Single Sign-On (SSO) is an authentication process that allows users to access multiple applications with a single set of login credentials. Instead of managing separate usernames and passwords, employees sign in once through a trusted identity provider (IdP). This reduces password fatigue, improves security, and simplifies compliance management. NEXT AI supports Security Assertion Markup Language (SAML 2.0) for Single Sign-On.

NEXT AI supports Security Assertion Markup Language (SAML 2.0) for Single Sign-On. SAML is an industry-standard protocol for exchanging authentication and authorization data between an identity provider and a service provider. With SAML-based SSO, enterprise users can securely authenticate to NEXT AI using their existing corporate identity systems.

NEXT AI integrates with major enterprise identity providers, including:

Administrators can configure SAML SSO in the Settings & Members > SSO by exchanging metadata with the chosen identity provider. Once enabled, users are redirected to the corporate login page for authentication before accessing NEXT AI.

Follow these steps to enable SAML SSO:

Log into NEXT with an Administrator account and go to Settings & Members > SSO. Copy the various inputs, like Entity ID, that you will need to set up your identity provider. For example:

Here an example from Azure Active Directory:

Here an example from Azure ActiveDirectory (AD):

Get the "Federation Metadata URL" for the application from your identity provider, e.g. for Azure Active Directory:

Copy the metadata URL in the NEXT SSO configuration page.

If you enable SSO after having uses NEXT AI for a while, you may already have users with a NEXT AI account that you'll want to migrate to log in with SSO instead of email/password.

In a nutshell: Without SSO, users prove that they own their NEXT AI account by typing in their email/password. With SSO, users prove ownership via a token granted by the SSO IdP, showing that they own the email address associated to the NEXT AI account. This means if a user logs in via SSO: NEXT checks if there is already an existing NEXT AI account with the same email address. If so, it binds the existing NEXT account to the SSO identity. If not, a new NEXT AI account is created for the user.

Before moving to SSO, please validate the email addresses of all users in the Settings & Members. User email addresses in NEXT AI directory must match the ones registered in their SSO identity.

By default, NEXT AI manages users in a user directory for you, and you can add SSO as an additional sign-in option for your users. Any existing users can use the user directory, and newly invited users will be added to the NEXT AI user directory.

Depending on the particular details of your organization however, it could be required to enforce the use of SSO. In this case, users must authenticate through your identity provider. The "Invite user" functionality can be used to send out invitation links to new users (taking into account any configured Signup domain restrictions), but whether the user can accept the invitation depends on whether the account of the user in the identity provider has been configured to allow access to NEXT.

NEXT AI assumes an SP-initiated sign-in, i.e. users go to NEXT AI via https://TENANT.nextapp.co, and from there get pointed to the IdP for signing in.

Right now it is not possible to configure the application for a pure IdP-initiated sign-in experience due to technical limitations. In case IdP-initiated sign-in is needed (for example for an application directory for users), the application in the directory should be configured to go to the https://TENANT.nextapp.co URL.

NEXT user roles are managed inside the NEXT AI administrator interface for existing (and invited) users. If the IdP includes role claim in the token for a new user NEXT AI will assign this role to the user. Changing the role claim for an existing user will not propagate the changed role to NEXT AI.

NEXT AI does not support signing (AuthnRequestsSigned and WantAssertionsSigned in the SP SSO descriptor) nor token encryption.

Typically the federation metadata can be exported from the IdP either as a XML file, or as a "live URL". NEXT AI generally prefers a live URL, as that means we are not coupled to (nor do we need to be involved) when the enterprise needs to change the metadata. The IdP is already accessible through the internet, so this generally should not be a problem. If there are concerns about exposing the metadata through a public URL, please do contact Customer Success.

Yes, NEXT AI supports Single Sign-On using the SAML 2.0 standard, allowing users to log in with their existing enterprise identity provider.

NEXT AI integrates with Okta, Azure AD (Entra ID), Google Workspace, OneLogin, Ping Identity, and other SAML-compliant IdPs.

Administrators can configure SAML SSO by uploading metadata from the identity provider to the NEXT AI Settings & Members > SSO. Detailed setup guides are available for Okta, Azure, and Google Workspace.

Yes, NEXT AI currently supports SAML 2.0 for enterprise-grade authentication. Other protocols like OAuth and OpenID Connect are not supported for SSO login.

SSO relies on your company’s identity provider to authenticate users across multiple applications. Passwordless authentication is NEXT AI's default authentication mechanism which removes the need for a password but still requires a unique login per user account.

Yes, administrators can mandate SAML SSO as the exclusive login method for all users within their tenant.

Yes, SSO centralizes authentication, supports audit logging, and reduces the risk of credential misuse — aligning with best practices recommended by NIST and Gartner.