
Single Sign-On (SSO) with SAML

Written by Rick
Updated over a week ago

At a glance

Single Sign-On (SSO) is an authentication process that allows users to access multiple applications with a single set of login credentials. Instead of managing separate usernames and passwords, employees sign in once through a trusted identity provider (IdP). This reduces password fatigue, improves security, and simplifies compliance management. NEXT AI supports Security Assertion Markup Language (SAML 2.0) for Single Sign-On.

NEXT AI’s SSO Support with SAML

NEXT AI supports Security Assertion Markup Language (SAML 2.0) for Single Sign-On. SAML is an industry-standard protocol for exchanging authentication and authorization data between an identity provider and a service provider. With SAML-based SSO, enterprise users can securely authenticate to NEXT AI using their existing corporate identity systems.

Supported Identity Providers

NEXT AI integrates with major enterprise identity providers, including:

  • Okta

  • Azure Active Directory (Entra ID)

  • Google Workspace

  • OneLogin

  • Ping Identity

Benefits for Enterprises

  • Stronger security through centralized identity management

  • Reduced password-related risks and IT support tickets

  • Faster onboarding and off-boarding with automated account provisioning

  • Improved compliance with enterprise security policies

Benefits for Users

  • Users can use their existing company credential to access NEXT AI

  • Reduced password-related risks

Login flow with SSO

Administrators configure SAML SSO under Settings & Members > SSO by exchanging metadata with the chosen identity provider. Once enabled, users are redirected to the corporate login page for authentication before they can access NEXT AI.

  • Log in with SSO becomes available on the login page of the workspace

  • Clicking Log in with SSO forwards the user to the organization's identity provider (e.g. Entra ID)

  • The identity provider authenticates the user and sends the user back to NEXT AI

  • NEXT AI checks whether the authenticated user already has an account. If not, a new account is created on the fly, so access is seamless for users the IdP has been configured to admit

  • The user is logged into NEXT AI

How to set up SSO (step-by-step guide)

Follow these steps to enable SAML SSO:

Step 1 : Find SAML input

Log into NEXT with an Administrator account and go to Settings & Members > SSO. Copy the values you will need to set up your identity provider, such as the Entity ID and the Reply URL.

Step 2 : Configure your identity provider

Step 2.1 : Create application in your identity provider

  • Set up an application for NEXT AI in your identity provider (e.g. Microsoft Entra ID, formerly Azure Active Directory). Use the values copied in Step 1 for "Entity ID", "Reply URL", etc.

  • Configure the application logo so that users can identify the application in the application directory (please find the logo attached to this article)

(The original article shows a screenshot of this step in Azure Active Directory (Entra ID) here.)

Step 2.2 Configure the claims provided by the identity provider to NEXT AI

Claim: NameID
Contents: Unique identifier of the user. This must use the persistent SAML NameID format (urn:oasis:names:tc:SAML:2.0:nameid-format:persistent), so that the identifier stays stable across logins and does not change when a user's name or email address changes.
Required?: Required

Claim: role
Contents: Initial user role in the NEXT application. Each user must have exactly one of the available roles: admin, user, guest. This value is only used when a user is provisioned for the first time; afterwards the role can be adjusted through NEXT's administrative interface.
Required?: Optional (default is "user")

Claim: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
Contents: Email address of the user, used for sending mail. This should be a regular RFC 822 address (user@domain.tld). An initial display name for a new user can be supplied by encoding it in the same value as "Display Name" <user@domain.tld>.
Required?: Required
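As an added example (not NEXT AI's code), the following Python applies the rules of this table to an assertion: it requires a NameID in the persistent format, exactly one email claim that parses as an RFC 822 address (optionally carrying a display name in the "Display Name" <user@domain.tld> form), and at most one role claim from the allowed set, defaulting to user. The sample assertions are constructed here and are unsigned; a real SP library validates the signature, audience, and timestamps before any of this runs.

```python
import xml.etree.ElementTree as ET   # for untrusted XML in production prefer the defusedxml package
from email.utils import parseaddr
from xml.sax.saxutils import escape

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
ROLES = {"admin", "user", "guest"}


class ClaimError(ValueError):
    """Raised when an assertion does not satisfy the claims table."""


def extract_claims(assertion_xml: str) -> dict:
    """Return {'name_id', 'email', 'display_name', 'role'} or raise ClaimError."""
    root = ET.fromstring(assertion_xml)
    assertion = root if root.tag == f"{{{SAML}}}Assertion" else root.find(".//saml:Assertion", NS)
    if assertion is None:
        raise ClaimError("no saml:Assertion element")

    # NameID: required, and its Format attribute must be the persistent format
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ClaimError("NameID is required")
    if name_id.get("Format") != PERSISTENT:
        raise ClaimError(f"NameID Format must be persistent, got {name_id.get('Format')!r}")

    # Collect attributes as {Name: [values]} across all AttributeStatements
    attrs: dict = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)

    # Email: exactly one value, an RFC 822 address with an optional display name
    emails = attrs.get(EMAIL_CLAIM, [])
    if len(emails) != 1:
        raise ClaimError(f"exactly one email claim required, got {len(emails)}")
    display_name, addr = parseaddr(emails[0])
    local, at, domain = addr.rpartition("@")
    if not (local and at and domain) or any(c.isspace() for c in addr):
        raise ClaimError(f"email claim is not an RFC 822 address: {emails[0]!r}")

    # Role: optional, at most one value, restricted to the allowed set, default "user"
    roles = attrs.get("role", [])
    if len(roles) > 1:
        raise ClaimError("role claim must have exactly one value")
    role = roles[0] if roles else "user"
    if role not in ROLES:
        raise ClaimError(f"unknown role {role!r}; expected one of {sorted(ROLES)}")

    return {"name_id": name_id.text.strip(), "email": addr,
            "display_name": display_name or None, "role": role}


def reject_reason(assertion_xml: str):
    """The ClaimError message for a rejected assertion, or None if it is accepted."""
    try:
        extract_claims(assertion_xml)
    except ClaimError as exc:
        return str(exc)
    return None


def build_assertion(name_id: str, email: str, role=None, name_id_format=PERSISTENT) -> str:
    """Construct a minimal unsigned assertion for the samples below (not real IdP output)."""
    role_attr = (f'<saml:Attribute Name="role"><saml:AttributeValue>{escape(role)}'
                 '</saml:AttributeValue></saml:Attribute>' if role else "")
    return (f'<saml:Assertion xmlns:saml="{SAML}" ID="_example" Version="2.0" '
            'IssueInstant="2024-01-01T00:00:00Z">'
            '<saml:Issuer>https://idp.example.com/saml</saml:Issuer>'
            f'<saml:Subject><saml:NameID Format="{name_id_format}">{escape(name_id)}</saml:NameID></saml:Subject>'
            f'<saml:AttributeStatement><saml:Attribute Name="{EMAIL_CLAIM}">'
            f'<saml:AttributeValue>{escape(email)}</saml:AttributeValue></saml:Attribute>'
            f'{role_attr}</saml:AttributeStatement></saml:Assertion>')


# Constructed samples: accepted with display name and explicit role, accepted with the
# default role, rejected for a non-persistent NameID, rejected for an unknown role.
OK_ADMIN = build_assertion("7d3f0c2e-persistent-id", '"Jane Doe" <jane.doe@example.com>', "admin")
OK_DEFAULT_ROLE = build_assertion("9a1b2c3d-persistent-id", "sam.lee@example.com")
BAD_FORMAT = build_assertion("jane.doe@example.com", "jane.doe@example.com",
                             name_id_format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress")
BAD_ROLE = build_assertion("1234-persistent-id", "sam.lee@example.com", "superuser")

if __name__ == "__main__":
    print(extract_claims(OK_ADMIN))
    for sample in (OK_DEFAULT_ROLE, BAD_FORMAT, BAD_ROLE):
        print(reject_reason(sample))
```

The rejection of an emailAddress-format NameID is the check worth keeping: an email-based identifier changes when the user's mailbox is renamed and would silently detach the account from its SSO identity.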

(The original article shows a screenshot of the claims configuration in Azure Active Directory (Entra ID) here.)

Step 2.3 Assign the users who should be able to use NEXT AI to the application

Step 3 Enter metadata URL in NEXT AI

Get the "Federation Metadata URL" for the application from your identity provider (in Entra ID it is shown as "App Federation Metadata Url" in the application's SAML signing certificate section).

Paste the metadata URL into the NEXT SSO configuration page.

Please inform NEXT AI if you wish to migrate any non-SSO users to SSO (see the section "Migrate existing non-SSO users to SSO" below).

Migrate existing non-SSO users to SSO

If you enable SSO after having used NEXT AI for a while, you may already have users with a NEXT AI account whom you want to migrate to logging in with SSO instead of email/password.

In a nutshell: without SSO, users prove that they own their NEXT AI account by entering their email/password. With SSO, users prove ownership via a token issued by the SSO IdP, which asserts that they own the email address associated with the NEXT AI account. So when a user logs in via SSO, NEXT checks whether a NEXT AI account with the same email address already exists. If so, it binds the existing NEXT account to the SSO identity. If not, a new NEXT AI account is created for the user.

Before moving to SSO, please validate the email addresses of all users under Settings & Members. User email addresses in the NEXT AI directory must match the ones registered in their SSO identity. Because the binding is made on the email address alone, the IdP must be authoritative for every address it asserts: only administrators, not end users, should be able to set the email claim in the IdP.

Additional Considerations

SSO-only, or SSO plus non-SSO?

By default, NEXT AI manages users in a user directory for you, and you can add SSO as an additional sign-in option for your users. Any existing users can use the user directory, and newly invited users will be added to the NEXT AI user directory.

Depending on your organization's requirements, you may however need to enforce the use of SSO. In that case all users must authenticate through your identity provider. The "Invite user" functionality can still be used to send invitation links to new users (subject to any configured Signup domain restrictions), but whether a user can accept the invitation depends on whether the user's account in the identity provider has been assigned to the NEXT application.

Note that the invitation emails currently do not indicate an SSO-only environment and contain a generic "Signup" link.

Note that this also affects any accounts you might have created for NEXT's Customer Success/Support. There are several options to keep interactions with NEXT smooth in an SSO-only setup:

  • You can add the NEXT account to your SSO IdP.

  • You can sign up for a free NEXT instance and reproduce the issue there. This can then be shared with NEXT Support.

  • You can organize a screen share session with NEXT Customer Success and a user who has SSO access.

SP-Initiated or IdP-Initiated Sign-In

NEXT AI assumes SP-initiated sign-in, i.e. users go to NEXT AI at https://TENANT.nextapp.co and are redirected from there to the IdP to sign in.

It is currently not possible to configure the application for a pure IdP-initiated sign-in experience, due to technical limitations. If IdP-initiated sign-in is needed (for example for a tile in the users' application directory), configure the directory entry to link to https://TENANT.nextapp.co; the SP-initiated flow then starts from there.

Role Management

NEXT user roles are managed inside the NEXT AI administrator interface for existing (and invited) users. If the IdP includes a role claim in the token for a new user, NEXT AI assigns that role to the user when the account is created. Changing the role claim for an existing user does not propagate the changed role to NEXT AI.
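As an added example that is not NEXT AI's code, here is the provisioning logic described in the migration section and in this role-management section, in Python: on an SSO login the directory is first checked for an account already bound to the asserted NameID, then for a pre-existing account with the same email address (which gets bound to the SSO identity), and only if neither exists is a new account created with the asserted role. The case-insensitive email match and the refusal to rebind an account that is already tied to a different NameID are design choices of this example, not documented NEXT AI behaviour.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Account:
    email: str
    role: str
    sso_subject: Optional[str] = None   # persistent NameID once the account is bound to SSO


class Directory:
    """Toy stand-in for the NEXT AI user directory (Settings & Members)."""

    def __init__(self, accounts=()):
        self._by_email = {a.email.lower(): a for a in accounts}

    def by_email(self, email: str) -> Optional[Account]:
        # Assumption of this example: addresses are compared case-insensitively
        return self._by_email.get(email.lower())

    def by_subject(self, subject: str) -> Optional[Account]:
        return next((a for a in self._by_email.values() if a.sso_subject == subject), None)

    def add(self, account: Account) -> Account:
        self._by_email[account.email.lower()] = account
        return account

    def roles(self) -> dict:
        return {email: a.role for email, a in self._by_email.items()}


def login_via_sso(directory: Directory, claims: dict):
    """Resolve already-validated claims to an Account. Returns (account, action)."""
    subject, email = claims["name_id"], claims["email"]

    # 1. Already bound: the stable NameID wins, and the role claim is ignored from now on
    account = directory.by_subject(subject)
    if account is not None:
        return account, "existing"

    # 2. Migration case: a pre-SSO account with the same email address is bound to this subject
    account = directory.by_email(email)
    if account is not None:
        if account.sso_subject is not None:
            # Assumption of this example: never silently rebind an account to a second NameID
            raise PermissionError(f"{email} is already bound to a different SSO identity")
        account.sso_subject = subject
        return account, "bound"

    # 3. New user: created on the fly, role taken from the claim (default "user")
    account = Account(email=email, role=claims.get("role", "user"), sso_subject=subject)
    return directory.add(account), "created"


def walkthrough():
    """Scripted sequence of logins; returns (actions, final roles per email)."""
    directory = Directory([Account(email="Jane.Doe@example.com", role="admin")])  # pre-SSO account
    logins = [
        {"name_id": "subj-jane", "email": "jane.doe@example.com", "role": "guest"},  # migrated; role kept
        {"name_id": "subj-sam", "email": "sam.lee@example.com", "role": "user"},     # first login; created
        {"name_id": "subj-sam", "email": "sam.lee@example.com", "role": "admin"},    # role change ignored
    ]
    actions = [login_via_sso(directory, claims)[1] for claims in logins]
    return actions, directory.roles()


def rebind_is_refused() -> bool:
    """A second NameID presenting an already-bound account's email must not take it over."""
    directory = Directory([Account(email="jane.doe@example.com", role="admin", sso_subject="subj-jane")])
    try:
        login_via_sso(directory, {"name_id": "subj-other", "email": "jane.doe@example.com"})
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print(walkthrough())
    print("rebind refused:", rebind_is_refused())
```

The third login in the walkthrough is the point of this section: Sam's role claim changes from user to admin, but the account keeps the role it was created with, so role changes have to be made in the NEXT AI administrator interface.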

Signing and Token encryption

NEXT AI's SP metadata does not set AuthnRequestsSigned or WantAssertionsSigned in the SPSSODescriptor: the SP does not sign its AuthnRequests, and it does not declare that it requires signed assertions. Encrypted assertions (token encryption) are not supported either, so do not enable assertion encryption in the IdP application. This concerns only those two SP-side flags and encryption; leave the IdP's default signing of its responses enabled.

Federation Metadata URL or file?

Typically the federation metadata can be exported from the IdP either as an XML file or as a live URL. NEXT AI generally prefers the live URL: NEXT AI is then not coupled to one particular copy of the metadata and does not need to be involved when the enterprise changes it (for example on a signing-certificate rollover). The IdP is already reachable from the internet, so exposing the metadata endpoint is generally not a problem. If there are concerns about exposing the metadata through a public URL, please contact Customer Success.
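To make the SP-initiated flow concrete (see "Login flow with SSO" and "SP-Initiated or IdP-Initiated Sign-In"), here is an added Python example, not NEXT AI's code, that starts from the federation metadata discussed here: it reads the HTTP-Redirect SingleSignOnService endpoint out of a constructed IdP metadata document, builds an unsigned AuthnRequest (the page states the SP does not sign requests) asking for a persistent NameID, encodes it with the HTTP-Redirect binding (raw DEFLATE, base64, URL-encode), and then decodes the resulting URL the way the IdP would. The SP entity ID and assertion consumer URL are placeholders; the real values are the Entity ID and Reply URL shown under Settings & Members > SSO.

```python
import base64
import uuid
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse
from xml.sax.saxutils import escape

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Constructed IdP metadata, trimmed to what this example needs (real metadata also carries the signing certificate)
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/saml/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def idp_redirect_endpoint(metadata_xml: str) -> tuple:
    """Return (idp_entity_id, sso_url) for the HTTP-Redirect binding, or raise."""
    root = ET.fromstring(metadata_xml)
    descriptor = root.find("md:IDPSSODescriptor", MD_NS)
    if descriptor is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    for service in descriptor.findall("md:SingleSignOnService", MD_NS):
        if service.get("Binding") == HTTP_REDIRECT:
            return root.get("entityID"), service.get("Location")
    raise ValueError("IdP metadata offers no HTTP-Redirect SingleSignOnService")


def build_authn_request(sp_entity_id, acs_url, destination, request_id=None, issue_instant=None) -> str:
    """Unsigned AuthnRequest requesting a persistent NameID; the response is POSTed to acs_url."""
    request_id = request_id or "_" + uuid.uuid4().hex      # xs:ID must not start with a digit
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    q = lambda s: escape(s, {'"': "&quot;"})               # safe inside double-quoted attributes
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="{q(request_id)}" Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination="{q(destination)}" AssertionConsumerServiceURL="{q(acs_url)}" '
        f'ProtocolBinding="{HTTP_POST}">'
        f'<saml:Issuer>{escape(sp_entity_id)}</saml:Issuer>'
        f'<samlp:NameIDPolicy Format="{PERSISTENT}" AllowCreate="true"/>'
        '</samlp:AuthnRequest>'
    )


def redirect_url(sso_url: str, authn_request_xml: str, relay_state: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, then URL-encode as query parameters."""
    if len(relay_state.encode()) > 80:                      # limit set by the SAML bindings specification
        raise ValueError("RelayState must not exceed 80 bytes")
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = compressor.compress(authn_request_xml.encode()) + compressor.flush()
    query = urlencode({"SAMLRequest": base64.b64encode(deflated).decode(), "RelayState": relay_state})
    return sso_url + ("&" if urlparse(sso_url).query else "?") + query


def decode_redirect(url: str) -> tuple:
    """What the IdP does on arrival: return (authn_request_xml, relay_state)."""
    params = parse_qs(urlparse(url).query)
    xml = zlib.decompress(base64.b64decode(params["SAMLRequest"][0]), -15).decode()
    return xml, params.get("RelayState", [None])[0]


def start_login(tenant_url="https://TENANT.nextapp.co") -> str:
    """Full SP-initiated start: metadata -> AuthnRequest -> redirect URL (placeholder SP values, see lead-in)."""
    _, sso_url = idp_redirect_endpoint(IDP_METADATA)
    request = build_authn_request(
        sp_entity_id=tenant_url + "/saml/metadata",   # placeholder for the Entity ID from NEXT settings
        acs_url=tenant_url + "/saml/acs",              # placeholder for the Reply URL from NEXT settings
        destination=sso_url,
    )
    # RelayState says where to land after login; the SP must check it against its own origin on return
    return redirect_url(sso_url, request, tenant_url)


def roundtrip_ok() -> bool:
    """Deterministic check that decode_redirect inverts redirect_url."""
    _, sso_url = idp_redirect_endpoint(IDP_METADATA)
    request = build_authn_request("https://TENANT.nextapp.co/saml/metadata", "https://TENANT.nextapp.co/saml/acs",
                                  sso_url, request_id="_abc", issue_instant="2024-01-01T00:00:00Z")
    return decode_redirect(redirect_url(sso_url, request, "https://TENANT.nextapp.co")) == (
        request, "https://TENANT.nextapp.co")


if __name__ == "__main__":
    print(start_login())
```

The RelayState check on return matters because the value travels through the user's browser: an SP that redirects to whatever comes back, rather than to a value it issued or to its own origin, turns the login into an open redirect.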

FAQ

Q: Does NEXT AI support Single Sign-On (SSO)?

Yes, NEXT AI supports Single Sign-On using the SAML 2.0 standard, allowing users to log in with their existing enterprise identity provider.

Q: Which identity providers are compatible with NEXT AI’s SSO?

NEXT AI integrates with Okta, Azure AD (Entra ID), Google Workspace, OneLogin, Ping Identity, and other SAML-compliant IdPs.

Q: How do I enable SSO in NEXT AI?

Administrators configure SAML SSO by entering the identity provider's federation metadata URL under Settings & Members > SSO. Detailed setup guides are available for Okta, Azure, and Google Workspace.

Q: Is SAML the only SSO protocol supported by NEXT AI?

Yes, NEXT AI currently supports SAML 2.0 for enterprise-grade authentication. Other protocols like OAuth and OpenID Connect are not supported for SSO login.

Q: What is the difference between SSO and passwordless authentication in NEXT AI?

SSO relies on your company's identity provider to authenticate users across multiple applications. Passwordless authentication, NEXT AI's default mechanism, removes the need for a password but still requires a separate login per user account.

Q: Can I enforce SSO for all NEXT AI users in my organization?

Yes, administrators can mandate SAML SSO as the exclusive login method for all users within their tenant.

Q: Does SSO improve compliance for enterprises?

Yes, SSO centralizes authentication, supports audit logging, and reduces the risk of credential misuse — aligning with best practices recommended by NIST and Gartner.
