Enable SSO for Notion

Purpose

Notion offers single sign-on via SAML integration with Practice Protect. This provides a seamless login experience to the Notion platform using IdP-initiated SAML.

Important! Guests are not supported with SAML SSO on Notion. Also, Workspace owners will always have the option to bypass SAML SSO by using their email and password credentials. This is to allow them to access Notion in the event of IdP/SAML failure. They will be able to log in and disable or update their configuration.

Practice Protect will configure this on your behalf. Please send us an email at [email protected]

Pre-requisites

• Your Notion workspace must be on a Business or Enterprise Plan

• Active Notion account with administrator rights for your organization (Note: this can be your account so you don’t have to pay and create for another license account)

• At least one domain has been verified by a Workspace owner in Notion. Click here on how

• Admin Access to Practice Protect
• Username/Email for staff should match the login names in Practice Protect.

Instructions

1. Login to your Practice Protect and switch to Admin portal (ex. mydomain.practiceprotect.app)
2. On Core Services, Click on Roles > Add Roles. Create a role and set the name field to “Notion SSO Users“. Then Save.
3. With the created role, click on Members > Add. Add each member/user that will be part of the SSO. Then Save.
4. From the Apps & Widgets, go to Web Apps section. Then, choose Add Web Apps on the top right corner.
5. On the app catalog, search for “Notion” and Add the app Notion “SAML”. Hit “Yes” to add the application.
6. The application that you just added opens to the Settings page. Set the Name to “Notion SSO” then click Save. Note: You can change the name, category or logo based on your preference.
7. Click on Trust > On Identity Provider Configuration and select Metadata. Down below click on Copy XML to copy the Metadata in XML format and temporarily put it in a Notepad app. You will need this details later.
8. On the SAML Response, Attributes section, click Add. Then, add the below:
   Attribute Name: email
   Attribute Value: LoginUser.Username
9. Removed all the existing script from the Custom Logic as this will be automated.
   Click Save to apply changes.
10. Login to Notion as Admin. Go to Settings & Members, then select the Settings tab.
    

11. In the Allow Email Domain section, remove all email domains. Click Update if any changes were made.

    

12. Then select the Identity & Provisioning tab.

13. Toggle on Enable SAML SSO and click  Edit SAML SSO Configuration. The modal will pop up and prompt you to complete the set-up.

    
    The SAML SSO Configuration is divided into two parts: The Assertion Consumer Service (ACS) URL is to be entered in your Identity Provider (IDP) portal. The Identity Provider Details is a field in which either an IDP URL or IDP metadata XML must be provided to Notion.

14. Copy the Assertion Consumer Service (ACS) URL and and temporarily put it in a Notepad as well.
15. On the Identity Provider Details, Select Identity Provider Metadata XML and paste the XML data you copied from Step 7.
16. Hit Save Changes.
17. Go back to Notion App Settings in the Practice Protect Admin Portal. Then, proceed Trust > Service Provider Configuration > Click Manual Configuration
18. For the SP Entity ID / SP Issuer Audience, remove the existing URL and paste this URL instead:
    https://www.notion.so/sso/saml
19. Paste the Assertion Consumer Service (ACS) URL that you copied from Step 13 to the Assertion Consumer Service (ACS) URL
20. On Sign Response or Assertion, select Both.
21. Hit Save.

Enable SCIM Provisioning

Note: Please turn off Just-in Time provisioning if you are using SCIM provisioning

1. Return to Notion > Settings & Members > Identity & Provisioning
2. On SCIM Provisioning, click Add Token. This will generate a token which we will need later
3. Copy the token and the SCIM base URL under Setup informationSCIM base URL: https://www.notion.so/scim/v2
   
   
4. Go back to the Web App Notion SSO in the Admin Portal. Then proceed to Provisioning
5. Tick the box for Enable Provisioning for this application.

    

   Hit Yes if prompted for confirmation

6. Follow the below settings:
   1. Live Mode is selected
   2. SCIM Service URL – paste the scim base URL from Step 3
   3. Authorization Type –  select Authorization Header
   4. Header Type: Bearer Token
   5. Bearer Token – paste the token generated from Step 3
7. Hit Verify
8. Sync Options: Select Sync (overwrite) users to target application when existing users are found with the same principal name
9. User Deprovisioning Options: Set Disable User
10. Under Role Mapping, click Add.
11. On Role dropdown, choose Notion SSO Users role.
12. Click Add Destination Group and select Notion SSO Users too. Hit Done
13. Click Save to apply.
14. Go to Settings > Outbound Provisioning. Select Notion on provisioning enabled applications
15. Start Sync.
16. Click View Synchronization Job Status and Reports to check the Status.

Enforce & Enable Single Sign On

1. Go back to Notion > Settings & Members > Identity & Provisioning > SAML Single Sign-On (SSO)
2.  To ensure that users can only log in using SAML SSO and no other method, update the Login method to ONLY SAML SSO. SAML SSO will only be enforced for users with your verified domain and who have access to the primary workspace or a linked workspace.
3. Make sure that Automatic account creation is disable if SCIM Provisioning is enabled.
   This allows new user signing in via SAML SSO to join the workspace automatically as a member.
4. Return to Notion app settings in the Practice Protect Admin Portal.
5. On Permissions settings, add the role which contains the Notion SSO users. (i.e. Notion SSO Users) and Save.
6. This completes the process of enabling Notion SSO. Users should be able to securely access the app through Practice Protect.
7. When signing in directly to the app,  enter your email address and click on “Continue with SAML” and use Practice Protect credentials.