SSO guide for Business & Enterprise

Set up SAML 2.0 Single Sign-On for your organization.

Single Sign-On (SSO) lets your team authenticate through your organization's identity provider and access Magnific without separate credentials. SSO is available on Business and Enterprise plans.

SSO uses the SAML 2.0 protocol to securely exchange authentication data between your identity provider (IdP) and Magnific. When a user attempts to log in, they are redirected to your organization's IdP for authentication. Once verified, they gain access to Magnific without entering additional credentials.

Key benefits include:

SSO availability by plan

| Feature | Business | Enterprise |
| --- | --- | --- |
| SSO via SAML 2.0 | Yes (self-service) | Yes (advanced) |
| Domain verification | Yes | Yes |
| Multiple domains | Limited | Unlimited |
| Dedicated SSO support | No | Yes |

Before you begin

To configure SSO you will need:

Magnific SAML values

These values are the same regardless of which identity provider you use. Copy them from Settings → Security SSO in your Magnific admin panel.

Required attribute mappings

All identity providers must send the following three attributes. Use Unspecified as the Name Format for each one.

| Attribute name | Source attribute |
| --- | --- |
| email | user.mail |
| first_name | user.givenname |
| last_name | user.surname |

Step 1: Verify your domain

Before configuring your identity provider, you must verify ownership of your company domain.

  1. Go to Settings → Security SSO in your Magnific admin panel.
  2. Enter your company's domain (e.g., yourcompany.com). This is the domain after the @ symbol in your employees' email addresses.
  3. Copy the verification code provided by Magnific.
  4. Log in to your DNS provider (e.g., GoDaddy, Cloudflare, AWS Route 53) and add a new TXT record at the root domain with the verification code as the value.
  5. Return to Magnific and click Verify domain.

DNS propagation may take up to 48 hours but typically completes within minutes.

Step 2: Configure your identity provider

Magnific supports any SAML 2.0-compatible identity provider. In all cases you will create a new SAML application, paste the Magnific SAML values, configure the required attribute mappings, assign users, and download the IdP metadata XML for the next step.

Okta

  1. In your Okta Admin Console, go to Applications → Create App Integration and select SAML 2.0.
  2. Name the app Magnific. Click Next.
  3. In SAML settings, paste the Entity ID into Audience Restriction, and the ACS URL into Single Sign On URL, Recipient URL, and Destination URL.
  4. Configure the three attribute mappings (email, first_name, last_name).
  5. Click Next, select I'm an Okta customer adding an internal app, then click Finish.
  6. Go to the Assignments tab and assign the app to the users or groups who need access.
  7. Go to the Sign On tab and copy the Metadata URL or download the metadata XML.

Microsoft Entra ID

  1. In the Microsoft Entra admin center, go to Identity → Applications → Enterprise applications → New application. Create your own application named Magnific.
  2. Click Set up single sign on and select SAML.
  3. In Basic SAML Configuration, paste the Entity ID, ACS URL, and Sign-on URL.
  4. Under Attributes and Claims, configure the three attribute mappings (email, first_name, last_name).
  5. In the SAML Certificates section, download the Certificate (Base64) and copy the App Federation Metadata URL.
  6. Go to Users and groups and assign the users or groups who need access.

Google Workspace

  1. Sign in to your Google Admin console (admin.google.com) with a super administrator account.
  2. Go to Apps → Web and mobile apps → Add app → Add custom SAML app.
  3. Name the app Magnific. Click Continue.
  4. Download the IdP metadata XML from the Google Identity Provider details page. Click Continue.
  5. Enter the Entity ID, ACS URL, and Sign-on URL as service provider details.
  6. Add the three attribute mappings (email, first_name, last_name). Click Finish.
  7. In the app settings, click User access and enable the app for your users or organizational units.

Other providers like Duo, OneLogin, Auth0, and Ping Identity also work with the same Magnific SAML values and attribute mappings.

Step 3: Complete setup in Magnific

  1. Return to Settings → Security SSO in Magnific.
  2. Upload the metadata XML file from your identity provider.
  3. SSO starts in Flexible mode by default so you can test without disrupting existing logins.
  4. Once confirmed working, choose your preferred enforcement mode.

Enforcement modes

After configuring SSO, choose how strictly it is enforced across your organization:

| Mode | Behavior |
| --- | --- |
| Flexible | Users can sign in via SSO or email and social login. Ideal for testing before full rollout. |
| Restricted | Existing users keep email and password login. New registrations are blocked outside of SSO. |
| Strict | All users must sign in via SSO only. Email and password login is disabled. |

Start with Flexible mode to verify the configuration works. Once confirmed, switch to Restricted or Strict.

Troubleshooting

Email address not valid error

This error occurs when the SSO Attribute Statements are not correctly configured in your Identity Provider (IdP).

Our system expects specific user attributes to be sent during the SSO authentication process. If these attributes are missing, misnamed, or mapped incorrectly, the login will fail and return the “Given email address is not valid” error.

Verify that your IdP sends the three required attributes (email, first_name, last_name) with the correct source values and Unspecified name format.
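
A way to confirm the attribute mappings from the table earlier before users hit this error, as an added example that is not part of the original guide: it parses the AttributeStatement of a SAML assertion (a constructed sample, not a real IdP response) and reports attributes that are missing, misnamed, empty, or sent with a NameFormat other than Unspecified. It assumes only Python's standard library and the attribute names this guide requires.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
BASIC = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
REQUIRED = ("email", "first_name", "last_name")

# Constructed assertion fragment, not a real IdP response: first_name is misnamed
# "firstName" and last_name uses the Basic NameFormat, two misconfigurations that
# make the login fail with the "Given email address is not valid" error.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}">
  <saml:AttributeStatement>
    <saml:Attribute Name="email" NameFormat="{UNSPECIFIED}">
      <saml:AttributeValue>alice@yourcompany.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="firstName" NameFormat="{UNSPECIFIED}">
      <saml:AttributeValue>Alice</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="last_name" NameFormat="{BASIC}">
      <saml:AttributeValue>Example</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_attribute_statement(assertion_xml):
    """Return the problems found; an empty list means the three mappings look right."""
    root = ET.fromstring(assertion_xml)
    # What the IdP actually sent: Name -> (NameFormat, first value)
    sent = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        text = (value.text or "").strip() if value is not None else ""
        sent[attr.get("Name")] = (attr.get("NameFormat"), text)
    problems = []
    for name in REQUIRED:
        if name not in sent:
            problems.append(f"missing attribute '{name}' (IdP sent: {list(sent)})")
            continue
        name_format, text = sent[name]
        if name_format != UNSPECIFIED:
            problems.append(f"'{name}' NameFormat is {name_format!r}, expected Unspecified")
        if not text:
            problems.append(f"'{name}' is empty; check its source attribute mapping")
    # The email value must be an address, or the login is rejected outright
    if sent.get("email", ("", ""))[1] and "@" not in sent["email"][1]:
        problems.append("email value is not an address; map it from user.mail")
    return problems
```

Run it against a decoded assertion captured with your browser's SAML tracer while testing in Flexible mode; the reported names tell you which mapping to correct in the IdP.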

Certificate error

This error occurs when there is an issue with the XML metadata file uploaded during the SSO configuration.

Specifically, the certificate included in the XML file is not valid or does not match the expected configuration. As a result, the system is unable to verify the identity provider and the SSO setup fails.

Common causes

  1. The XML file uploaded is outdated.
  2. The certificate in the XML does not belong to the active IdP.
  3. The certificate has expired.
  4. The XML file was modified manually and the certificate is malformed or incorrect.

How to fix it

  1. Re-download the latest XML metadata from your identity provider.
  2. Make sure the certificate in the XML is correct and active.
  3. Upload the new XML file without modifying it.

If the error persists, contact your IT or security team to verify the certificate configuration in your IdP.

Frequently asked questions

Can I use SSO with multiple domains?

Yes. Business plans support a limited number of domains. Enterprise plans allow unlimited domains, which is useful for organizations with multiple subsidiaries or regional domains.

What happens to existing users when I enable SSO?

It depends on the enforcement mode. In Flexible mode, nothing changes. In Restricted mode, existing users keep their current login methods but new registrations are blocked outside SSO. In Strict mode, all users must use SSO.

Can I enforce SSO for all users?

Yes. Set the enforcement mode to Strict. All users with emails matching your verified domain will be required to sign in through SSO.

Which identity providers are supported?

Any provider compatible with SAML 2.0. This guide covers Okta, Microsoft Entra ID, and Google Workspace, but others (Duo, OneLogin, Auth0, Ping Identity) work with the same Magnific SAML values.