Single Sign-On (SSO)

SSO for your Notarize account lets you and all your teammates log into Notarize using the credentials stored in your organization's SAML Identity Provider (IdP). Examples of IdPs include ActiveDirectory, Auth0, Google, and Okta. With SSO, account and credential management are not handled by Notarize, but instead by your IdP.

Why SSO?

  • Users in your organization can log into Notarize without needing to enter their password every time.
  • SSO is compatible with parent/child org structures, allowing you to propagate certain teams/groups to a respective child org upon SSO login.
  • Streamline new user onboarding with just-in-time user provisioning (JIT provisioning). Users will be created and updated automatically when they log in through SSO, allowing you to scale your operation with Notarize faster.


  1. Once SSO is configured, users' former Notarize account passwords will no longer work, unless they are organization admins.
  2. Users' former Notarize account usernames will no longer work if those usernames do not match existing usernames in your organization’s IDP.
  3. This documentation assumes that you already have a SAML Identity Provider (IdP). If you do not have a SAML IdP, you can use any IdP that supports SAML 2.0 such as ActiveDirectory, Auth0, Google, and Okta.
  4. This documentation assumes you are on a "Pro" pricing tier. See our pricing page for more details.

Configuring SSO

Service Provider (SP) Configuration

To configure SSO on your Notarize account, you'll need to provide Notarize with the following information from your IdP:

  • Entity ID
  • Target URL
  • X509 client certificate

You can enter these parameters individually, or provide a metadata file or metadata URL.

An organization admin can enable SSO and enter this information in Settings >> Team Security:


Production IdP Configuration

The IdP needs to be configured with the following Notarize SAML data:

Fairfax (Test) IdP Configuration

The IdP test environment needs to be configured with the following Notarize SAML data:

SAML Attributes

These attributes are sent from the IdP to Notarize, in order to provision accounts on-the-fly, assign specific roles (e.g. admin vs. team member), and create users in child organizations.

Keep in mind the following required attributes:

  • nameid
  • first_name
  • last_name
  • email
  • roles (strongly recommended)

Read more about the available SAML attributes below:

Attribute NameAttribute Description
nameid (required)A unique, immutable identifier for the user. Can be an ID number, email address, username, etc.
first_name (required)User's first name
middle_name (optional)User's middle name
last_name (required)User's last name
name (optional)User’s full name, e.g. “John Patrick Smith Jr.”
email (required)User's email address
roles (strongly recommended)An array of strings designating the user's roles. Choose any subset of the following:

- admin will make the user an admin
- employee will make the user a team member- notary will make that user an in-house notary for that organization

If omitted, the default role of employee will be assigned to the user. This applies to existing users as well (i.e. an Admin user would lose their admin privileges if admin is not specified for them).
organization_id (optional)A Notarize organization ID. If specified, the user will be added to this org, otherwise they'll be added to the org where SSO was configured. Use this attribute if you'd like to sign a user into a specific child org.
notary_state (optional, but required if roles includes notary.The notary’s state of operation, as an abbreviation.
AZ or az
notary_languages (optional, but required if roles includes notary.An array of strings representing languages spoken by the user (notary). Supported values are en and es.
e.g. [en], [en, es]