Skip to main content
Single Sign-On (SSO) lets your team sign in to Cassidy using your existing identity provider (IdP) — like Okta or Microsoft Entra ID (formerly Azure AD). Once enabled, users authenticate through your IdP instead of managing a separate Cassidy password.
SSO is available on Enterprise plans only. Contact us to learn more or upgrade.

Enable SSO

1

Open organization settings

Click your account name at the bottom of the sidebar, then click the gear icon next to your organization name.
2

Go to Single Sign-On

In the left sidebar, click Single Sign-On. You’ll see the SSO configuration panel.
SSO configuration page in Organization Settings
3

Enable SSO

Toggle Enable SSO on. This reveals the configuration fields you’ll need to connect your identity provider.
Enable Single Sign-On toggle and configuration fields

Configure your identity provider

Choose your IdP below and follow the setup steps.
1

Create a SAML 2.0 application in Okta

In your Okta admin dashboard, go to ApplicationsCreate App Integration. Select SAML 2.0 as the sign-in method.
Okta Create App Integration dialog
Okta sign-in method selection with SAML 2.0 selected
2

Configure SAML settings

Enter the following values from the Cassidy SSO configuration page:
Okta fieldValue
Single sign-on URLCopy from Cassidy SSO settings
Audience URI (SP Entity ID)Copy from Cassidy SSO settings
Okta SAML settings showing Single sign-on URL and Audience URI fields
3

Add attribute statements

Map the following user attributes so Cassidy can identify users:
NameValue
emailuser.email
firstNameuser.firstName
lastNameuser.lastName
Okta attribute statements mapping email, firstName, and lastName
4

Assign users to the app

In Okta, go to the Assignments tab of your new app and assign it to the users or groups who should have access to Cassidy.
Okta Assignments tab for assigning users and groups to the Cassidy app
5

Copy Okta values back to Cassidy

After saving the Okta app, go to the Sign On tab and copy the following values into Cassidy’s SSO settings:
  • Sign on URL (also called SSO URL or Login URL)
  • Issuer (also called Entity ID)
  • Signing Certificate (download the X.509 certificate)
Okta Sign On tab showing the SSO URL, Issuer, and certificate download

Verify and enable

After entering your IdP settings into Cassidy, click Verify and Enable to activate the SSO connection.
Cassidy SSO configuration with Verify and Enable button

Verify your domain

You also need to verify that you own the email domain your team uses to sign in.
1

Add your domain

In the Cassidy SSO settings, click Add Verified Domain and enter the email domain you want to enable for SSO (e.g., yourcompany.com).
Add Verified Domain dialog
Enter domain name field for SSO verification
2

Add the DNS record

Cassidy will provide a TXT record to add to your domain’s DNS settings. Copy the record value and add it to your DNS provider.
DNS TXT record value to add to your domain for verification
DNS changes can take up to 48 hours to propagate, but most providers update within a few minutes.
3

Initiate verification

Once you’ve added the TXT record to your DNS provider, return to Cassidy and click Verify Domain.
Verify Domain button in Cassidy SSO settings
4

Confirm verification

Once the TXT record is detected, your domain is verified and SSO is active.
Domain verified successfully confirmation
SSO is now enabled. Team members with email addresses on this domain will be redirected to your identity provider when signing in.

Set up SAML group mappings

SAML group mappings let you map attributes in your identity provider’s SAML response to Cassidy groups. This allows you to centrally manage user access in your IdP and have Cassidy automatically provision the right permissions when users sign in. When a user signs in through your IdP, Cassidy checks the user’s SAML assertion and adds the user to Cassidy groups based on the mappings you’ve configured.

Important behavior

  • Case-sensitive — Attribute keys and values must match exactly.
  • Additive only — Cassidy adds users to groups when a mapping matches, but does not remove users from groups if the attribute is later removed in your IdP. Users also keep any groups they were already in.
  • Multi-value attributes supported — If an attribute contains multiple values (e.g., a groups attribute with a list of group IDs), the mapping matches if any of the values exactly equals the mapping’s configured value.

Prerequisites

Before turning on mappings, make sure you understand exactly what attributes your IdP is sending in the SAML assertion — mappings only work if the attribute key and value are correct.
  • Many IdPs require you to explicitly configure which attributes (including group membership) are included in the SAML assertion. If group membership isn’t being sent, Cassidy won’t have anything to map.
  • Microsoft Entra ID often sends group Object IDs rather than group names. If you map by group, you typically need to use the ID values Entra ID sends.
  • It’s recommended to inspect and validate a SAML response to confirm the exact attribute key and value your IdP is sending (e.g., using samltool.com) before creating mappings.
  • SSO must be enabled for your organization before you can configure group mappings.

Configure mappings

1

Open Group Mappings

In Organization SettingsSingle Sign-On, click the Group Mappings tab.
Single Sign-On page in Organization Settings with Group Mappings tab highlighted
2

Create a new mapping

Click Add Group Mapping to create a new mapping rule. Enter:
  • SAML Attribute Key — The attribute name your IdP sends (e.g., groups, memberOf, or a custom attribute).
  • SAML Attribute Value — The specific value to match (e.g., a group name or group Object ID, depending on your IdP).
  • Cassidy Group — The Cassidy group to assign users to when the match is found.
Add Group Mapping form showing SAML attribute key, value, and Cassidy Group fields
3

Ensure your IdP sends group attributes

Your IdP must include group membership in the SAML assertion under the same attribute key you configured in the mapping. If group membership isn’t being sent, Cassidy won’t have anything to map.
In Entra ID, add a Group Claim in the Attributes & Claims section of your SAML application and set a custom claim name (e.g., groups). Entra ID typically sends group Object IDs rather than names, so use the ID values as your SAML Attribute Value.
Entra ID Attributes and Claims section showing Group Claim configuration
4

Add mappings for each group

Back in Cassidy, repeat step 2 for each group you want to map. The key should match the attribute name your IdP sends, and the value should match the exact value sent by your IdP for each group.
Completed SAML group mappings with multiple groups configured
To learn more about creating and managing groups in Cassidy, see Assign roles and groups.
5

Save and test

Click Save. Mappings are applied the next time users sign in via SSO. Have a team member sign in to verify they are automatically assigned to the correct Cassidy groups based on their SAML group membership.
Group mappings are active. Users will be automatically assigned to Cassidy groups on their next SSO login.

Next steps

Assign roles and groups

Create and configure the Cassidy groups that SSO maps to.

Invite team members

Manually invite users who aren’t covered by SSO.