerations
SSO-only or combined SSO + non-SSO?
By default, NEXT AI manages users in a user directory for you, and you can add SSO as an additional sign-in option for your users. Any existing users can use the user directory, and newly invited users will be added to the NEXT AI user directory.
Depending on your organization's requirements, however, it may be necessary to enforce the use of SSO. In this case, users must authenticate through your identity provider. The "Invite user" functionality can still be used to send invitation links to new users (taking into account any configured Signup domain restrictions), but whether the user can accept the invitation depends on whether the user's account in the identity provider has been configured to allow access to NEXT.
Note that the invitation emails currently do not indicate an SSO-only environment and will contain a generic "Signup" link.
Note that this will also impact accounts that you might have created for NEXT's Customer Success/Support. There are different options to ensure smooth interactions with NEXT in an SSO-only setup:
You can add the NEXT account to your SSO IdP.
You can sign up for a free NEXT instance and reproduce the issue there. This can then be shared with NEXT Support.
You can organize a screen share session with NEXT Customer Success and a user who has SSO access.
SP-Initiated or IdP-Initiated Sign-In
NEXT AI assumes an SP-initiated sign-in, i.e. users go to NEXT AI via https://TENANT.nextapp.co, and from there get pointed to the IdP for signing in.
Right now it is not possible to configure the application for a pure IdP-initiated sign-in experience due to technical limitations. In case IdP-initiated sign-in is needed (for example for an application directory for users), the application in the directory should be configured to go to the https://TENANT.nextapp.co URL.
Role Management
NEXT user roles are managed inside the NEXT AI administrator interface for existing (and invited) users. If the IdP includes a role claim in the token for a new user, NEXT AI will assign this role to the user. Changing the role claim for an existing user will not propagate the changed role to NEXT AI.
Signing and Token encryption
NEXT AI does not support signing (AuthnRequestsSigned and WantAssertionsSigned in the SP SSO descriptor) or token encryption.
Federation Metadata URL or file?
Typically the federation metadata can be exported from the IdP either as an XML file or as a "live URL". NEXT AI generally prefers a live URL, because NEXT AI is then not coupled to (and does not need to be involved in) changes the enterprise makes to the metadata. The IdP is already accessible through the internet, so this generally should not be a problem. If there are concerns about exposing the metadata through a public URL, please contact Customer Success.
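To make the "URL versus file" trade-off concrete, here is an added Python example (not NEXT AI's code) that loads IdP federation metadata from either a local file or an HTTPS URL, extracts the parts a service provider depends on (entityID, the HTTP-Redirect sign-in endpoint and the signing certificates), and reports what changed between two snapshots. A signing-certificate rotation is the typical change: with a live URL it is picked up on the next fetch, with an exported file someone has to redeliver it. The metadata documents are constructed inline with placeholder certificate values; `load_metadata`, `parse_idp_metadata` and `metadata_changes` are names chosen for this example.

```python
import urllib.request
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"


def build_metadata(cert: str) -> str:
    """Constructed IdP EntityDescriptor with one signing certificate (placeholder)."""
    return f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="{REDIRECT_BINDING}" Location="https://idp.example.com/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


METADATA_V1 = build_metadata("PLACEHOLDER-CERT-V1")
METADATA_V2 = build_metadata("PLACEHOLDER-CERT-V2")  # same IdP after a key rotation


def load_metadata(source: str) -> str:
    """Read metadata from a live HTTPS URL or a local XML file path."""
    if source.startswith("https://"):
        with urllib.request.urlopen(source, timeout=10) as resp:
            return resp.read().decode("utf-8")
    if source.startswith("http://"):
        # Metadata carries the trust anchor; never fetch it over plaintext HTTP.
        raise ValueError("refusing to fetch federation metadata over plaintext HTTP")
    with open(source, encoding="utf-8") as handle:
        return handle.read()


def parse_idp_metadata(xml_text: str) -> dict:
    """Extract entityID, HTTP-Redirect SSO URL and signing certificates."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata contains no IDPSSODescriptor")

    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):  # skip encryption-only keys
            continue
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            certs.append("".join((cert.text or "").split()))  # drop PEM line wrapping

    sso = [s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)
           if s.get("Binding") == REDIRECT_BINDING]
    if not sso or not certs:
        raise ValueError("metadata lacks a redirect SSO endpoint or a signing certificate")

    return {"entity_id": root.get("entityID"), "sso_url": sso[0], "signing_certs": certs}


def metadata_changes(old: dict, new: dict) -> dict:
    """Describe what differs between two parsed snapshots (empty dict if nothing)."""
    changes = {}
    for key in ("entity_id", "sso_url"):
        if old[key] != new[key]:
            changes[key] = (old[key], new[key])
    added = sorted(set(new["signing_certs"]) - set(old["signing_certs"]))
    removed = sorted(set(old["signing_certs"]) - set(new["signing_certs"]))
    if added or removed:
        changes["signing_certs"] = {"added": added, "removed": removed}
    return changes


if __name__ == "__main__":
    before = parse_idp_metadata(METADATA_V1)
    after = parse_idp_metadata(METADATA_V2)
    print(before)
    print("changes after rotation:", metadata_changes(before, after))
```

In day-to-day use you would call `load_metadata` with the Federation Metadata URL copied in Step 3 and run `metadata_changes` against the previously stored snapshot; a non-empty result on the signing certificates is exactly the event that a file-based setup would have to coordinate by hand.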
FAQ
Q: Does NEXT AI support Single Sign-On (SSO)?
Yes, NEXT AI supports Single Sign-On using the SAML 2.0 standard, allowing users to log in with their existing enterprise identity provider.
Q: Which identity providers are compatible with NEXT AI’s SSO?
NEXT AI integrates with Okta, Azure AD (Entra ID), Google Workspace, OneLogin, Ping Identity, and other SAML-compliant IdPs.
Q: How do I enable SSO in NEXT AI?
Administrators can configure SAML SSO by uploading metadata from the identity provider to the NEXT AI Settings & Members > SSO page. Detailed setup guides are available for Okta, Azure, and Google Workspace.
Q: Is SAML the only SSO protocol supported by NEXT AI?
Yes, NEXT AI currently supports SAML 2.0 for enterprise-grade authentication. Other protocols like OAuth and OpenID Connect are not supported for SSO login.
Q: What is the difference between SSO and passwordless authentication in NEXT AI?
SSO relies on your company’s identity provider to authenticate users across multiple applications. Passwordless authentication is NEXT AI's default authentication mechanism which removes the need for a password but still requires a unique login per user account.
Q: Can I enforce SSO for all NEXT AI users in my organization?
Yes, administrators can mandate SAML SSO as the exclusive login method for all users within their tenant.
Q: Does SSO improve compliance for enterprises?
Yes, SSO centralizes authentication, supports audit logging, and reduces the risk of credential misuse, aligning with best practices recommended by NIST and Gartner.